JSESSIONID should be in the cookies
And since everything works without proxy I guess it is in the cookies

On Fri, Sep 22, 2017 at 2:04 AM, Coscend@OM <[email protected]> wrote:
> Dear Maxim,
>
> Based on your vector, we found out the cause of the error (see below).
> Your further guidance would help us resolve the error.
>
> Cause
> ---------
> In 3.3.0, proxy server is capturing JSESSIONID. In 3.3.2, proxy server is
> NOT ABLE TO capture JSESSIONID.
>
> QUESTION
> ----------------
> Could you please advise in publishing session cookie, how is OM 3.3.2
> different from 3.3.0? Proxy server logs are below. Thank you.
>
> Proxy server logs
> -----------------
> In OM 3.3.0, proxy server is capturing JSESSIONID in each line.
>
> Sep 21 13:36:07 localhost proxy-server[10415]: 192.168.100.152:56085 [21/Sep/2017:13:36:07.914] webapps-frontend~ subdomain-backend/openmeetings 0/0/0/3/10 200 86916 JSESSIONID=66BC3A6F228503A5D39F4B8E6F1FF951 - ---- 6/6/0/0/0 0/0 {<ourdomain>.com||https://<ourdomain>.com/Co} {|86575|max-age=||||||||||cache|||||} "GET /openmeetings/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-3.2.1-ver-3B390F5614B3789CE71FFA5C856AA35E.js HTTP/1.1"
>
> In OM 3.3.2, JSESSIONID is missing.
>
> Sep 21 13:39:23 localhost proxy-server[10517]: 192.168.100.152:56391 [21/Sep/2017:13:39:23.450] webapps-frontend~ subdomain-backend/openmeetings 0/0/1/4/8 200 86916 - - ---- 6/6/0/0/0 0/0 {<ourdomain>.com||https://<ourdomain>.com/Co} {|86575|max-age=||||||||||cache|||||} "GET /openmeetings/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-3.2.1-ver-3B390F5614B3789CE71FFA5C856AA35E.js HTTP/1.1"
>
> Sincerely,
>
> Hemant K. Sabat
>
> Coscend Communications Solutions
> www.Coscend.com <http://www.coscend.com/>
> ------------------------------------------------------------------
> *Real-time, Interactive Video Collaboration, Tele-healthcare,
> Tele-education, Telepresence Services, on the fly…*
> ------------------------------------------------------------------
> CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail
> Messages from Coscend Communications Solutions' posted at:
> http://www.Coscend.com/Terms_and_Conditions.html
>
> *From:* Maxim Solodovnik [mailto:[email protected]]
> *Sent:* Thursday, September 21, 2017 9:50 AM
> *To:* Openmeetings user-list <[email protected]>; [email protected]
> *Subject:* Re: 3.3.2 Snapshot: Login not Posting via Proxy
>
> Not sure what is going on
> Maybe you can check with wireshark what data is being sent/received?
>
> On Thu, Sep 21, 2017 at 3:05 PM, Coscend@OM <[email protected]> wrote:
> Dear Maxim,
>
> Below is the summary (and detail) of browser log. Why is Form data being
> blocked? Any vectors to resolve this would be appreciated.
>
> Summary of browser log
> ==================
> Browser / Network tab log has status 200 for all requests except cookie
> (302 status for redirection via proxy).
> All security headers enabled.
> The signin field at the end is ‘(empty)’.
> ‘Form data’ (login and pass) is missing.
>
> Browser log Detailed
> ===============
> Browser log of request https://ourdomain.com/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage;jsessionid=BD8C3A0FC93992B0A980ADC9690B2F94?1-1.0-signin&_=1505980053143&navigatorAppName=Netscape&navigatorAppVersion=5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F60.0.3112.113%20Safari%2F537.36&navigatorAppCodeName=Mozilla&navigatorCookieEnabled=true&navigatorJavaEnabled=false&navigatorLanguage=en-US&navigatorPlatform=Win32&navigatorUserAgent=Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F60.0.3112.113%20Safari%2F537.36&screenWidth=1600&screenHeight=900&screenColorDepth=24&utcOffset=-6&utcDSTOffset=-5&browserWidth=2000&browserHeight=187&hostname=coscend.fortiddns.com&codebase=https%3A%2F%2Fcoscend.fortiddns.com%2Fopenmeetings%2Fsignin%3Bjsessionid%3DBD8C3A0FC93992B0A980ADC9690B2F94&settings=%7B%7D
>
> Request URL: https://ourdomain.com/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage;jsessionid=74112B08358FDA7D4EE6F1FB8A85D0E5?2-1.0-&_=1505979797255&
> Request Method: GET
> Status Code: 200
> Remote Address: 76.186.214.195:443
> Referrer Policy: no-referrer-when-downgrade
>
> Response Headers
> Access-Control-Allow-Credentials: true
> Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, X-CSRF-Token, X-XSRF-TOKEN
> Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
> Access-Control-Allow-Origin: *
> Cache-Control: nocache, no-store
> Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';
> Content-Type: text/xml;charset=UTF-8
> Date: Thu, 21 Sep 2017 07:43:18 GMT
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Origin: http://Coscend.Fortiddns.com
> Pragma: no-cache
> Referrer-Policy: no-referrer-when-downgrade
> Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
> Transfer-Encoding: chunked
> X-Backend-Server-Name: openmeetings
> X-Content-Type-Options: nosniff
> X-Frame-Options: SAMEORIGIN
> X-XSS-Protection: 1; mode=block
>
> Request Headers
> Accept: application/xml, text/xml, */*; q=0.01
> Accept-Encoding: gzip, deflate, br
> Accept-Language: en-US,en;q=0.8
> Connection: keep-alive
> DNT: 1
> Host: coscend.fortiddns.com
> Referer: https://ourdomain.com/openmeetings/signin;jsessionid=74112B08358FDA7D4EE6F1FB8A85D0E5
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
> Wicket-Ajax: true
> Wicket-Ajax-BaseURL: signin
> X-Requested-With: XMLHttpRequest
>
> Query String Parameters
> 2-1.0-:
> _: 1505979797255
> (empty)
>
> Thank you.
>
> Sincerely,
>
> Hemant K. Sabat
> Coscend Communications Solutions
> www.Coscend.com
>
> *From:* Maxim Solodovnik [mailto:[email protected]]
> *Sent:* Thursday, September 21, 2017 2:27 AM
> *To:* Openmeetings user-list <[email protected]>; [email protected]
> *Subject:* Re: 3.3.2 Snapshot: Login not Posting via Proxy
>
> You have no chances to see "WebSocketBehavior::onConnect" log message
> since your login is unsuccessful
>
> as you are saying there are no errors in the logs ...
>
> Are there any errors in browser console? network tab?
>
> On Thu, Sep 21, 2017 at 2:08 PM, Coscend@OM <[email protected]> wrote:
> Dear Maxim,
>
> CSRF is not violated in proxy scenario because:
> 1. No OM log records of CSRF violation.
> 2. Also, 3.3.0 is working fine that has CSRF event listener enabled
> (Application.Java @235). 3.3.0 is working fine under same proxy setting
> and same server / environment.
>
> -----------Log DIFFs---------Detailed logs at the end.
>
> DIFF between FAILED (via proxy) vs SUCCESSFUL (without proxy) login: the
> following lines are MISSING when it FAILS:
>
> DEBUG 09-20 11:05:33.339 631732 229 o.a.o.w.c.MainPanel [105-6083-exec-6] - WebSocketBehavior::onConnect [uid: 648aabcf-2bc0-4df5-b891-065e3ffde9c3, session: E73B6C62D991E218215709F7F7095547, key: org.apache.wicket.protocol.ws.api.registry.PageIdKey@0]
> DEBUG 09-20 11:05:33.342 631735 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'E73B6C62D991E218215709F7F7095547' and page id '0'
> DEBUG 09-20 11:05:33.351 631744 238 o.a.o.w.c.MainPanel [105-6083-exec-7] - WebSocketBehavior:: pingTimer is attached
>
> -------------Relevant DIFF of 3.3.2 and 3.3.0 files-----------
> Could any of these changes require some additional proxy settings?
>
> openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/ISlaveHTTPConnectionManager.java
>   removed
> openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/MainService.java <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/MainService.java>
>   changed
> openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/UserService.java <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/UserService.java>
>   changed
> openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/util/SessionVariablesUtil.java
>   removed
> openmeetings-core/src/main/java/org/apache/openmeetings/core/session/ServerUtil.java
>   removed
> openmeetings-core/src/main/java/org/apache/openmeetings/core/session/SessionManager.java <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/session/SessionManager.java>
>   changed
> openmeetings-core/src/main/java/org/apache/openmeetings/core/session/store/DatabaseStore.java
>   removed
> openmeetings-core/src/main/java/org/apache/openmeetings/core/session/store/HashMapStore.java
>   removed
> openmeetings-core/src/main/java/org/apache/openmeetings/core/session/store/IClientPersistenceStore.java
>   removed
> openmeetings-core/src/main/java/org/apache/openmeetings/core/util/IClientUtil.java <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/IClientUtil.java>
>   added
> openmeetings-core/src/main/java/org/apache/openmeetings/core/util/WebSocketHelper.java <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/WebSocketHelper.java>
>   changed
> openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageAll.java <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageAll.java>
>   added
> openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageChat.java <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageChat.java>
>   added
> openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoom.java <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoom.java>
>   added
> openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoomMsg.java <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageRoomMsg.java>
>   added
> openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageUser.java <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-core/src/main/java/org/apache/openmeetings/core/util/ws/WsMessageUser.java>
>   added
> openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/ISessionManager.java <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/ISessionManager.java>
>   changed
> openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/ServerDao.java
>   removed
> openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/SessiondataDao.java <https://fossies.org/linux/www/apache-openmeetings-3.3.1-src.tar.gz/openmeetings-db/src/main/java/org/apache/openmeetings/db/dao/server/SessiondataDao.java>
>   changed
>
> Logs: FAILED LOGIN
> ===================
> Step 1: Load Login Page
> ----------
> DEBUG 09-20 15:33:59.748 388830 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'
> DEBUG 09-20 15:33:59.915 388997 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'
> DEBUG 09-20 15:33:59.947 389029 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'
> DEBUG 09-20 15:34:00.236 389318 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'
> DEBUG 09-20 15:34:00.316 389398 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'D6BC338DED09B3A5E5105569B4D39C01' and page id '6'
>
> Step 2: POST / Authentication
> --------
> DEBUG 09-20 15:35:50.776 499858 642 o.a.o.d.d.u.UserDao [105-6083-exec-5] - login:: 1 users were found
> DEBUG 09-20 15:35:51.228 500310 40 o.a.o.d.u.AuthLevelUtil [105-6083-exec-5] - Level Login :: [GRANTED]
> DEBUG 09-20 15:35:51.229 500311 659 o.a.o.d.d.u.UserDao [105-6083-exec-5] - loginUser [GroupUser [id=1, moderator=false, group=Group [id=1, name=Coscend, deleted=false], user=User [id=1, firstname=firstname, lastname=lastname, login=Coscend.Insights, pictureuri=null, deleted=false, languageId=1, address=Address [id=1, country=US, street=null, town=null, zip=null, deleted=false, email=<>@Coscend.com, phone=null], externalId=null, externalType=null, type=user]]]
> DEBUG 09-20 15:35:51.233 500315 40 o.a.o.d.u.AuthLevelUtil [105-6083-exec-5] - Level Admin :: [GRANTED]
> DEBUG 09-20 15:35:51.236 500318 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session 'EE17FFD4E063A1234AF5E595D772F897' and page id '1'
> DEBUG 09-20 15:35:51.286 500368 87 o.a.o.d.d.s.LdapConfigDao [105-6083-exec-1] - getActiveLdapConfigs
> DEBUG 09-20 15:35:51.297 500379 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'
> DEBUG 09-20 15:35:51.468 500550 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'
> DEBUG 09-20 15:35:51.501 500583 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'
> DEBUG 09-20 15:35:51.812 500894 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'
> DEBUG 09-20 15:35:51.892 500974 91 o.w.d.h.HazelcastDataStore [ageSavingThread] - Inserted data for session '1ECB3A19302921EF126DE4FD76C82D5F' and page id '1'
>
> Thank you.
>
> Sincerely,
>
> Hemant K. Sabat
> Coscend Communications Solutions
> www.Coscend.com
>
> *From:* Maxim Solodovnik [mailto:[email protected]]
> *Sent:* Thursday, September 21, 2017 12:41 AM
> *To:* Openmeetings user-list <[email protected]>; [email protected]
> *Subject:* Re: 3.3.2 Snapshot: Login not Posting via Proxy
>
> In case of CSRF you should have the record in the logs CSRF was violated
> Is it the case?
>
> On Thu, Sep 21, 2017 at 3:56 AM, Coscend@OM <[email protected]> wrote:
> Dear OpenMeetings Users,
>
> We would appreciate any vectors to resolve the following issue:
>
> We successfully installed, configured, logged in OM 3.3.2 Snapshot
> 1. Internally, i.e., http://IP:port/openmeetings
> 2. Externally, i.e., http://<our.FQDN.name>:port/openmeetings
> OM logs have a line:
> DEBUG 09-20 14:45:14.219 221956 388 o.a.o.w.a.Application [105-6083-exec-2] - Adding online client: 63e8a860-65c6-4687-a7e0-ca435ca21ec6, room: null
>
> ISSUE
> --------
> However, we are unable to login to OM 3.3.2 Snapshot via Proxy server.
> When we click on submit username/password, it reloads the login page.
> OM logs are MISSING this line: “Adding online client:…”
>
> QUESTIONS
> --------
> 1. What has changed between OM 3.3.2 and 3.3.0 that does not POST
> login credentials? Anything to do with Session variables and session
> request handlers?
> 2. We have used the proxy server settings that are working perfectly
> with OM 3.3.0 in which CSRF and CSP, XSS were introduced.
> Alteametasoft Demo server: What additional proxy settings need to be
> added to Apache Web server to enable OM 3.3.2?
>
> Source of proxy server settings:
> i) CSRF: http://markmail.org/message/o4szinpxt4e2tzch
> ii) Proxy logging: http://markmail.org/message/mft3m5bdjeqxwicw
>
> Thank you.
>
> Sincerely,
>
> Hemant K. Sabat
> Coscend Communications Solutions
> www.Coscend.com
>
> --
> WBR
> Maxim aka solomax

--
WBR
Maxim aka solomax
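The proxy lines quoted in this thread are compared by eye for the presence of the captured JSESSIONID field. The following checker, added here as an illustration and not code from the thread or from the OpenMeetings project, parses such lines and reports two things a defender wants from a reverse proxy log: requests that reached the backend with no session cookie, and requests on which the backend issued a fresh session cookie while none came in (session churn, the proxy-side signature of a client that never returns the cookie). It assumes the lines are HAProxy `option httplog` output with a captured JSESSIONID request cookie (the field that reads `-` in the 3.3.2 line); the first two sample lines are the ones posted above, re-joined, and the third is constructed to show the churn case.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed layout: HAProxy "option httplog" with one captured request cookie
# ("capture cookie JSESSIONID= len 64" in the frontend), which is what the proxy
# lines quoted in the thread look like. HAProxy writes "-" in the captured request
# and response cookie fields when no matching cookie was seen.
HTTPLOG_RE = re.compile(
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3}):(?P<cport>\d+)\s+"
    r"\[(?P<accept_date>[^\]]+)\]\s+"
    r"(?P<frontend>\S+)\s+"
    r"(?P<backend>[^/\s]+)/(?P<server>\S+)\s+"
    r"(?P<timers>\d+/\d+/\d+/\d+/\d+)\s+"
    r"(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+"
    r"(?P<req_cookie>\S+)\s+"
    r"(?P<resp_cookie>\S+)\s+"
    r"(?P<term_state>\S{4})\s+"
    r"(?P<conns>\S+)\s+(?P<queues>\S+)\s+"
    r"\{(?P<req_hdrs>[^}]*)\}\s+\{(?P<resp_hdrs>[^}]*)\}\s+"
    r'"(?P<request>[^"]*)"'
)


@dataclass
class ProxyRecord:
    accept_date: str
    frontend: str
    backend: str
    server: str
    status: int
    req_cookie: Optional[str]   # raw "NAME=value" captured from the request, or None
    resp_cookie: Optional[str]  # raw "NAME=value" captured from Set-Cookie, or None
    request: str


def parse_httplog(line: str) -> Optional[ProxyRecord]:
    """Parse one proxy log line (a syslog prefix is tolerated); None if it does not match."""
    m = HTTPLOG_RE.search(line)
    if m is None:
        return None

    def dash(value: str) -> Optional[str]:
        return None if value == "-" else value

    return ProxyRecord(
        accept_date=m["accept_date"], frontend=m["frontend"],
        backend=m["backend"], server=m["server"], status=int(m["status"]),
        req_cookie=dash(m["req_cookie"]), resp_cookie=dash(m["resp_cookie"]),
        request=m["request"],
    )


def cookie_value(captured: Optional[str], name: str = "JSESSIONID") -> Optional[str]:
    """Value of cookie `name` from a captured "NAME=value" field, else None."""
    if not captured:
        return None
    key, sep, value = captured.partition("=")
    return value if sep and key == name else None


def requests_without_session(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(accept_date, request) for each parsed line whose request carried no JSESSIONID."""
    out = []
    for rec in map(parse_httplog, lines):
        if rec is not None and cookie_value(rec.req_cookie) is None:
            out.append((rec.accept_date, rec.request))
    return out


def session_churn(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(accept_date, new session id) where the backend issued a JSESSIONID via
    Set-Cookie on a request that carried none: each hit is a brand-new server-side
    session, i.e. the cookie is being set but never sent back through the proxy."""
    out = []
    for rec in map(parse_httplog, lines):
        if rec is None:
            continue
        issued = cookie_value(rec.resp_cookie)
        if issued is not None and cookie_value(rec.req_cookie) is None:
            out.append((rec.accept_date, issued))
    return out


# Sample input: lines 1 and 2 are the 3.3.0 and 3.3.2 proxy lines from the thread,
# re-joined; line 3 is constructed (status, byte count and session id are made up)
# to show a login POST on which the backend hands out a new session cookie.
SAMPLE_LINES = [
    "Sep 21 13:36:07 localhost proxy-server[10415]: 192.168.100.152:56085 "
    "[21/Sep/2017:13:36:07.914] webapps-frontend~ subdomain-backend/openmeetings "
    "0/0/0/3/10 200 86916 JSESSIONID=66BC3A6F228503A5D39F4B8E6F1FF951 - ---- "
    "6/6/0/0/0 0/0 {<ourdomain>.com||https://<ourdomain>.com/Co} "
    "{|86575|max-age=||||||||||cache|||||} \"GET /openmeetings/wicket/resource/"
    "org.apache.wicket.resource.JQueryResourceReference/jquery/"
    "jquery-3.2.1-ver-3B390F5614B3789CE71FFA5C856AA35E.js HTTP/1.1\"",
    "Sep 21 13:39:23 localhost proxy-server[10517]: 192.168.100.152:56391 "
    "[21/Sep/2017:13:39:23.450] webapps-frontend~ subdomain-backend/openmeetings "
    "0/0/1/4/8 200 86916 - - ---- 6/6/0/0/0 0/0 "
    "{<ourdomain>.com||https://<ourdomain>.com/Co} "
    "{|86575|max-age=||||||||||cache|||||} \"GET /openmeetings/wicket/resource/"
    "org.apache.wicket.resource.JQueryResourceReference/jquery/"
    "jquery-3.2.1-ver-3B390F5614B3789CE71FFA5C856AA35E.js HTTP/1.1\"",
    "Sep 21 13:39:30 localhost proxy-server[10517]: 192.168.100.152:56392 "
    "[21/Sep/2017:13:39:30.101] webapps-frontend~ subdomain-backend/openmeetings "
    "0/0/0/5/9 302 312 - JSESSIONID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ---- "
    "6/6/0/0/0 0/0 {<ourdomain>.com||https://<ourdomain>.com/Co} "
    "{|||||||||||||||} \"POST /openmeetings/signin HTTP/1.1\"",
]

if __name__ == "__main__":
    for when, req in requests_without_session(SAMPLE_LINES):
        print(f"no JSESSIONID on request at {when}: {req[:60]}")
    for when, sid in session_churn(SAMPLE_LINES):
        print(f"new session {sid} issued at {when} to a request that sent none")
```

Run against a real log, `requests_without_session` lists exactly the lines the thread had to find by hand, and `session_churn` separates "the browser never sends the cookie back" from "the backend never sets it", which is the distinction the top reply is asking about when it says the cookie should be in the cookies.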
