Class SASLAuthentication


  • public class SASLAuthentication
    extends Object
    SASLAuthentication is responsible for returning the available SASL mechanisms to use and for actually performing the SASL authentication.

    The list of available SASL mechanisms is determined by:

    1. The type of UserProvider being used, since some SASL mechanisms require the server to be able to retrieve user passwords.
    2. Whether anonymous logins are enabled or not.
    3. Whether shared secret authentication is enabled or not.
    4. Whether the underlying connection has been secured or not.
    Author:
    Hao Chen, Gaston Dombiak
    • Field Detail

      • SKIP_PEER_CERT_REVALIDATION_CLIENT

        public static final SystemProperty<Boolean> SKIP_PEER_CERT_REVALIDATION_CLIENT
      • EXTERNAL_S2S_REQUIRE_AUTHZID

        public static final SystemProperty<Boolean> EXTERNAL_S2S_REQUIRE_AUTHZID
        Require the peer to provide an authorization identity through SASL (typically in the Initial Response) when authenticating an inbound S2S connection that uses the EXTERNAL SASL mechanism. This is not required by the XMPP protocol specification, but it was required by Openfire versions prior to release 4.8.0. This configuration option is added to allow for backwards compatibility.
      • EXTERNAL_S2S_SKIP_SENDING_AUTHZID

        public static final SystemProperty<Boolean> EXTERNAL_S2S_SKIP_SENDING_AUTHZID
        Send an authorization identity in the Initial Response when attempting to authenticate using the SASL EXTERNAL mechanism with a remote XMPP domain. Sending the authzid in this manner is not required by the XMPP protocol specification, but is recommended in XEP-0178 for compatibility with older server implementations.
        See Also:
        XEP-0178: Best Practices for Use of SASL EXTERNAL with Certificates
      • SASL_LAST_RESPONSE_WAS_PROVIDED_BUT_EMPTY

        public static final String SASL_LAST_RESPONSE_WAS_PROVIDED_BUT_EMPTY
        Java's SaslServer does not allow for null values. This makes it hard to distinguish between an empty (initial) response (represented in XMPP as a single equals sign character '=', as per RFC 6120 section 6.4.2) and a missing/absent response. This can be problematic when a SASL mechanism implementation is to act differently in each scenario (like the EXTERNAL mechanism, which is to challenge for an authzid when no initial response is provided, but which is to use the stream's 'from' attribute value when the initial response is empty). To work around this shortcoming in Java's SASL implementation, this class adds a session attribute, using a key that has the name of this constant's value, when it detects a SASL response that is present but empty.
        See Also:
        OF-2514: Differentiate between missing and empty initial SASL response
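An added example (not Openfire's own code) of the present-but-empty versus absent split this constant exists for: the helper below hands SaslServer the non-null byte[] it requires while recording the '=' case in a session-attribute map. The attribute key, the map standing in for session attributes, and the EXTERNAL-style decision helper are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

/** Hypothetical helper mirroring the work-around described above; not Openfire's code. */
public final class SaslResponseDecoder {

    /** Assumed session-attribute key; Openfire uses the constant documented above instead. */
    public static final String LAST_RESPONSE_EMPTY_KEY = "example.sasl.lastResponseEmpty";

    /**
     * Turns the text of an <auth/> or <response/> element into the non-null byte[] that
     * javax.security.sasl.SaslServer#evaluateResponse requires, and records in the session
     * attributes whether the peer sent an explicitly empty response ("=").
     *
     * @param text       element text, or null when the element carried no text at all
     * @param attributes mutable session attributes (stands in for LocalSession attributes)
     */
    public static byte[] toSaslResponse(String text, Map<String, Object> attributes) {
        attributes.remove(LAST_RESPONSE_EMPTY_KEY);        // never let a stale flag leak into the next step
        if (text == null || text.isBlank()) {
            return new byte[0];                             // absent: no initial response at all
        }
        String trimmed = text.trim();
        if (trimmed.equals("=")) {
            attributes.put(LAST_RESPONSE_EMPTY_KEY, Boolean.TRUE); // present but empty, RFC 6120 section 6.4.2
            return new byte[0];
        }
        return Base64.getDecoder().decode(trimmed);        // throws IllegalArgumentException on bad base64
    }

    /** What an EXTERNAL-style mechanism would do with the two cases that look identical to SaslServer. */
    public static String chooseAuthzidSource(byte[] response, Map<String, Object> attributes, String streamFrom) {
        if (response.length > 0) {
            return new String(response, StandardCharsets.UTF_8); // authzid carried in the response itself
        }
        if (Boolean.TRUE.equals(attributes.get(LAST_RESPONSE_EMPTY_KEY))) {
            return streamFrom;                              // "=": fall back to the stream's 'from' attribute
        }
        return null;                                        // absent: caller must challenge for an authzid
    }
}
```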
    • Constructor Detail

      • SASLAuthentication

        public SASLAuthentication()
    • Method Detail

      • getSASLMechanisms

        public static org.dom4j.Element getSASLMechanisms(LocalSession session)
        Returns an XML element with the valid SASL mechanisms available for the specified session. If the session's connection is not secured, only the SASL mechanisms that don't require TLS are included.
        Parameters:
        session - The current session
        Returns:
        The valid SASL mechanisms available for the specified session.
      • getSASLMechanismsElement

        public static org.dom4j.Element getSASLMechanismsElement(ClientSession session)
      • handle

        public static SASLAuthentication.Status handle(LocalSession session,
                                                       org.dom4j.Element doc)
        Handles the SASL authentication packet. The entity may be sending an initial authentication request or a response to a challenge made by the server. The returned value indicates whether the authentication has finished (successfully or not) or whether the entity is expected to send a response to a challenge.
        Parameters:
        session - the session that is authenticating with the server.
        doc - the stanza sent by the authenticating entity.
        Returns:
        value that indicates whether the authentication has finished (successfully or not) or whether the entity is expected to send a response to a challenge.
      • verifyCertificate

        public static boolean verifyCertificate(X509Certificate trustedCert,
                                                String hostname)
      • verifyCertificates

        public static boolean verifyCertificates(Certificate[] chain,
                                                 String hostname,
                                                 boolean isS2S)
      • addSupportedMechanism

        public static void addSupportedMechanism(String mechanismName)
        Adds a new SASL mechanism to the list of supported SASL mechanisms by the server. The new mechanism will be offered to clients and connection managers as stream features.

        Note: this method simply registers the SASL mechanism to be advertised as a supported mechanism by Openfire. Actual SASL handling is done by Java itself, so you must also register a provider for the mechanism with the Java SASL framework.

        Parameters:
        mechanismName - the name of the new SASL mechanism (cannot be null or an empty String).
      • removeSupportedMechanism

        public static void removeSupportedMechanism(String mechanismName)
        Removes a SASL mechanism from the list of supported SASL mechanisms by the server.
        Parameters:
        mechanismName - the name of the SASL mechanism to remove (cannot be null or empty, not case sensitive).
      • getSupportedMechanisms

        public static Set<String> getSupportedMechanisms()
        Returns the list of SASL mechanisms supported by the server. Note that Java may have support for more mechanisms, but some of them are not returned because they require a special setup that might be missing. Use addSupportedMechanism(String) to add new SASL mechanisms.
        Returns:
        the list of supported SASL mechanisms by the server.
      • getImplementedMechanisms

        public static Set<String> getImplementedMechanisms()
        Returns a collection of mechanism names for which the JVM has an implementation available.

        Note that this need not (and likely will not) correspond with the list of mechanisms that is offered to XMPP peer entities, which is provided by getSupportedMechanisms().

        Returns:
        a collection of SASL mechanism names (never null, possibly empty)
      • getEnabledMechanisms

        public static List<String> getEnabledMechanisms()
        Returns a collection of SASL mechanism names that form the source pool from which the mechanisms that are eventually offered to peers are obtained. When a mechanism is not returned by this method, it will never be offered; when a mechanism is returned by this method, there is no guarantee that it will be offered. Apart from being returned by this method, an implementation must be available (see getImplementedMechanisms()), and configuration or other characteristics of this server must not prevent a particular mechanism from being used (see getSupportedMechanisms()).
        Returns:
        A collection of mechanisms that are considered for use in this instance of Openfire.
      • setEnabledMechanisms

        public static void setEnabledMechanisms(List<String> mechanisms)
        Sets the collection of mechanism names that the system administrator allows to be used.
        Parameters:
        mechanisms - A collection of mechanisms that are considered for use in this instance of Openfire. Null to reset the default setting.
        See Also:
        getEnabledMechanisms()
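An added example, not Openfire's code, of how the four determinants listed at the top of the page and the three mechanism getters (getEnabledMechanisms(), getImplementedMechanisms(), getSupportedMechanisms()) fit together: enabled names are narrowed to those the JVM implements (via Sasl.getSaslServerFactories()), then to those configuration permits, then per session by whether the connection is secured. The per-mechanism policy (which mechanisms need password retrieval, anonymous logins, a shared secret or TLS) and the JIVE-SHAREDSECRET name are assumptions, not Openfire's exact rules.

```java
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslServerFactory;
import java.util.*;

/** Hypothetical offering pipeline (not Openfire's code): enabled -> implemented -> supported -> per-session. */
public final class MechanismOffering {

    /** Server characteristics from the four determinants above; values are constructed per call. */
    public record ServerState(boolean providerCanRetrievePasswords, boolean anonymousLoginEnabled,
                              boolean sharedSecretEnabled) {}

    /** Mechanisms for which the JVM has a SaslServerFactory (the getImplementedMechanisms() idea). */
    public static Set<String> implemented() {
        Set<String> names = new TreeSet<>();
        Enumeration<SaslServerFactory> factories = Sasl.getSaslServerFactories();
        while (factories.hasMoreElements()) {
            names.addAll(Arrays.asList(factories.nextElement().getMechanismNames(null)));
        }
        return names;
    }

    /** Assumed policy: DIGEST-MD5/CRAM-MD5 need the stored password, ANONYMOUS needs anonymous logins. */
    static boolean permittedByConfig(String mech, ServerState s) {
        switch (mech) {
            case "DIGEST-MD5": case "CRAM-MD5": return s.providerCanRetrievePasswords();
            case "ANONYMOUS":                    return s.anonymousLoginEnabled();
            case "JIVE-SHAREDSECRET":            return s.sharedSecretEnabled(); // assumed mechanism name
            default:                             return true;
        }
    }

    /** getSupportedMechanisms() analogue: enabled AND implemented AND not blocked by configuration. */
    public static List<String> supported(List<String> enabled, Set<String> implemented, ServerState s) {
        List<String> out = new ArrayList<>();
        for (String m : enabled) {
            if (implemented.contains(m) && permittedByConfig(m, s)) out.add(m);
        }
        return out;
    }

    /** getSASLMechanisms(session) analogue; assumes EXTERNAL is only offered over a secured connection. */
    public static List<String> offeredTo(List<String> supported, boolean connectionSecured) {
        List<String> out = new ArrayList<>(supported);
        if (!connectionSecured) out.remove("EXTERNAL");
        return out;
    }
}
```

Because each stage only narrows the previous one, a mechanism that is absent from the enabled list can never reappear downstream, which is the guarantee getEnabledMechanisms() describes.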