Package org.jivesoftware.openfire.net
Class SASLAuthentication
java.lang.Object
org.jivesoftware.openfire.net.SASLAuthentication
SASLAuthentication is responsible for returning the available SASL mechanisms to use and for
actually performing the SASL authentication.
The list of available SASL mechanisms is determined by:
- The type of UserProvider being used, since some SASL mechanisms require the server to be able to retrieve user passwords.
- Whether anonymous logins are enabled or not.
- Whether shared secret authentication is enabled or not.
- Whether the underlying connection has been secured or not.
Author: Hao Chen, Gaston Dombiak
Nested Class Summary
- static enum SASLAuthentication.Status
- static enum
Field Summary
- static final SystemProperty<List<String>> APPROVED_REALMS
- static final SystemProperty<Boolean> EXTERNAL_S2S_REQUIRE_AUTHZID
  Require the peer to provide an authorization identity through SASL (typically in the Initial Response) when authenticating an inbound S2S connection that uses the EXTERNAL SASL mechanism.
- static final SystemProperty<Boolean> EXTERNAL_S2S_SKIP_SENDING_AUTHZID
  Send an authorization identity in the Initial Response when attempting to authenticate using the SASL EXTERNAL mechanism with a remote XMPP domain.
- static final SystemProperty<Boolean> PROXY_AUTH
- static final SystemProperty<String> REALM
- static final String SASL_LAST_RESPONSE_WAS_PROVIDED_BUT_EMPTY
  Java's SaslServer does not allow for null values.
- static final SystemProperty<Boolean> SKIP_PEER_CERT_REVALIDATION_CLIENT
Constructor Summary
- SASLAuthentication()
Method Summary
- static void addSupportedMechanism(String mechanismName)
  Adds a new SASL mechanism to the list of supported SASL mechanisms by the server.
- getEnabledMechanisms()
  Returns a collection of SASL mechanism names that forms the source pool from which the mechanisms that are eventually being offered to peers are obtained.
- getImplementedMechanisms()
  Returns a collection of mechanism names for which the JVM has an implementation available.
- static org.dom4j.Element getSASLMechanisms(LocalSession session)
  Returns an XML element with the valid SASL mechanisms available for the specified session.
- static org.dom4j.Element getSASLMechanismsElement(ClientSession session)
- static org.dom4j.Element getSASLMechanismsElement
- getSupportedMechanisms()
  Returns the list of supported SASL mechanisms by the server.
- static SASLAuthentication.Status handle(LocalSession session, org.dom4j.Element doc)
  Handles the SASL authentication packet.
- static void removeSupportedMechanism(String mechanismName)
  Removes a SASL mechanism from the list of supported SASL mechanisms by the server.
- static void setEnabledMechanisms(List<String> mechanisms)
  Sets the collection of mechanism names that the system administrator allows to be used.
- static boolean verifyCertificate(X509Certificate trustedCert, String hostname)
- static boolean verifyCertificates(Certificate[] chain, String hostname, boolean isS2S)
Field Details
- REALM
- APPROVED_REALMS
- PROXY_AUTH
- SKIP_PEER_CERT_REVALIDATION_CLIENT
- EXTERNAL_S2S_REQUIRE_AUTHZID
  Require the peer to provide an authorization identity through SASL (typically in the Initial Response) when authenticating an inbound S2S connection that uses the EXTERNAL SASL mechanism. This is not required by the XMPP protocol specification, but it was required by Openfire versions prior to release 4.8.0. This configuration option is added to allow for backwards compatibility.
- EXTERNAL_S2S_SKIP_SENDING_AUTHZID
  Send an authorization identity in the Initial Response when attempting to authenticate using the SASL EXTERNAL mechanism with a remote XMPP domain. Sending the authzid in this manner is not required by the XMPP protocol specification, but is recommended in XEP-0178 for compatibility with older server implementations.
- SASL_LAST_RESPONSE_WAS_PROVIDED_BUT_EMPTY
  Java's SaslServer does not allow for null values. This makes it hard to distinguish between an empty (initial) response (represented in XMPP as a single equals sign character '=', as per RFC 6120 section 6.4.2) and a missing/absent response. This can be problematic when a SASL mechanism implementation is to act differently in each scenario (like the EXTERNAL mechanism, which is to challenge for an authzid when no initial response is provided, but which is to use the stream's 'from' attribute value when the initial response is empty). To work around this shortcoming in Java's SASL implementation, this class adds a session attribute, using a key that has the name of this constant's value, when it detects a SASL response that is present but empty.
Constructor Details
- SASLAuthentication
  public SASLAuthentication()
Method Details
- getSASLMechanisms
  static org.dom4j.Element getSASLMechanisms(LocalSession session)
  Returns an XML element with the valid SASL mechanisms available for the specified session. If the session's connection is not secured, then only the SASL mechanisms that don't require TLS are included.
  Parameters:
  session - The current session
  Returns:
  The valid SASL mechanisms available for the specified session.
- getSASLMechanismsElement
  static org.dom4j.Element getSASLMechanismsElement(ClientSession session)
- getSASLMechanismsElement
  static org.dom4j.Element getSASLMechanismsElement
- handle
  static SASLAuthentication.Status handle(LocalSession session, org.dom4j.Element doc)
  Handles the SASL authentication packet. The entity may be sending an initial authentication request or a response to a challenge made by the server. The returned value indicates whether the authentication has finished (successfully or not) or whether the entity is expected to send a response to a challenge.
  Parameters:
  session - the session that is authenticating with the server.
  doc - the stanza sent by the authenticating entity.
  Returns:
  value that indicates whether the authentication has finished (successfully or not) or whether the entity is expected to send a response to a challenge.
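The empty-versus-absent distinction that the SASL_LAST_RESPONSE_WAS_PROVIDED_BUT_EMPTY field describes, and the EXTERNAL-mechanism decision that handle has to make on it, as an added illustration that is not Openfire's own code. The session is modelled here as a plain attribute map, and the class and method names (SaslResponseDecoder, decode, externalAuthzid) are assumptions made for the example; the three inputs in main are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Distinguishes the three states of a SASL <auth/> or <response/> payload
 * (RFC 6120 section 6.4.2): absent, empty ("="), or base64 data.
 * Constructed example; the session is a plain attribute map (assumption),
 * not Openfire's LocalSession.
 */
public final class SaslResponseDecoder {

    /** Same key the page's constant is used for: marks a response that was present but empty. */
    public static final String SASL_LAST_RESPONSE_WAS_PROVIDED_BUT_EMPTY =
        "SASL_LAST_RESPONSE_WAS_PROVIDED_BUT_EMPTY";

    /**
     * Decodes the text content of a SASL element.
     * @param elementText text of the element, or null when it carried no text
     * @param session     attribute map standing in for the session (assumption)
     * @return empty Optional when no response was provided at all; otherwise the
     *         decoded bytes (zero-length for "="). The session flag records the
     *         "=" case, because a zero-length array alone cannot be told apart
     *         from "no response" once it reaches a SaslServer that rejects null.
     */
    public static Optional<byte[]> decode(String elementText, Map<String, Object> session) {
        session.remove(SASL_LAST_RESPONSE_WAS_PROVIDED_BUT_EMPTY);
        if (elementText == null || elementText.isBlank()) {
            return Optional.empty();           // no initial response
        }
        String text = elementText.trim();
        if ("=".equals(text)) {
            session.put(SASL_LAST_RESPONSE_WAS_PROVIDED_BUT_EMPTY, Boolean.TRUE);
            return Optional.of(new byte[0]);   // present but empty
        }
        try {
            return Optional.of(Base64.getDecoder().decode(text));
        } catch (IllegalArgumentException e) {
            // Malformed base64; RFC 6120 section 6.5 names <incorrect-encoding/> for this case.
            throw new IllegalArgumentException("incorrect-encoding", e);
        }
    }

    /**
     * The EXTERNAL rule stated on the page: challenge for an authzid when no
     * response was given, fall back to the stream 'from' attribute when the
     * response is empty, otherwise take the decoded response as the authzid.
     * An empty Optional means "send a challenge".
     */
    public static Optional<String> externalAuthzid(Optional<byte[]> response,
                                                   Map<String, Object> session,
                                                   String streamFrom) {
        if (response.isEmpty()) {
            return Optional.empty();
        }
        boolean flaggedEmpty = Boolean.TRUE.equals(
            session.get(SASL_LAST_RESPONSE_WAS_PROVIDED_BUT_EMPTY));
        if (response.get().length == 0 && flaggedEmpty) {
            return Optional.ofNullable(streamFrom);
        }
        return Optional.of(new String(response.get(), StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String from = "example.org";   // constructed stream 'from' value

        // 1. <auth mechanism='EXTERNAL'/> with no text: the server must challenge.
        Optional<byte[]> absent = decode(null, session);
        System.out.println("absent -> " + externalAuthzid(absent, session, from));

        // 2. <auth mechanism='EXTERNAL'>=</auth>: use the stream 'from' attribute.
        Optional<byte[]> empty = decode("=", session);
        System.out.println("'='    -> " + externalAuthzid(empty, session, from));

        // 3. base64 of an explicit authzid.
        String b64 = Base64.getEncoder()
            .encodeToString("example.org".getBytes(StandardCharsets.UTF_8));
        Optional<byte[]> explicit = decode(b64, session);
        System.out.println("base64 -> " + externalAuthzid(explicit, session, from));
    }
}
```

The flag is cleared at the start of every decode so that a stale marker from an earlier round of the same exchange cannot turn a later, genuinely absent response into a "use the stream 'from'" decision.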
- verifyCertificate
  static boolean verifyCertificate(X509Certificate trustedCert, String hostname)
- verifyCertificates
  static boolean verifyCertificates(Certificate[] chain, String hostname, boolean isS2S)
- addSupportedMechanism
  static void addSupportedMechanism(String mechanismName)
  Adds a new SASL mechanism to the list of supported SASL mechanisms by the server. The new mechanism will be offered to clients and connection managers as stream features. Note: this method simply registers the SASL mechanism to be advertised as a supported mechanism by Openfire. Actual SASL handling is done by Java itself, so you must add the provider to Java.
  Parameters:
  mechanismName - the name of the new SASL mechanism (cannot be null or an empty String).
- removeSupportedMechanism
  static void removeSupportedMechanism(String mechanismName)
  Removes a SASL mechanism from the list of supported SASL mechanisms by the server.
  Parameters:
  mechanismName - the name of the SASL mechanism to remove (cannot be null or empty, not case sensitive).
- getSupportedMechanisms
  Returns the list of supported SASL mechanisms by the server. Note that Java may have support for more mechanisms, but some of them may not be returned since a special setup is required that might be missing. Use addSupportedMechanism(String) to add new SASL mechanisms.
  Returns:
  the list of supported SASL mechanisms by the server.
- getImplementedMechanisms
  Returns a collection of mechanism names for which the JVM has an implementation available. Note that this need not (and likely will not) correspond with the list of mechanisms that is offered to XMPP peer entities, which is provided by getSupportedMechanisms().
  Returns:
  a collection of SASL mechanism names (never null, possibly empty)
- getEnabledMechanisms
  Returns a collection of SASL mechanism names that forms the source pool from which the mechanisms that are eventually offered to peers are obtained. When a mechanism is not returned by this method, it will never be offered; when a mechanism is returned by this method, there is no guarantee that it will be offered. Apart from being returned by this method, an implementation must be available (see getImplementedMechanisms()), and configuration or other characteristics of this server must not prevent a particular mechanism from being used (see getSupportedMechanisms()).
  Returns:
  A collection of mechanisms that are considered for use in this instance of Openfire.
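How the pools described in the class description and in getEnabledMechanisms narrow down to what one connection is actually offered (enabled by the administrator, implemented by the JVM, not blocked by server configuration, and finally gated on TLS per getSASLMechanisms), as an added worked example that is not Openfire's code. The two policy tables, the ServerState record and its field names are assumptions made for this example; the server state in main is constructed. The example models three of the four rules from the class description and leaves shared secret authentication out.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Constructed walk-through of the narrowing described on this page:
 * enabled (administrator) -> implemented (JVM) -> supported (server config)
 * -> offered (per connection). Policy tables and record fields are assumptions
 * for this example, not Openfire configuration.
 */
public final class MechanismOffer {

    // Example policy: mechanisms that need the server to read back the stored password.
    static final Set<String> NEED_PASSWORD_LOOKUP = Set.of("CRAM-MD5", "DIGEST-MD5");

    // Example policy: mechanisms that must not be offered on an unencrypted stream
    // (PLAIN carries the password in the clear; EXTERNAL relies on the TLS client certificate).
    static final Set<String> REQUIRE_TLS = Set.of("PLAIN", "EXTERNAL");

    /** Server-wide inputs to the decision (assumed names). */
    record ServerState(List<String> enabled,          // what setEnabledMechanisms() recorded
                       Set<String> implemented,        // what getImplementedMechanisms() reports
                       boolean passwordsRetrievable,   // can the UserProvider return passwords?
                       boolean anonymousEnabled) {}

    /** Role of getSupportedMechanisms(): enabled, implemented, and not blocked by configuration. */
    static Set<String> supported(ServerState s) {
        Set<String> out = new LinkedHashSet<>();
        for (String raw : s.enabled()) {
            String m = raw.toUpperCase(Locale.ROOT);            // names are not case sensitive
            if (!s.implemented().contains(m)) continue;         // no JVM implementation
            if (NEED_PASSWORD_LOOKUP.contains(m) && !s.passwordsRetrievable()) continue;
            if (m.equals("ANONYMOUS") && !s.anonymousEnabled()) continue;
            out.add(m);
        }
        return out;
    }

    /** Role of getSASLMechanisms(session): drop TLS-only mechanisms on an insecure stream. */
    static Set<String> offered(ServerState s, boolean connectionSecured) {
        Set<String> out = new LinkedHashSet<>(supported(s));
        if (!connectionSecured) {
            out.removeAll(REQUIRE_TLS);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed state: GSSAPI is enabled but the JVM has no implementation,
        // the UserProvider cannot read passwords back, anonymous logins are off.
        ServerState state = new ServerState(
            List.of("scram-sha-1", "PLAIN", "DIGEST-MD5", "ANONYMOUS", "EXTERNAL", "GSSAPI"),
            Set.of("SCRAM-SHA-1", "PLAIN", "DIGEST-MD5", "ANONYMOUS", "EXTERNAL"),
            false,
            false);

        System.out.println("supported          : " + supported(state));
        System.out.println("offered before TLS : " + offered(state, false));
        System.out.println("offered after TLS  : " + offered(state, true));
    }
}
```

Running main shows the two-stage effect: DIGEST-MD5, ANONYMOUS and GSSAPI never reach the supported set, and PLAIN and EXTERNAL only appear in the features advertised after the stream has been secured.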
- setEnabledMechanisms
  static void setEnabledMechanisms(List<String> mechanisms)
  Sets the collection of mechanism names that the system administrator allows to be used.
  Parameters:
  mechanisms - A collection of mechanisms that are considered for use in this instance of Openfire. Null to reset the default setting.
  See Also: