Merge pull request bigbluebutton#6513 from antobinary/401-work

BBB-web: add allowRequestsWithoutSession=false to handle missing cookie
ritzalam · Jan 8, 2019 · fee2463 · fee2463
2 parents bb6fbdf + 47dffd5
commit fee2463
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 7 deletions.
diff --git a/bbb-common-web/src/main/java/org/bigbluebutton/api/ParamsProcessorUtil.java b/bbb-common-web/src/main/java/org/bigbluebutton/api/ParamsProcessorUtil.java
@@ -80,6 +80,7 @@ public class ParamsProcessorUtil {
     private String html5ClientUrl;
     private Boolean moderatorsJoinViaHTML5Client;
     private Boolean attendeesJoinViaHTML5Client;
+    private Boolean allowRequestsWithoutSession;
     private String defaultAvatarURL;
     private String defaultConfigURL;
     private String defaultGuestPolicy;
@@ -421,6 +422,10 @@ public Boolean getModeratorsJoinViaHTML5Client() {
 		return moderatorsJoinViaHTML5Client;
 	}
 
+	public Boolean getAllowRequestsWithoutSession() {
+		return allowRequestsWithoutSession;
+	}
+
 	public String getDefaultConfigXML() {
 		defaultConfigXML = getConfig(defaultConfigURL);
 
@@ -775,6 +780,10 @@ public void setModeratorsJoinViaHTML5Client(Boolean moderatorsJoinViaHTML5Client
 		this.moderatorsJoinViaHTML5Client = moderatorsJoinViaHTML5Client;
 	}
 
+	public void setAllowRequestsWithoutSession(Boolean allowRequestsWithoutSession) {
+		this.allowRequestsWithoutSession = allowRequestsWithoutSession;
+	}
+
 	public void setAttendeesJoinViaHTML5Client(Boolean attendeesJoinViaHTML5Client) {
 		this.attendeesJoinViaHTML5Client = attendeesJoinViaHTML5Client;
 	}

diff --git a/bigbluebutton-web/grails-app/conf/bigbluebutton.properties b/bigbluebutton-web/grails-app/conf/bigbluebutton.properties
@@ -200,6 +200,9 @@ bigbluebutton.web.logoutURL=default
 # successfully joining the meeting.
 defaultClientUrl=${bigbluebutton.web.serverURL}/client/BigBlueButton.html
 
+# Allow requests without JSESSIONID to be handled (default = false)
+allowRequestsWithoutSession=false
+
 # Force all attendees to join the meeting using the HTML5 client
 attendeesJoinViaHTML5Client=false
 

diff --git a/bigbluebutton-web/grails-app/conf/spring/resources.xml b/bigbluebutton-web/grails-app/conf/spring/resources.xml
@@ -109,6 +109,7 @@ with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
         <property name="defaultClientUrl" value="${defaultClientUrl}"/>
         <property name="defaultGuestWaitURL" value="${defaultGuestWaitURL}"/>
         <property name="html5ClientUrl" value="${html5ClientUrl}"/>
+        <property name="allowRequestsWithoutSession" value="${allowRequestsWithoutSession}"/>
         <property name="moderatorsJoinViaHTML5Client" value="${moderatorsJoinViaHTML5Client}"/>
         <property name="attendeesJoinViaHTML5Client" value="${attendeesJoinViaHTML5Client}"/>
         <property name="defaultMeetingDuration" value="${defaultMeetingDuration}"/>

diff --git a/...ebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy b/...ebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
@@ -1419,10 +1419,15 @@ class ApiController {
     Meeting meeting = null;
     UserSession userSession = null;
 
+    Boolean allowEnterWithoutSession = false;
+    // Depending on configuration, allow ENTER requests to proceed without session
+    if (paramsProcessorUtil.getAllowRequestsWithoutSession()) {
+      allowEnterWithoutSession = paramsProcessorUtil.getAllowRequestsWithoutSession();
+    }
+
     String respMessage = "Session " + sessionToken + " not found."
-    if (!session[sessionToken]) {
-      reject = true;
-    } else if (meetingService.getUserSessionWithAuthToken(sessionToken) == null) {
+
+    if (meetingService.getUserSessionWithAuthToken(sessionToken) == null || (!allowEnterWithoutSession && !session[sessionToken])) {
       reject = true;
       respMessage = "Session " + sessionToken + " not found."
     } else {
@@ -1562,11 +1567,15 @@ class ApiController {
       println("Session token = [" + sessionToken + "]")
     }
 
-    if (!session[sessionToken]) {
-      reject = true;
-    } else if (meetingService.getUserSessionWithAuthToken(sessionToken) == null)
+    Boolean allowStunsWithoutSession = false;
+    // Depending on configuration, allow STUNS requests to proceed without session
+    if (paramsProcessorUtil.getAllowRequestsWithoutSession()) {
+      allowStunsWithoutSession = paramsProcessorUtil.getAllowRequestsWithoutSession();
+    }
+
+    if (meetingService.getUserSessionWithAuthToken(sessionToken) == null || (!allowStunsWithoutSession && !session[sessionToken])) {
       reject = true;
-    else {
+    } else {
       us = meetingService.getUserSessionWithAuthToken(sessionToken);
       meeting = meetingService.getMeeting(us.meetingID);
       if (meeting == null || meeting.isForciblyEnded()) {