XML Post not working on 5.01

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2013-06-15 18:16, Kevin Cernekee wrote:
> On Thu, Jun 13, 2013 at 12:14 PM, Joel Johnson <mrjoel at lixil.net> 
> wrote:
> For the XML POST processing, it looks like it's not properly (fully?)
> processing the --authgroup parameter to use the selected group (as long 
> as
> it's returned in the list as being available). Instead of blindly using 
> the
> tunnel-group and group-alias offered initially, it should use what is
> specified. I'm not familiar with the details and differences between 
> the
> <group-select> and <tunnel-group>, but this looks quite suspicious.
> 
> <tunnel-group> and <group-alias> are in the <opaque> section.  I'm not
> sure it's such a good idea for the client to change anything in there.
> The Cisco client seems to leave it alone.
> 
> What I see when I feed your server responses to the official
> AnyConnect client is that when the user selects e.g. GROUPC_VPN from
> the dropdown, the Cisco client sends a "change group" message to the
> server:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init">
> <version who="vpn">3.1.00495</version>
> <device-id>linux</device-id>
> <group-select>GROUPC_VPN</group-select>
> </config-auth>
> 
> Then it redraws the login dialog when it gets the response back.  The
> new server response tells the client which group to show as selected.
> 
> I couldn't deduce your server's hostname so I can't tell for sure, but
> my guess is that your server rewrites the <opaque> contents based on
> the newly selected group.  It might also be configurable to send a
> completely different set of form fields for different group
> selections.
> 
> So maybe the <group-select> option only tells the server "send me a
> new form with GROUPC_VPN selected," and if you submit your credentials
> immediately, it takes the group ID from the <opaque> section instead
> of the <group-select> value.  Does this jibe with the behavior you saw
> (i.e. would you see "Login failed" if you tried to log on to
> GROUPA_VPN)?
> 
> One thing that (lib)openconnect could do to work around this is to
> prompt the user for just the group first, then after he hits submit,
> prompt for the remaining form fields (skipping the group dropdown).
> Are you willing to be the guinea pig?

Sure, I'm more than happy to help work the issue. For completeness, yes, 
I would have seen an authentication error connecting to the initial 
server response.

I've been able to confirm what you surmised, that when sending the 
change group message (I'm using using direct connections to get the raw 
responses, not through any client) the new response from the server does 
indeed reflect the modified value in the opaque element. Additionally, 
using GroupC highlights one thing I mentioned in my original email, that 
the friendly name wasn't displayed. With the new response, the 
tunnel-group is the friendly name, and the group-alias is the name 
returned in the options list and used for the group-select. That is a 
bit backwards from what I would expect, using what is called the alias 
as the selection key, but so be it.

One item I found odd in testing to make note of, is that if an invalid 
group-select is specified, no error is indicated, the server response 
just falls back to the default group as being indicated in the opaque 
section.

Sounds like checking the initial response, comparing it to the 
--authgroup value provided (read the opaque section?), and sending a 
group-select if the group-alias doesn't match (and iff the requested 
group is a valid option in the list), and then send the credentials. It 
sounds like what you're proposing, as long as the user isn't prompted 
when --authgroup is specified originally as a command argument (I just 
had to test running it without the argument to see that it does in fact 
prompt currently).

Joel



[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux