Authentication in DimDim 4.5

alex_ct
2008-12-08
2013-05-01
  • alex_ct
    2008-12-08

    Hi

    Congratulations on a good release and documentation. I've followed your documentation and installed DimDim 4.5 on CentOS 5.2. One thing I would like advice about is how to activate some kind of authentication. Right now anyone can start a conference, and that in most cases is undesirable. In the previous releases you had the option to change

    dimdim.authenticationPolicy=NO_CHECK in the dimdim.properties file to
    CHECK_EMAIL  or CHECK_KEY and later edit

    dimdimPresenters.txt

    dimdim.presenterEmailsFile=dimdimPresenters.txt

    Can this be done in version 4.5? Would you like to describe how it's done?

    Sincerely
    Alex Contis

     
    • Greg S
      2008-12-11

      I have also been attempting to figure this out. Though not successful, here's what I have found out so far. I'm looking through the config file:

      /usr/local/dimdim/ConferenceServer/apache-tomcat-5.5.17/webapps/dimdim/WEB-INF/classes/resources/dimdim.properties

      And I found the following entries:

      dimdim.dimdimAdminsFile=dimdimAdmins.txt
      start_meeting_user_email=admin
      start_meeting_user_name=Host

      Which reference:

      /usr/local/dimdim/ConferenceServer/apache-tomcat-5.5.17/webapps/dimdim/WEB-INF/dimdimAdmins.txt

      By default there are two users listed:

      admin,bugsbunnyshow

      When I change start_meeting_user_email to something else and try to start the meeting via the main page, it says the user is unauthorized. So it appears that authentication is enabled by default and the application automatically passes a default username (admin). The funny thing is, when I changed start_meeting_user_email and then tried to pass an authorized user name via the HTTP GET method described in the documentation, it didn't seem to work. I could be doing something wrong... Wouldn't be the first time...

      Anyway, if anyone else has any other ideas, let us know...

       
    • Greg S
      2008-12-11

      Alex,

      Actually you were on point exactly with the new version..

      Here's what I did.

      Added the following line to /usr/local/dimdim/ConferenceServer/apache-tomcat-5.5.17/webapps/dimdim/WEB-INF/classes/resources/dimdim.properties

      dimdim.authenticationPolicy=CHECK_EMAIL

      Then I commented out the following lines:

      ## start_meeting_user_email=admin
      ## start_meeting_user_name=Host

      Next I changed the dimdimPresenters.txt file to only include my email address

      Then I edited /usr/local/dimdim/ConferenceServer/apache-tomcat-5.5.17/webapps/dimdim/html/signin/signin.jsp to provide input for the username/email address:

      Change:

      <tr>
            <td width="30%" align="right"><dm:I18NDisplayString component="forms" dictionary="ui_strings" key="meetingname.label"/></td>
            <td width="70%" align="left">
            <input type="text" name="confName" id="confName" class="TextBox_format" TABINDEX="2" />
            <input type="text" name="email" id="email" class="Hide"/>
            <input type="text" name="displayName" id="displayName" class="Hide"/>
            </td>
      </tr>

      To:

      <tr>
            <td width="30%" align="right"><dm:I18NDisplayString component="forms" dictionary="ui_strings" key="meetingname.label"/><br/><br/>Username</td>
            <td width="70%" align="left">
            <input type="text" name="confName" id="confName" class="TextBox_format" TABINDEX="2" />
            <input type="text" name="email" id="email" class="TextBox_format"/>
            <input type="text" name="displayName" id="displayName" class="Hide"/>
            </td>
      </tr>

      Restart the server and it works like a charm. I figured out that somehow the application is passing admin@dimdim.com as the default presenter ID (that's why it auto-populates), however I couldn't find out where to change that. I think it's in one of the Java .class files, but I'm no developer, so that's going to remain a mystery until someone smarter than me answers some questions on here.

      One can also pass the username via the HTTP GET method described in the 4.5 Server integration guide. I tested it and it works...

      Hope this helps... I know it's not the most elegant solution in the world, but until someone answers the forums on how to get to the admin interface, this was what I had to do to get this up and running so not every Tom, Dick and Harry could start presentations on my server.

       
    • Greg S
      2008-12-11

      Answered my own question

      I uncommented:

      ## start_meeting_user_email=admin

      in dimdim.properties and changed it to:

      start_meeting_user_email=

      That kept the field from auto-populating...
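
Added example, not part of the thread and not Dimdim project code: a small Python audit of the settings changed in the posts above (authentication policy, pre-filled presenter, presenter list entries). It assumes list entries are separated by commas or newlines; the finding codes and sample file contents are constructed for illustration.

```python
# Added example: audit of the DimDim 4.5 settings discussed in this thread.
# File contents below are constructed samples, not copies of a real install.
DEFAULT_ENTRIES = {"admin", "bugsbunnyshow"}  # default entries quoted in the thread

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def parse_entries(text):
    """Assumption: entries are separated by commas and/or newlines."""
    raw = text.replace("\n", ",").split(",")
    return [e.strip() for e in raw if e.strip()]

def audit(properties_text, presenters_text):
    """Return a sorted list of finding codes for the two files."""
    findings = set()
    props = parse_properties(properties_text)
    policy = props.get("dimdim.authenticationPolicy")
    if policy is None:
        findings.add("POLICY_NOT_SET")        # line absent from the file
    elif policy == "NO_CHECK":
        findings.add("POLICY_NO_CHECK")
    if props.get("start_meeting_user_email"):
        findings.add("PRESENTER_PREFILLED")   # sign-in form auto-populates
    entries = parse_entries(presenters_text)
    lowered = [e.lower() for e in entries]    # thread: matching ignores case
    if DEFAULT_ENTRIES & set(lowered):
        findings.add("DEFAULT_ENTRY_PRESENT")
    if len(set(lowered)) < len(lowered):
        findings.add("CASE_DUPLICATE_ENTRY")
    if any("@" in e for e in entries):
        findings.add("EMAIL_USED_AS_SECRET")  # possibly known to outsiders
    return sorted(findings)

STOCK_PROPS = ("dimdim.dimdimAdminsFile=dimdimAdmins.txt\n"
               "start_meeting_user_email=admin\nstart_meeting_user_name=Host\n")
HARDENED_PROPS = ("dimdim.authenticationPolicy=CHECK_EMAIL\n"
                  "start_meeting_user_email=\n## start_meeting_user_name=Host\n")

if __name__ == "__main__":
    print(audit(STOCK_PROPS, "admin,bugsbunnyshow"))
    print(audit(HARDENED_PROPS, "Xk3-constructed-passcode"))
```
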

       
      • alex_ct
        2008-12-11

        Hi!

        Followed your instructions and everything works fine. Thank you! Now I can finally start testing DimDim.

        Regards
        Alex

         
    • Curt
      2008-12-11

      Nice job!  I now can leave DimDim turned on!

       
    • This worked great for me!  I actually changed "Username" to "Passcode" as it doesn't have to be an email address.  Any text can be used, so you can supply a secure password instead of a possibly known email address.  Just make sure it's in the (unfortunately plaintext) dimdimPresenters.txt file.

       
    • I also unhid the Display Name so it can be customized.  One downside of using the email as a password is that it is not case sensitive.  It does allow for special characters however.

       
    • Andrew Wilson
      2009-02-01

      Oh dear, have you tried the following (well, this happens for me...), after setting an email address or whatever in dimdimAdmins.txt, etc.?

      Start a session.  Let people join that session, then once the meeting is underway, your guests can very simply click on the "Dimdim Web Meeting" white text line on the top left of their main window and start the debugging console (in IE-7 at least). This will reveal that secret password or email address.  Not so secure.  I suspect this was a built-in function when 4.5 was being set up.

      I will get around this but wanted to let you guys know...

      Andy.

       
      • Andy-

        Thanks for letting us know.  I've forwarded your post over to the engineering team.  I know they're often on these forums, but sent an email to make sure they see this.

        Thanks again!

        -k
        Kevin Micalizzi, Community Manager
        Dimdim Web Conferencing / http://www.dimdim.com
        e: kevin@dimdim.com / twitter: @meetdimdim
        Facebook: http://dimdim.com/facebook

         
      • tin htun aung
        2009-02-03

        Hi Andy,

        I also noticed it. The only workaround is that you need to rebuild it.
        There's a click listener on the "Dimdim Web Meeting" title, which will pop up the debug panel.
        Check out this file

        "Dimdim_v4.5_SourceCode\v4.1\WebApps\ConsoleII\src\com\dimdim\conference\ui\layout2\client\NewTopPanel.java"

        For me, I just remove the line "logoTextLabel.addClickListener(DebugPanel.getDebugPanel());" and rebuild.

        If you guys see any other things like this, pls ring the bell.

        Cheers,

        ko_aung

         
    • Andrew Wilson
      2009-02-03

      Thanks for the reply, ko_aung. Unfortunately I am using the VMware image so haven't built it.  Just wondered if there is a way of turning off the debug console option, but as you say, it's compiled Java so I suspect there is no way without an updated image.

      Andy

       
    • Will it be enough to just find the class file, decompile, edit, then recompile to cover this security hole? Or do I have to recompile the entire dimdim package?

       
    • Andrew Wilson
      2009-02-06

      Have you ever tried this?  I mean, when a Java file is decompiled, I thought we lost all the comments and variable lists, etc.?  So I wouldn't have a clue which lines to take out. Perhaps digging out the source files will give us a clue.  I'm definitely no expert with Java though!   Ideas anyone?

      Perhaps for goodwill, the Dimdim authors could simply provide an updated pre-compiled Java file for us?

      Andy