Dear Maxim,
Based on your vector, we found out the cause of the error (see below). Your
further guidance would help us resolve the error.
Cause
---------
In 3.3.0, the proxy server is capturing JSESSIONID. In 3.3.2, the proxy server
is NOT ABLE TO capture JSESSIONID.
QUESTION
----------------
Could you please advise how OM 3.3.2 differs from 3.3.0 in publishing the
session cookie? Proxy server logs are below. Thank you.
Proxy server logs
-----------------
In OM 3.3.0, the proxy server is capturing JSESSIONID in each line.
Sep 21 13:36:07 localhost proxy-server[10415]: 192.168.100.152:56085
[21/Sep/2017:13:36:07.914] webapps-frontend~ subdomain-backend/openmeetings
0/0/0/3/10 200 86916 JSESSIONID=66BC3A6F228503A5D39F4B8E6F1FF951 - ----
6/6/0/0/0 0/0 {<ourdomain>.com||https://<ourdomain>.com/Co}
{|86575|max-age=||||||||||cache|||||} "GET
/openmeetings/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-3.2.1-ver-3B390F5614B3789CE71FFA5C856AA35E.js
HTTP/1.1"
In OM 3.3.2, JSESSIONID is missing.
Sep 21 13:39:23 localhost proxy-server[10517]: 192.168.100.152:56391
[21/Sep/2017:13:39:23.450] webapps-frontend~ subdomain-backend/openmeetings
0/0/1/4/8 200 86916 - - ---- 6/6/0/0/0 0/0
{<ourdomain>.com||https://<ourdomain>.com/Co}
{|86575|max-age=||||||||||cache|||||} "GET
/openmeetings/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-3.2.1-ver-3B390F5614B3789CE71FFA5C856AA35E.js
HTTP/1.1"
Sincerely,
Hemant K. Sabat
Coscend Communications Solutions
www.Coscend.com
------------------------------------------------------------------
Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education,
Telepresence Services, on the fly…
------------------------------------------------------------------
CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages
from Coscend Communications Solutions' posted at:
http://www.Coscend.com/Terms_and_Conditions.html
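The proxy lines quoted above are in HAProxy's HTTP log format, where the two fields after the byte count are the captured request cookie and the captured response cookie; both print as "-" unless the frontend carries a `capture cookie JSESSIONID len <n>` directive. The following Python script is an added example, not code from this thread or from the OpenMeetings project. It parses such lines, reports for each hit whether the browser sent a JSESSIONID and whether the backend issued one, and summarises the log. The first two sample lines are the ones quoted above (placeholders such as `<ourdomain>` left as they are); the third is constructed for this example to show what a captured response cookie looks like in the same format.

```python
"""Parse HAProxy-style HTTP log lines and report whether a session cookie
was captured on the request and/or the response side of each hit."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input. Lines 1 and 2 are the proxy log lines quoted in the message
# above; line 3 is CONSTRUCTED for this example (a backend response that
# sets JSESSIONID) and is not from the thread.
SAMPLE_LOG = r'''
Sep 21 13:36:07 localhost proxy-server[10415]: 192.168.100.152:56085 [21/Sep/2017:13:36:07.914] webapps-frontend~ subdomain-backend/openmeetings 0/0/0/3/10 200 86916 JSESSIONID=66BC3A6F228503A5D39F4B8E6F1FF951 - ---- 6/6/0/0/0 0/0 {<ourdomain>.com||https://<ourdomain>.com/Co} {|86575|max-age=||||||||||cache|||||} "GET /openmeetings/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-3.2.1-ver-3B390F5614B3789CE71FFA5C856AA35E.js HTTP/1.1"
Sep 21 13:39:23 localhost proxy-server[10517]: 192.168.100.152:56391 [21/Sep/2017:13:39:23.450] webapps-frontend~ subdomain-backend/openmeetings 0/0/1/4/8 200 86916 - - ---- 6/6/0/0/0 0/0 {<ourdomain>.com||https://<ourdomain>.com/Co} {|86575|max-age=||||||||||cache|||||} "GET /openmeetings/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-3.2.1-ver-3B390F5614B3789CE71FFA5C856AA35E.js HTTP/1.1"
Sep 21 13:39:25 localhost proxy-server[10517]: 192.168.100.152:56390 [21/Sep/2017:13:39:25.101] webapps-frontend~ subdomain-backend/openmeetings 0/0/1/12/14 200 5120 - JSESSIONID=0123456789ABCDEF0123456789ABCDEF ---- 6/6/0/0/0 0/0 {<ourdomain>.com||https://<ourdomain>.com/Co} {|5120|||||||||||||||} "GET /openmeetings/signin HTTP/1.1"
'''

# Field layout of HAProxy's "option httplog" line (after the syslog prefix):
#   client_ip:port [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt
#   status bytes captured_request_cookie captured_response_cookie term_state
#   actconn/feconn/beconn/srv_conn/retries srv_queue/backend_queue
#   {captured request headers} {captured response headers} "request line"
# The two cookie fields are "-" unless the frontend is configured with
# "capture cookie JSESSIONID len <n>".
LOG_RE = re.compile(
    r'(?P<client>[0-9a-fA-F.:]+):(?P<cport>\d+) '
    r'\[(?P<accept>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/ ]+)/(?P<server>\S+) '
    r'(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>-?\d+) '
    r'(?P<status>-?\d+) (?P<bytes>\d+) '
    r'(?P<req_cookie>\S+) (?P<resp_cookie>\S+) '
    r'(?P<term>\S{4}) '
    r'(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srvconn>\d+)/(?P<retries>\+?\d+) '
    r'(?P<srvq>\d+)/(?P<beq>\d+) '
    r'(?:\{(?P<req_hdrs>[^}]*)\} )?(?:\{(?P<resp_hdrs>[^}]*)\} )?'
    r'"(?P<request>[^"]*)"'
)


@dataclass
class Hit:
    client: str
    status: int
    request: str
    req_session: Optional[str]   # JSESSIONID the browser sent, None if absent
    resp_session: Optional[str]  # JSESSIONID the backend set, None if absent


def _cookie_value(field: str) -> Optional[str]:
    """'JSESSIONID=ABC' -> 'ABC'; '-' (nothing captured) -> None."""
    if field == '-':
        return None
    _name, _sep, value = field.partition('=')
    return value or None


def parse_hit(line: str) -> Optional[Hit]:
    """Parse one log line; returns None for lines not in the expected format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Hit(client=m['client'], status=int(m['status']), request=m['request'],
               req_session=_cookie_value(m['req_cookie']),
               resp_session=_cookie_value(m['resp_cookie']))


def parse_log(text: str) -> List[Hit]:
    hits = [parse_hit(line) for line in text.splitlines() if line.strip()]
    return [h for h in hits if h is not None]


def session_summary(hits: List[Hit]) -> Dict[str, int]:
    """Count hits by what the proxy saw of the session cookie. If every hit
    lands in 'no_cookie_either_way' although the application is known to
    issue JSESSIONID, suspect the cookie being lost between backend and
    browser, or a missing 'capture cookie' directive, before suspecting
    the application itself."""
    summary = {'sent_by_browser': 0, 'issued_by_backend': 0, 'no_cookie_either_way': 0}
    for h in hits:
        if h.req_session:
            summary['sent_by_browser'] += 1
        if h.resp_session:
            summary['issued_by_backend'] += 1
        if not h.req_session and not h.resp_session:
            summary['no_cookie_either_way'] += 1
    return summary


def sessions_seen(hits: List[Hit]) -> List[str]:
    """Distinct JSESSIONID values from both directions, in first-seen order."""
    seen: List[str] = []
    for h in hits:
        for sid in (h.req_session, h.resp_session):
            if sid and sid not in seen:
                seen.append(sid)
    return seen


if __name__ == '__main__':
    hits = parse_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.client} {h.status} sent={h.req_session} issued={h.resp_session} {h.request[:40]}")
    print(session_summary(hits))
    print(sessions_seen(hits))
```

Run it as-is to see the per-hit view and the summary. When comparing two proxy builds the way the message does, confirm that both frontends still carry the `capture cookie` directive first; without it the cookie column reads "-" for every hit regardless of what the browser sent.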
From: Maxim Solodovnik [mailto:[email protected]]
Sent: Thursday, September 21, 2017 9:50 AM
To: Openmeetings user-list <[email protected]>;
[email protected]
Subject: Re: 3.3.2 Snapshot: Login not Posting via Proxy
Not sure what is going on.
Maybe you can check with Wireshark what data is being sent/received?
On Thu, Sep 21, 2017 at 3:05 PM, Coscend@OM <[email protected]> wrote:
Dear Maxim,
Below is the summary (and detail) of the browser log. Why is the form data
being blocked? Any vectors to resolve this would be appreciated.
Summary of browser log
==================
The browser / Network tab log has status 200 for all requests except the cookie
(302 status for redirection via the proxy).
All security headers are enabled.
The signin field at the end is '(empty)'.
'Form data' (login and pass) is missing.
Browser log Detailed
===============
Browser log of request
https://ourdomain.com/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage;jsessionid=BD8C3A0FC93992B0A980ADC9690B2F94?1-1.0-signin&_=1505980053143&navigatorAppName=Netscape&navigatorAppVersion=5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F60.0.3112.113%20Safari%2F537.36&navigatorAppCodeName=Mozilla&navigatorCookieEnabled=true&navigatorJavaEnabled=false&navigatorLanguage=en-US&navigatorPlatform=Win32&navigatorUserAgent=Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F60.0.3112.113%20Safari%2F537.36&screenWidth=1600&screenHeight=900&screenColorDepth=24&utcOffset=-6&utcDSTOffset=-5&browserWidth=2000&browserHeight=187&hostname=coscend.fortiddns.com&codebase=https%3A%2F%2Fcoscend.fortiddns.com%2Fopenmeetings%2Fsignin%3Bjsessionid%3DBD8C3A0FC93992B0A980ADC9690B2F94&settings=%7B%7D
Request
URL:https://ourdomain.com/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage;jsessionid=74112B08358FDA7D4EE6F1FB8A85D0E5?2-1.0-&_=1505979797255&
Request Method:GET
Status Code:200
Remote Address:76.186.214.195:443
Referrer Policy:no-referrer-when-downgrade
Response Headers
view source
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:Origin, X-Requested-With, Content-Type, Accept,
X-CSRF-Token, X-XSRF-TOKEN
Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin:*
Cache-Control:nocache, no-store
Content-Security-Policy:default-src 'self'; style-src 'self' 'unsafe-inline';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
Content-Type:text/xml;charset=UTF-8
Date:Thu, 21 Sep 2017 07:43:18 GMT
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Origin:http://Coscend.Fortiddns.com
Pragma:no-cache
Referrer-Policy:no-referrer-when-downgrade
Strict-Transport-Security:max-age=31536000; includeSubDomains; preload
Transfer-Encoding:chunked
X-Backend-Server-Name:openmeetings
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-XSS-Protection:1; mode=block
Request Headers
view source
Accept:application/xml, text/xml, */*; q=0.01
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
DNT:1
Host:coscend.fortiddns.com
Referer:https://ourdomain.com/openmeetings/signin;jsessionid=74112B08358FDA7D4EE6F1FB8A85D0E5
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/60.0.3112.113 Safari/537.36
Wicket-Ajax:true
Wicket-Ajax-BaseURL:signin
X-Requested-With:XMLHttpRequest
Query String Parameters
view source
view URL encoded
2-1.0-:
_:1505979797255
(empty)
Thank you.
Sincerely,
Hemant K. Sabat
Coscend Communications Solutions
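The response headers pasted above from the browser's Network tab are worth auditing on their own, independently of the login problem. The Python below is an added example, not code from this thread or from the OpenMeetings project. It parses a `Name:value` header dump in that copy-paste format (long values wrap onto a following line without a colon) and flags a few settings a reviewer would question: `'unsafe-inline'` and `'unsafe-eval'` in the script sources, a wildcard `Access-Control-Allow-Origin` combined with `Access-Control-Allow-Credentials: true`, an unrecognised `Cache-Control` token (`nocache` rather than `no-cache`), and a request header (`Origin`) appearing on the response. None of these is claimed here to be the cause of the login failure. The sample input is the response header block from the message above, verbatim.

```python
"""Audit a 'Name:value' response-header dump, as copied from a browser's
Network tab, for settings a security reviewer would question."""
from typing import Dict, List

# Sample input: the response headers quoted in the message above, verbatim
# (not constructed). Wrapped continuation lines carry no colon.
SAMPLE_RESPONSE_HEADERS = """\
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:Origin, X-Requested-With, Content-Type, Accept,
X-CSRF-Token, X-XSRF-TOKEN
Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin:*
Cache-Control:nocache, no-store
Content-Security-Policy:default-src 'self'; style-src 'self' 'unsafe-inline';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
Content-Type:text/xml;charset=UTF-8
Date:Thu, 21 Sep 2017 07:43:18 GMT
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Origin:http://Coscend.Fortiddns.com
Pragma:no-cache
Referrer-Policy:no-referrer-when-downgrade
Strict-Transport-Security:max-age=31536000; includeSubDomains; preload
Transfer-Encoding:chunked
X-Backend-Server-Name:openmeetings
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-XSS-Protection:1; mode=block
"""

# Cache-Control response directives from RFC 7234 plus widely deployed
# extensions; anything else is silently ignored by browsers.
VALID_CACHE_CONTROL = {
    'max-age', 'max-stale', 'min-fresh', 'no-cache', 'no-store', 'no-transform',
    'only-if-cached', 'must-revalidate', 'public', 'private', 'proxy-revalidate',
    's-maxage', 'immutable', 'stale-while-revalidate', 'stale-if-error',
}


def parse_headers(dump: str) -> Dict[str, str]:
    """Parse 'Name:value' lines into a dict keyed by lower-cased name.
    A line without any colon is appended to the previous header (the Network
    tab wraps long values that way). Values such as dates and URLs still
    split correctly because only the first colon separates name and value;
    a wrapped continuation that itself contains a colon is the one case
    this simple parser misreads."""
    headers: Dict[str, str] = {}
    last = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ':' in line:
            name, _, value = line.partition(':')
            last = name.strip().lower()
            headers[last] = value.strip()
        elif last is not None:
            headers[last] += ' ' + line
    return headers


def csp_directives(csp: str) -> Dict[str, List[str]]:
    """'default-src 'self'; script-src 'self' 'unsafe-eval'' -> {name: [sources]}."""
    out: Dict[str, List[str]] = {}
    for part in csp.split(';'):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: List[str] = []
    csp = csp_directives(headers.get('content-security-policy', ''))
    script_src = csp.get('script-src', csp.get('default-src', []))
    loose = [s for s in ("'unsafe-inline'", "'unsafe-eval'") if s in script_src]
    if loose:
        findings.append(f"CSP script sources allow {' and '.join(loose)}; the policy "
                        "gives little protection against injected script")
    if (headers.get('access-control-allow-origin') == '*'
            and headers.get('access-control-allow-credentials', '').lower() == 'true'):
        findings.append("Access-Control-Allow-Origin '*' is combined with "
                        "Access-Control-Allow-Credentials true; browsers refuse credentialed "
                        "cross-origin responses with a wildcard origin, so this either does "
                        "nothing or hides an over-broad CORS policy")
    for token in headers.get('cache-control', '').split(','):
        name = token.strip().split('=', 1)[0].lower()
        if name and name not in VALID_CACHE_CONTROL:
            findings.append(f"unrecognised Cache-Control directive '{name}' "
                            "(a typo such as 'nocache' for 'no-cache' is silently ignored)")
    if 'origin' in headers:
        findings.append("'Origin' is a request header; its presence on a response is unusual "
                        "and worth checking in the proxy configuration")
    return findings


if __name__ == '__main__':
    for finding in audit_headers(parse_headers(SAMPLE_RESPONSE_HEADERS)):
        print('-', finding)
```

Paste any header block from the Network tab into `SAMPLE_RESPONSE_HEADERS` and run the script; the checks are deliberately conservative, so an empty result means only that none of these four patterns is present, not that the headers are correct.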
From: Maxim Solodovnik [mailto:[email protected]]
Sent: Thursday, September 21, 2017 2:27 AM
To: Openmeetings user-list <[email protected]>;
[email protected]
Subject: Re: 3.3.2 Snapshot: Login not Posting via Proxy
You have no chance of seeing the "WebSocketBehavior::onConnect" log message,
because your login is unsuccessful,
as you are saying there are no errors in the logs ...
Are there any errors in browser console? network tab?
On Thu, Sep 21, 2017 at 2:08 PM, Coscend@OM <[email protected]> wrote:
Dear Maxim,
CSRF is not violated in the proxy scenario because:
1. There are no OM log records of a CSRF violation.
2. Also, 3.3.0, which has the CSRF event listener enabled
(Application.java @235), is working fine. 3.3.0 is working fine under the same
proxy settings and the same server / environment.
-----------Log DIFFs---------Detailed logs at the end.
DIFF between FAILED (via proxy) vs SUCCESSFUL (without proxy) login: the
following lines are MISSING when it FAILS:
DEBUG 09-20 11:05:33.339 631732 229 o.a.o.w.c.MainPanel [105-6083-exec-6] -
WebSocketBehavior::onConnect [uid: 648aabcf-2bc0-4df5-b891-065e3ffde9c3,
session: E73B6C62D991E218215709F7F7095547, key: org.apache.wicket.protocol.ws.api.registry.PageIdKey@0]
DEBUG 09-20 11:05:33.342 631735 91 o.w.d.h.HazelcastDataStore [ageSavingThread]
- Inserted data for session 'E73B6C62D991E218215709F7F7095547' and page id '0'
DEBUG 09-20 11:05:33.351 631744 238 o.a.o.w.c.MainPanel [105-6083-exec-7] -
WebSocketBehavior:: pingTimer is attached
-------------Relevant DIFF of 3.3.2 and 3.3.0 files-----------
Could any of these changes require some additional proxy settings?
openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/ISlaveHTTPConnectionManager.java
removed
openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/MainService.java
changed <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/MainService.java>
openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/UserService.java
changed <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/UserService.java>
openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/util/SessionVariablesUtil.java
removed
openmeetings-core/src/main/java/org/apache/openmeetings/core/session/ServerUtil.java
removed
openmeetings-core/src/main/java/org/apache/openmeetings/core/session/SessionManager.java
changed <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/session/SessionManager.java>
openmeetings-core/src/main/java/org/apache/openmeetings/core/session/store/DatabaseStore.java
removed
openmeetings-core/src/main/java/org/apache/openmeetings/core/session/store/HashMapStore.java
removed
openmeetings-core/src/main/java/org/apache/openmeetings/core/session/store/IClientPersistenceStore.java
removed
openmeetings-core/src/main/java/org/apache/openmeetings/core/util/IClientUtil.java
added <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/IClientUtil.java>
openmeetings-core/src/main/java/org/apache/openmeetings/core/util/WebSocketHelper.java
changed <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/WebSocketHelper.java>
openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageAll.java
added <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageAll.java>
openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageChat.java
added <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageChat.java>
openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoom.java
added <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoom.java>
openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoomMsg.java
added <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoomMsg.java>
openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageUser.java
added <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageUser.java>
openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/ISessionManager.java
changed <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/ISessionManager.java>
openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/ServerDao.java
removed
openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/SessiondataDao.java
changed <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/SessiondataDao.java>
Logs: FAILED LOGIN
===================
Step 1: Load Login Page
----------
DEBUG 09-20 15:33:59.748 388830 91 o.w.d.h.HazelcastDataStore [ageSavingThread]
- Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'
DEBUG 09-20 15:33:59.915 388997 91 o.w.d.h.HazelcastDataStore [ageSavingThread]
- Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'
DEBUG 09-20 15:33:59.947 389029 91 o.w.d.h.HazelcastDataStore [ageSavingThread]
- Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'
DEBUG 09-20 15:34:00.236 389318 91 o.w.d.h.HazelcastDataStore [ageSavingThread]
- Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'
DEBUG 09-20 15:34:00.316 389398 91 o.w.d.h.HazelcastDataStore [ageSavingThread]
- Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'
Step 2: POST / Authentication
--------
DEBUG 09-20 15:35:50.776 499858 642 o.a.o.d.d.u.UserDao [105-6083-exec-5] -
login:: 1 users were found
DEBUG 09-20 15:35:51.228 500310 40 o.a.o.d.u.AuthLevelUtil [105-6083-exec-5] -
Level Login :: [GRANTED]
DEBUG 09-20 15:35:51.229 500311 659 o.a.o.d.d.u.UserDao [105-6083-exec-5] -
loginUser [GroupUser [id=1, moderator=false, group=Group [id=1, name=Coscend,
deleted=false], user=User [id=1, firstname=firstname, lastname=lastname,
login=Coscend.Insights, pictureuri=null, deleted=false, languageId=1,
address=Address [id=1, country=US, street=null, town=null, zip=null,
deleted=false, email=<>@Coscend.com, phone=null], externalId=null,
externalType=null, type=user]]]
DEBUG 09-20 15:35:51.233 500315 40 o.a.o.d.u.AuthLevelUtil [105-6083-exec-5] -
Level Admin :: [GRANTED]
DEBUG 09-20 15:35:51.236 500318 91 o.w.d.h.HazelcastDataStore [ageSavingThread]
- Inserted data for session 'EE17FFD4E063A1234AF5E595D772F897' and page id '1'
DEBUG 09-20 15:35:51.286 500368 87 o.a.o.d.d.s.LdapConfigDao [105-6083-exec-1]
- getActiveLdapConfigs
DEBUG 09-20 15:35:51.297 500379 91 o.w.d.h.HazelcastDataStore [ageSavingThread]
- Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'
DEBUG 09-20 15:35:51.468 500550 91 o.w.d.h.HazelcastDataStore [ageSavingThread]
- Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'
DEBUG 09-20 15:35:51.501 500583 91 o.w.d.h.HazelcastDataStore [ageSavingThread]
- Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'
DEBUG 09-20 15:35:51.812 500894 91 o.w.d.h.HazelcastDataStore [ageSavingThread]
- Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'
DEBUG 09-20 15:35:51.892 500974 91 o.w.d.h.HazelcastDataStore [ageSavingThread]
- Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'
Thank you.
Sincerely,
Hemant K. Sabat
Coscend Communications Solutions
From: Maxim Solodovnik [mailto:[email protected]]
Sent: Thursday, September 21, 2017 12:41 AM
To: Openmeetings user-list <[email protected]>;
[email protected]
Subject: Re: 3.3.2 Snapshot: Login not Posting via Proxy
In case of CSRF you should have a record in the logs that CSRF was violated.
Is it the case?
On Thu, Sep 21, 2017 at 3:56 AM, Coscend@OM <[email protected]> wrote:
Dear OpenMeetings Users,
We would appreciate any vectors to resolve the following issue:
We successfully installed, configured and logged in to OM 3.3.2 Snapshot:
1. Internally, i.e., http://IP:port/openmeetings
2. Externally, i.e., http://<our.FQDN.name>:port/openmeetings
OM logs have a line:
DEBUG 09-20 14:45:14.219 221956 388 o.a.o.w.a.Application [105-6083-exec-2] -
Adding online client: 63e8a860-65c6-4687-a7e0-ca435ca21ec6, room: null
ISSUE
--------
However, we are unable to log in to OM 3.3.2 Snapshot via the proxy server.
When we click on submit username/password, it reloads the login page.
OM logs are MISSING this line: “Adding online client:…”
QUESTIONS
--------
1. What has changed between OM 3.3.2 and 3.3.0 that prevents login
credentials from being POSTed? Anything to do with session variables and
session request handlers?
2. We have used the proxy server settings that work perfectly with OM 3.3.0,
in which CSRF, CSP and XSS were introduced.
Alteametasoft demo server: what additional proxy settings need to be added to
the Apache web server to enable OM 3.3.2?
Source of proxy server settings:
i) CSRF: http://markmail.org/message/o4szinpxt4e2tzch
ii) Proxy logging: http://markmail.org/message/mft3m5bdjeqxwicw
Thank you.
Sincerely,
Hemant K. Sabat
Coscend Communications Solutions
--
WBR
Maxim aka solomax