Token in Webservice
Posted: Mon Jun 15, 2015 11:01 am
by OKMGuy
Hello OKM-Team!
I'm having a really strange problem!
When I execute the following code (I'm using the SDK for .NET, but I get the same results using the "...services/OKMAuth?wsdl" as ServiceReference directly):
Code:
OKMAuth Auth = new OKMAuth("http://localhost:8080/OpenKM");
string[] roles = Auth.getUsers("*here is a valid Token*");
I get, as expected, all users.
Now the strange part is, when I execute the code without a token, I STILL get all the users!?
How is this even possible?
Code:
OKMAuth Auth = new OKMAuth("http://localhost:8080/OpenKM");
string[] roles = Auth.getUsers("asdfjklö");
This code returns all the users, even though the token is complete nonsense?!
Re: Token in Webservice
Posted: Tue Jun 16, 2015 2:44 pm
by jllort
What is your OpenKM version?
Re: Token in Webservice
Posted: Wed Jun 17, 2015 2:49 pm
by OKMGuy
We are using
OpenKM 6.3.1 Build 8185
Re: Token in Webservice
Posted: Thu Jun 18, 2015 2:50 pm
by jllort
Can you please share minimal code (only to reproduce the error) and I will check it.
In your case you should use something like:
Code:
OKMWebservice webservice = OKMWebServiceFactory.getInstance("http://192.168.1.34:8180/OpenKM", "okmAdmin", "admin", OKMWebServiceFactory.WS_1_0);
webservice.getUsers("/okm:root");
// or webservice.getUsers("token here", "/okm:root");
Re: Token in Webservice
Posted: Fri Jun 19, 2015 11:14 am
by OKMGuy
I'm using C# with the .NET SDK for OpenKM
Code:
using com.openkm.ws;

public class Program
{
    public static void Main()
    {
        OKMWebservice webservice = OKMWebServiceFactory.getInstance(
            "http://localhost:8080/OpenKM", "okmAdmin", "xxxx", OKMWebServiceFactory.COMMUNITY_6_0);
        string[] users = webservice.getUsers("nonsense", "/okm:root");
    }
}
Even without a valid token (I used "nonsense" as token) I get all users!
But I want no results without a valid token, since that's what a token is for... isn't it?
Re: Token in Webservice
Posted: Tue Jun 23, 2015 9:51 am
by jllort
You should use OKMWebServiceFactory.WS_1_0, not OKMWebServiceFactory.COMMUNITY_6_0.
Anyway, I think there's a bug in the Auth module that is not taking the token into consideration.
Re: Token in Webservice
Posted: Wed Jun 24, 2015 6:54 am
by OKMGuy
Thank you for looking into this!
When can we expect this bug to be fixed?
And do you think this is a security issue for our OpenKM System?
Re: Token in Webservice
Posted: Fri Jun 26, 2015 7:02 am
by jllort
The bug only affects a few methods: getRoles, getUsers, getUsersByRole, getRolesByUser, getMail, getName, and all are read-only. I think this information cannot be used to exploit the system.
Re: Token in Webservice
Posted: Sun Jun 28, 2015 8:48 am
by pavila
It's fixed in last night's build. Please try and verify.
Re: Token in Webservice
Posted: Mon Jul 06, 2015 7:58 am
by OKMGuy
Sorry for the late reply!
Does this fix also apply to the Community Edition or only Professional?
Where can I find the nightly builds to download?
Re: Token in Webservice
Posted: Mon Jul 06, 2015 8:33 am
by pavila
It's fixed in Community and Professional.
You can download last night's build from
http://integration.openkm.com/6.3/
Regards.
Re: Token in Webservice
Posted: Mon Jul 27, 2015 11:47 am
by OKMGuy
I tested the methods getRoles, getUsers, getUsersByRole, getRolesByUser, getMail, getName. They all now need a valid token to work; you can no longer access any information without a valid token.
Thank you for fixing this so fast!
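
Added example, not part of the thread and not OpenKM or SDK code: a regression check for the behaviour verified in the last post, run against an in-memory stand-in service. The operation names come from the thread; `StubAuthService`, `AccessDenied`, `audit`, `call`, `login` and the sample replies are hypothetical names and constructed data.

```python
import secrets

# Operation names taken from the thread; replies are constructed sample data.
REPLIES = {
    "getRoles": ["ROLE_ADMIN", "ROLE_USER"],
    "getUsers": ["okmAdmin", "alice"],
    "getUsersByRole": ["okmAdmin"],
    "getRolesByUser": ["ROLE_ADMIN"],
    "getMail": "admin@example.test",
    "getName": "Administrator",
}


class AccessDenied(Exception):
    pass


class StubAuthService:
    """In-memory stand-in for a token-protected service (hypothetical, not OpenKM)."""

    def __init__(self, unchecked=()):
        self.unchecked = set(unchecked)  # operations that skip the token check
        self.sessions = set()

    def login(self):
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def call(self, operation, token):
        if operation not in self.unchecked and token not in self.sessions:
            raise AccessDenied(operation)
        return REPLIES[operation]


def audit(service, bad_token="nonsense"):
    """Return (leaking, broken): operations that answer a bogus token,
    and operations that reject a freshly issued valid one."""
    good = service.login()
    leaking, broken = [], []
    for op in REPLIES:
        try:
            service.call(op, bad_token)
            leaking.append(op)      # data came back without a valid session
        except AccessDenied:
            pass
        try:
            service.call(op, good)  # positive control: the fix must not break valid use
        except AccessDenied:
            broken.append(op)
    return leaking, broken
```

The positive control matters: a build that rejects every call would also report no leaks, so the check passes only when `leaking` and `broken` are both empty.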