nael-lilik / mconf

Automatically exported from code.google.com/p/mconf

Change the mobile demo as discussed with the BigBlueButton core team #174

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
(Here's the message sent by Fred:)

We'll add an api demo called mobile.jsp accessible from

  http://<server_name>/demo/mobile.jsp

There will be a configuration file

  http://<server_name>/demo/mobile_conf.jsp

that contains a randomly generated mobileSalt (password).

<%!
// This is the security salt that must match the value set in the
// BigBlueButton server
String mobileSalt = "03b07";
%>

which is 5 digits in length ... short enough for someone to enter
into their mobile device.  This isn't meant to be super-secure, but it
does prevent someone from making an arbitrary call to the server to
get all the meetings and passwords.

The mobile client can then make the call

    http://<server_name>/demo/mobile.jsp?action=getMeetings&checksum=3423423423

where checksum is created by a sha-hmac of the url + salt
(http://<server_name>/demo/mobile.jsp?action=getMeetings03b07) and the
mobileSalt (03b07).

To make this slightly more secure, you could enhance mobile.jsp to
provide a timestamp (Unix epoch)

   http://<server_name>/demo/mobile.jsp?action=getTimeStamp

which could be included in the subsequent call to getMeetings

     http://<server_name>/demo/mobile.jsp?action=getMeetings&timeStamp=23423232&checksum=3423423423

This way, the server will only accept calls with a timeStamp within 60
seconds of the current time.  This prevents someone from sniffing the
above URL and reusing it at a later time.

You can use the checksum for the join as well, but we'll be adding a
startTime parameter to the join request which will make it unusable
after the meeting ends.

Original issue reported on code.google.com by fceca...@gmail.com on 4 Jul 2011 at 2:32
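The checksum and timestamp scheme from Fred's message, written out as an added Python example (this is not mconf or BigBlueButton code). It assumes "sha-hmac of the url + salt" means HMAC-SHA1 keyed with the salt over the message url + salt, since the message does not fix the exact construction; the host name is a constructed placeholder.

```python
import hmac
import hashlib
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Salt value quoted in the message above; a real deployment generates its own.
MOBILE_SALT = "03b07"
# Replay window proposed in the message: timeStamp within 60 s of server time.
WINDOW_SECONDS = 60


def compute_checksum(unsigned_url: str, salt: str) -> str:
    # Assumption: "sha-hmac of the url + salt" is read as HMAC-SHA1 keyed with
    # the salt over the message (url + salt); the message fixes neither detail.
    message = (unsigned_url + salt).encode()
    return hmac.new(salt.encode(), message, hashlib.sha1).hexdigest()


def sign_request(base_url: str, action: str, salt: str, timestamp=None) -> str:
    # Client side: build the unsigned URL, then append checksum as the last parameter.
    params = [("action", action)]
    if timestamp is not None:
        params.append(("timeStamp", str(timestamp)))
    unsigned = f"{base_url}?{urlencode(params)}"
    return f"{unsigned}&checksum={compute_checksum(unsigned, salt)}"


def verify_request(url: str, salt: str, now=None):
    # Server side: strip the checksum, recompute it over what remains, compare in
    # constant time, then reject requests whose timeStamp is outside the window.
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    presented = [v for k, v in params if k == "checksum"]
    if len(presented) != 1:
        return False, "missing checksum"
    remaining = [(k, v) for k, v in params if k != "checksum"]
    unsigned = urlunsplit(parts._replace(query=urlencode(remaining)))
    expected = compute_checksum(unsigned, salt)
    if not hmac.compare_digest(expected.encode(), presented[0].encode()):
        return False, "bad checksum"
    ts = dict(remaining).get("timeStamp")
    if ts is None:
        return False, "missing timeStamp"
    if not ts.isdigit() or abs(now - int(ts)) > WINDOW_SECONDS:
        return False, "stale timeStamp"
    return True, "ok"
```

Without the timeStamp parameter the checksum alone is still valid indefinitely, which is exactly the replay case the 60 second window is meant to close.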

GoogleCodeExporter commented 9 years ago

Original comment by fceca...@gmail.com on 4 Jul 2011 at 6:08

GoogleCodeExporter commented 9 years ago
The Android app is already accessing the server with a password and timestamp.
It's working how it should.

Original comment by ale.lion...@gmail.com on 18 Jul 2011 at 5:29

GoogleCodeExporter commented 9 years ago
It's already integrated in the master branch of the BigBlueButton project.

The mobile-demo branch of the mconf-mobile repository must be integrated to the 
master, and tested with a production server.

Original comment by fceca...@gmail.com on 7 Aug 2011 at 11:30

GoogleCodeExporter commented 9 years ago
There are many issues testing this new demo against the test.bigbluebutton.org 
server. The main problem is related to some libraries (HttpClient and 
dependencies) that must be present in the Tomcat6 lib folder. 

Blocking this issue until the bigbluebutton vm 0.8 is released.

Original comment by fceca...@gmail.com on 12 Aug 2011 at 6:37

GoogleCodeExporter commented 9 years ago
It's working great in our mconfdev.inf.ufrgs.br server, with all the code 
refactored.

Original comment by fceca...@gmail.com on 12 Aug 2011 at 6:38

GoogleCodeExporter commented 9 years ago
The master branch is already working with both mconf.org server AND 
demo.bigbluebutton.org server.

Original comment by fceca...@gmail.com on 7 Oct 2011 at 5:57