Package org.jivesoftware.openfire.auth

Class JDBCAuthProvider

java.lang.Object

org.jivesoftware.openfire.auth.JDBCAuthProvider

All Implemented Interfaces:

AuthProvider, PropertyEventListener

public class JDBCAuthProvider
extends Object
implements AuthProvider, PropertyEventListener

The JDBC auth provider allows you to authenticate users against any database that you can connect to with JDBC. It can be used along with the hybrid auth provider, so that you can also have XMPP-only users that won't pollute your external data.

To enable this provider, set the following in the system properties:

• provider.auth.className = org.jivesoftware.openfire.auth.JDBCAuthProvider

You'll also need to set your JDBC driver, connection string, and SQL statements:

• jdbcProvider.driver = com.mysql.jdbc.Driver
• jdbcProvider.connectionString = jdbc:mysql://localhost/dbname?user=username&password=secret
• jdbcAuthProvider.passwordSQL = SELECT password FROM user_account WHERE username=?
• jdbcAuthProvider.passwordType = plain
• jdbcAuthProvider.allowUpdate = true
• jdbcAuthProvider.setPasswordSQL = UPDATE user_account SET password=? WHERE username=?
• jdbcAuthProvider.bcrypt.cost = 12

jdbcAuthProvider.passwordType can accept a comma separated string of password types. This can be useful in situations where legacy (ex/md5) password hashes were stored and then "upgraded" to a stronger hash algorithm. Hashes are executed left to right.

Example Setting: "md5,sha1"
Usage: password ->
(md5) 286755fad04869ca523320acce0dc6a4 ->
(sha1) 0524b1fc84d315b08db890413e65260040b08caa ->

Bcrypt is supported as a passwordType; however, when chaining password types it MUST be the last type given. (bcrypt hashes are different every time they are generated)

Optional bcrypt configuration:

• jdbcAuthProvider.bcrypt.cost: The BCrypt cost. Default: BCrypt.GENSALT_DEFAULT_LOG2_ROUNDS (currently: 10)

In order to use the configured JDBC connection provider do not use a JDBC connection string, set the following property

• jdbcAuthProvider.useConnectionProvider = true

The passwordType setting tells Openfire how the password is stored. Setting the value is optional (when not set, it defaults to "plain"). The valid values are:

• plain
• md5
• sha1
• sha256
• sha512
• bcrypt
• nt

Author:

David Snopek

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	JDBCAuthProvider.PasswordType	Indicates how the password is stored.

Constructor Summary

Constructors

Constructor	Description
JDBCAuthProvider()	Constructs a new JDBC authentication provider.

Method Summary

Modifier and Type	Method	Description
void	authenticate(String username, String password)	Returns if the username and password are valid; otherwise this method throws an UnauthorizedException.
protected boolean	comparePasswords(String plainText, String hashed)
protected void	createUser(String username)	Checks to see if the user exists; if not, a new user is created.
int	getIterations(String username)
String	getPassword(String username)	Returns the user's password.
String	getSalt(String username)
String	getServerKey(String username)
String	getStoredKey(String username)
protected String	hashPassword(String password, JDBCAuthProvider.PasswordType type)
boolean	isScramSupported()
void	propertyDeleted(String property, Map<String,Object> params)	A property was deleted.
void	propertySet(String property, Map<String,Object> params)	Support a subset of JDBCAuthProvider properties when updated via REST, web GUI, or other sources.
void	setPassword(String username, String password)	Sets the users's password.
boolean	supportsPasswordRetrieval()	Returns true if this UserProvider is able to retrieve user passwords from the backend user store.
void	xmlPropertyDeleted(String property, Map<String,Object> params)	An XML property was deleted.
void	xmlPropertySet(String property, Map<String,Object> params)	An XML property was set.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

JDBCAuthProvider

public JDBCAuthProvider()

Constructs a new JDBC authentication provider.

Method Detail

authenticate

public void authenticate(String username,
                         String password)
                  throws UnauthorizedException

Description copied from interface: AuthProvider

Returns if the username and password are valid; otherwise this method throws an UnauthorizedException.

Specified by:

authenticate in interface AuthProvider

Parameters:

username - the username or full JID.

password - the password

Throws:

UnauthorizedException - if the username and password do not match any existing user.

comparePasswords

protected boolean comparePasswords(String plainText,
                                   String hashed)

hashPassword

protected String hashPassword(String password,
                              JDBCAuthProvider.PasswordType type)

getPassword

public String getPassword(String username)
                   throws UserNotFoundException,
                          UnsupportedOperationException

Description copied from interface: AuthProvider

Returns the user's password. This method should throw an UnsupportedOperationException if this operation is not supported by the backend user store.

Specified by:

getPassword in interface AuthProvider

Parameters:

username - the username of the user.

Returns:

the user's password.

Throws:

UserNotFoundException - if the given user's password could not be loaded.

UnsupportedOperationException - if the provider does not support the operation (this is an optional operation).

setPassword

public void setPassword(String username,
                        String password)
                 throws UserNotFoundException,
                        UnsupportedOperationException

Description copied from interface: AuthProvider

Sets the users's password. This method should throw an UnsupportedOperationException if this operation is not supported by the backend user store.

Specified by:

setPassword in interface AuthProvider

Parameters:

username - the username of the user.

password - the new plaintext password for the user.

Throws:

UserNotFoundException - if the given user could not be loaded.

UnsupportedOperationException - if the provider does not support the operation (this is an optional operation).

supportsPasswordRetrieval

public boolean supportsPasswordRetrieval()

Description copied from interface: AuthProvider

Returns true if this UserProvider is able to retrieve user passwords from the backend user store. If this operation is not supported then AuthProvider.getPassword(String) will throw an UnsupportedOperationException if invoked.

Specified by:

supportsPasswordRetrieval in interface AuthProvider

Returns:

true if this UserProvider is able to retrieve user passwords from the backend user store.

createUser

protected void createUser(String username)

Checks to see if the user exists; if not, a new user is created.

Parameters:

username - the username.

isScramSupported

public boolean isScramSupported()

Specified by:

isScramSupported in interface AuthProvider

getSalt

public String getSalt(String username)
               throws UnsupportedOperationException,
                      UserNotFoundException

Specified by:

getSalt in interface AuthProvider

Throws:

UnsupportedOperationException

UserNotFoundException

getIterations

public int getIterations(String username)
                  throws UnsupportedOperationException,
                         UserNotFoundException

Specified by:

getIterations in interface AuthProvider

Throws:

UnsupportedOperationException

UserNotFoundException

getServerKey

public String getServerKey(String username)
                    throws UnsupportedOperationException,
                           UserNotFoundException

Specified by:

getServerKey in interface AuthProvider

Throws:

UnsupportedOperationException

UserNotFoundException

getStoredKey

public String getStoredKey(String username)
                    throws UnsupportedOperationException,
                           UserNotFoundException

Specified by:

getStoredKey in interface AuthProvider

Throws:

UnsupportedOperationException

UserNotFoundException

propertySet

public void propertySet(String property,
                        Map<String,Object> params)

Support a subset of JDBCAuthProvider properties when updated via REST, web GUI, or other sources. Provider strings (and related settings) must be set via XML.

Specified by:

propertySet in interface PropertyEventListener

Parameters:

property - the name of the property.

params - event parameters.

propertyDeleted

public void propertyDeleted(String property,
                            Map<String,Object> params)

Description copied from interface: PropertyEventListener

A property was deleted.

Specified by:

propertyDeleted in interface PropertyEventListener

Parameters:

property - the name of the property deleted.

params - event parameters.

xmlPropertySet

public void xmlPropertySet(String property,
                           Map<String,Object> params)

Description copied from interface: PropertyEventListener

An XML property was set. The parameter map params will contain the the value of the property under the key value.

Specified by:

xmlPropertySet in interface PropertyEventListener

Parameters:

property - the name of the property.

params - event parameters.

xmlPropertyDeleted

public void xmlPropertyDeleted(String property,
                               Map<String,Object> params)

Description copied from interface: PropertyEventListener

An XML property was deleted.

Specified by:

xmlPropertyDeleted in interface PropertyEventListener

Parameters:

property - the name of the property.

params - event parameters.