Secure Offmeet Web

Hi all, I have installed and configured Openfire 4.0.2 with Openfire meetings plugin version 0.3.15 and i also integrated it with AD, after creating focus user in AD etc…

Everything is working fine and I wanted to thank you all that had contributed on making this great piece of software possible.

That said I found some issues that I would like to solve. But i will need some help from you.

Issues are:

1.- I want to avoid anonymous users to be able to create meeting rooms.

( Maybe this is already implemented since seems like an old issue )

2.- When i get prompted about user/password on ofmeet web interface if i give openfire admin user but a wrong password then i am granted access to the site. (this seems to me like a great security issue)

But I can’t find how to do that could you please lend me a hand on this?

Thanks in advance.

Q1 Change the room creation permissions in OF using admin web page


Q2 Are you sure that you are not reusing the cached credentials. Close the browser session completely including the icon on the system tray and try a new login.

Hi Dele, thanks for your kind and fast answer.

First issue (Q1) is now solved thanks for the tip.

And about (Q2) You must be right since I tested in a different PC to login, one that I’ve never used before and It worked as expected.

So thanks a lot.

Problem solved

I whould like to ask just one more thing if you dont mind

Are you aware of any development for a firefox ofmeet plugin? If so could you give me the link?

If there is no plugin… could it be easy to implement one using crhome plugin?

I would love to help developing one plugin for Firefox since its my default web browser and most people in the world too

Hi Dele, after some more testing I found this…

When login in a new PC the behavior is fine as i told you before.

But when login in a PC where the admin has already been loged previously (even if I close the session and close the systray icon) a person can get access to the website only knowing the username since once i get asked for user password puting there the admin user and a wrong password im allowed access to the webpage and even to create any room i want (since this user has room creation privileges).

Maybe It’s something I’m doing wrong? or is it a bug?


I have done some some tests and reproduced your described behaviour. From what I have read so far, the last successful credentials are cached and reused by the chrome web browser ignoring whatever you put in the password field. Restarting chrome does not make a difference.

I am still trying to find out how to reset the cache.

Hi Dele. Thanks for taking time to test it. Seems to me like a big security issue dont know why chrome keeps caching user credentials if I havent been asked to save them.

Firefox is far more secure browser could you give me some info on a plugin for Firefox? Is there any plugin out there I can use? or any development started that I can help with?

I found it!!!

It was a bug in my code. Expect a fix in version 0.3.20. Thanks so much for discovering this security hole.

Nice!! Thanks for taking time to fix it. Glad to help, actually I whould love to contribute much more