Package org.jivesoftware.openfire.auth

Class AuthorizationManager

  • public class AuthorizationManager
extends Object
    Manages the AuthorizationProvider objects. Overall description of the authentication and authorization process: After a client connects, and indicates a desire to use SASL, the SASLAuthentication object decides which SASL mechanisms to advertise, and then performs the authentication. If authentication is successful, the XMPPCallbackHandler is asked to handle() an AuthorizeCallback. The XMPPCallbackHandler asks the AuthorizationManager to authorize the authentication identity whose password was used (the 'principal) to the requested authorization identity (the username that the user wants to act as). The AuthorizationManager manages a list of AuthorizationProvider classes, and tries them one at a time and returns true with the first AuthorizationProvider that authorizes the authentication identity to the authorization identity. If no classes authorize the authentication identity, false is returned, which traces all the way back to give the client an unauthorized message. It's important to note that the message the client receives will give no indication if the authentiation identity authenticated successfully. You will need to check the server logs for that information.
    Author:
    Jay Kline

    • Method Detail

      • getAuthorizationPolicies

        public static Collection<AuthorizationPolicy> getAuthorizationPolicies()
        Returns the currently-installed AuthorizationProvider. Warning: You should not be calling the AuthorizationProvider directly to perform authorizations, it will not take into account the policy selected in the openfire.xml. Use @see{authorize} in this class, instead.
        Returns:
        the current AuthorizationProvider.

      • authorize

        public static boolean authorize​(String authzid,
                                String authcid)
        Authorize the authenticated username (authcid, principal) to the requested username (authzid). This uses the selected AuthenticationProviders.
        Parameters:
        authzid - authorization identity (identity to act as).
        authcid - authentication identity (identity whose password will be used)
        Returns:
        true if the user is authorized to act as the requested authorization identity.

      • map

        public static String map​(String authcid)
        Map the authenticated username (authcid, principal) to the username to act as (authzid). If the authenticated username did not supply a username to act as, determine the default to use.
        Parameters:
        authcid - authentication identity (identity whose password will be used), for which to determine the username to act as (authzid).
        Returns:
        The username to act as (authzid) for the provided authentication identity.