Package org.jivesoftware.openfire.net
Class SASLAuthentication
- java.lang.Object
  - org.jivesoftware.openfire.net.SASLAuthentication

public class SASLAuthentication extends Object
SASLAuthentication is responsible for returning the available SASL mechanisms to use and for actually performing the SASL authentication. The list of available SASL mechanisms is determined by:
- The type of UserProvider being used, since some SASL mechanisms require the server to be able to retrieve user passwords.
- Whether anonymous logins are enabled or not.
- Whether shared secret authentication is enabled or not.
- Whether the underlying connection has been secured or not.
Author:
- Hao Chen, Gaston Dombiak
Nested Class Summary
- static class SASLAuthentication.ElementType
- static class SASLAuthentication.Status
-
Field Summary
- static SystemProperty<List<String>> APPROVED_REALMS
- static SystemProperty<Boolean> EXTERNAL_S2S_REQUIRE_AUTHZID
  Require the peer to provide an authorization identity through SASL (typically in the Initial Response) when authenticating an inbound S2S connection that uses the EXTERNAL SASL mechanism.
- static SystemProperty<Boolean> EXTERNAL_S2S_SKIP_SENDING_AUTHZID
  Send an authorization identity in the Initial Response when attempting to authenticate using the SASL EXTERNAL mechanism with a remote XMPP domain.
- static SystemProperty<Boolean> PROXY_AUTH
- static SystemProperty<String> REALM
- static String SASL_LAST_RESPONSE_WAS_PROVIDED_BUT_EMPTY
  Java's SaslServer does not allow for null values.
- static SystemProperty<Boolean> SKIP_PEER_CERT_REVALIDATION_CLIENT
-
Constructor Summary
- SASLAuthentication()
-
Method Summary
- static void addSupportedMechanism(String mechanismName)
  Adds a new SASL mechanism to the list of supported SASL mechanisms by the server.
- static List<String> getEnabledMechanisms()
  Returns a collection of SASL mechanism names that forms the source pool from which the mechanisms that are eventually being offered to peers are obtained.
- static Set<String> getImplementedMechanisms()
  Returns a collection of mechanism names for which the JVM has an implementation available.
- static org.dom4j.Element getSASLMechanisms(LocalSession session)
  Returns an XML element with the valid SASL mechanisms available for the specified session.
- static org.dom4j.Element getSASLMechanismsElement(ClientSession session)
- static org.dom4j.Element getSASLMechanismsElement(LocalIncomingServerSession session)
- static Set<String> getSupportedMechanisms()
  Returns the list of supported SASL mechanisms by the server.
- static SASLAuthentication.Status handle(LocalSession session, org.dom4j.Element doc)
  Handles the SASL authentication packet.
- static void removeSupportedMechanism(String mechanismName)
  Removes a SASL mechanism from the list of supported SASL mechanisms by the server.
- static void setEnabledMechanisms(List<String> mechanisms)
  Sets the collection of mechanism names that the system administrator allows to be used.
- static boolean verifyCertificate(X509Certificate trustedCert, String hostname)
- static boolean verifyCertificates(Certificate[] chain, String hostname, boolean isS2S)

Field Detail
-
REALM
public static final SystemProperty<String> REALM
-
APPROVED_REALMS
public static final SystemProperty<List<String>> APPROVED_REALMS
-
PROXY_AUTH
public static final SystemProperty<Boolean> PROXY_AUTH
-
SKIP_PEER_CERT_REVALIDATION_CLIENT
public static final SystemProperty<Boolean> SKIP_PEER_CERT_REVALIDATION_CLIENT
-
EXTERNAL_S2S_REQUIRE_AUTHZID
public static final SystemProperty<Boolean> EXTERNAL_S2S_REQUIRE_AUTHZID
Require the peer to provide an authorization identity through SASL (typically in the Initial Response) when authenticating an inbound S2S connection that uses the EXTERNAL SASL mechanism. This is not required by the XMPP protocol specification, but it was required by Openfire versions prior to release 4.8.0. This configuration option is added to allow for backwards compatibility.
-
EXTERNAL_S2S_SKIP_SENDING_AUTHZID
public static final SystemProperty<Boolean> EXTERNAL_S2S_SKIP_SENDING_AUTHZID
Send an authorization identity in the Initial Response when attempting to authenticate using the SASL EXTERNAL mechanism with a remote XMPP domain. Sending the authzid in this manner is not required by the XMPP protocol specification, but is recommended in XEP-0178 for compatibility with older server implementations.
-
SASL_LAST_RESPONSE_WAS_PROVIDED_BUT_EMPTY
public static final String SASL_LAST_RESPONSE_WAS_PROVIDED_BUT_EMPTY
Java's SaslServer does not allow for null values. This makes it hard to distinguish between an empty (initial) response (represented in XMPP as a single equals sign character '=', as per RFC-6120 section 6.4.2) and a missing/absent response. This can be problematic when a SASL mechanism implementation is to act differently in each scenario (like the EXTERNAL mechanism, which is to challenge for an authzid when no initial response is provided, but which is to use the stream's 'from' attribute value when the initial response is empty). To work around this shortcoming in Java's SASL implementation, this class adds a session attribute, using a key that has the name of this constant's value, when it detects a SASL response that is present but empty.

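The three initial-response cases described above (absent, empty '=', and present), as an added example that is not Openfire's code: it parses an <auth/> stanza with the JDK's DOM parser instead of dom4j, returns a tri-state value instead of setting the session attribute that Openfire uses, and the externalAction method is a hypothetical illustration of the EXTERNAL branch the field description outlines. The sample stanzas in main are constructed for the demonstration.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class InitialResponseDemo {

    /** The three states RFC 6120 section 6.4.2 lets an <auth/> element express. */
    enum State { ABSENT, EMPTY, PRESENT }

    static final class InitialResponse {
        final State state;
        final byte[] bytes;   // decoded payload; empty unless state == PRESENT
        InitialResponse(State state, byte[] bytes) { this.state = state; this.bytes = bytes; }
    }

    /** Parse a SASL <auth/> stanza (constructed input) and classify its initial response. */
    static InitialResponse decode(String stanzaXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Hardening: a SASL stanza never legitimately carries a DOCTYPE or external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        Element auth = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(stanzaXml)))
                .getDocumentElement();
        String text = auth.getTextContent() == null ? "" : auth.getTextContent().trim();
        if (text.isEmpty()) {
            return new InitialResponse(State.ABSENT, new byte[0]);   // <auth mechanism='X'/>
        }
        if (text.equals("=")) {
            return new InitialResponse(State.EMPTY, new byte[0]);    // <auth mechanism='X'>=</auth>
        }
        return new InitialResponse(State.PRESENT, Base64.getDecoder().decode(text));
    }

    /** Hypothetical EXTERNAL server-side decision for each state, per the field description above. */
    static String externalAction(InitialResponse r, String streamFrom) {
        switch (r.state) {
            case ABSENT:  return "challenge peer for authzid";
            case EMPTY:   return "use stream 'from' as authzid: " + streamFrom;
            default:      return "use supplied authzid: " + new String(r.bytes, StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        String ns = "urn:ietf:params:xml:ns:xmpp-sasl";
        String authzid = Base64.getEncoder()
                .encodeToString("example.org".getBytes(StandardCharsets.UTF_8));
        String[] samples = {                                        // constructed stanzas
            "<auth xmlns='" + ns + "' mechanism='EXTERNAL'/>",
            "<auth xmlns='" + ns + "' mechanism='EXTERNAL'>=</auth>",
            "<auth xmlns='" + ns + "' mechanism='EXTERNAL'>" + authzid + "</auth>",
        };
        for (String s : samples) {
            InitialResponse r = decode(s);
            System.out.println(r.state + " -> " + externalAction(r, "peer.example.net"));
        }
    }
}
```

The point of keeping the tri-state explicit is that a SaslServer only ever sees a byte array, so once the '=' case has been collapsed to an empty array the mechanism can no longer tell "the peer sent nothing" from "the peer sent an empty response", which is exactly the distinction EXTERNAL needs.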
Method Detail
-
getSASLMechanisms
public static org.dom4j.Element getSASLMechanisms(LocalSession session)
Returns an XML element with the valid SASL mechanisms available for the specified session. If the session's connection is not secured then only include the SASL mechanisms that don't require TLS.
Parameters:
- session - The current session
Returns:
- The valid SASL mechanisms available for the specified session.
-
getSASLMechanismsElement
public static org.dom4j.Element getSASLMechanismsElement(ClientSession session)
-
getSASLMechanismsElement
public static org.dom4j.Element getSASLMechanismsElement(LocalIncomingServerSession session)
-
handle
public static SASLAuthentication.Status handle(LocalSession session, org.dom4j.Element doc)
Handles the SASL authentication packet. The entity may be sending an initial authentication request or a response to a challenge made by the server. The returned value indicates whether the authentication has finished (successfully or not) or whether the entity is expected to send a response to a challenge.
Parameters:
- session - the session that is authenticating with the server.
- doc - the stanza sent by the authenticating entity.
Returns:
- value that indicates whether the authentication has finished (successfully or not) or whether the entity is expected to send a response to a challenge.
-
verifyCertificate
public static boolean verifyCertificate(X509Certificate trustedCert, String hostname)
-
verifyCertificates
public static boolean verifyCertificates(Certificate[] chain, String hostname, boolean isS2S)
-
addSupportedMechanism
public static void addSupportedMechanism(String mechanismName)
Adds a new SASL mechanism to the list of supported SASL mechanisms by the server. The new mechanism will be offered to clients and connection managers as stream features.
Note: this method simply registers the SASL mechanism to be advertised as a supported mechanism by Openfire. Actual SASL handling is done by Java itself, so you must add the provider to Java.
Parameters:
- mechanismName - the name of the new SASL mechanism (cannot be null or an empty String).
-
removeSupportedMechanism
public static void removeSupportedMechanism(String mechanismName)
Removes a SASL mechanism from the list of supported SASL mechanisms by the server.
Parameters:
- mechanismName - the name of the SASL mechanism to remove (cannot be null or empty, not case sensitive).
-
getSupportedMechanisms
public static Set<String> getSupportedMechanisms()
Returns the list of supported SASL mechanisms by the server. Note that Java may have support for more mechanisms but some of them may not be returned since a special setup is required that might be missing. Use addSupportedMechanism(String) to add new SASL mechanisms.
Returns:
- the list of supported SASL mechanisms by the server.
-
getImplementedMechanisms
public static Set<String> getImplementedMechanisms()
Returns a collection of mechanism names for which the JVM has an implementation available.
Note that this need not (and likely will not) correspond with the list of mechanisms that is offered to XMPP peer entities, which is provided by getSupportedMechanisms().
Returns:
- a collection of SASL mechanism names (never null, possibly empty)
-
getEnabledMechanisms
public static List<String> getEnabledMechanisms()
Returns a collection of SASL mechanism names that forms the source pool from which the mechanisms that are eventually being offered to peers are obtained. When a mechanism is not returned by this method, it will never be offered, but when a mechanism is returned by this method, there is no guarantee that it will be offered. Apart from being returned by this method, an implementation must be available (see getImplementedMechanisms()) and configuration or other characteristics of this server must not prevent a particular mechanism from being used (see getSupportedMechanisms()).
Returns:
- A collection of mechanisms that are considered for use in this instance of Openfire.
-
setEnabledMechanisms
public static void setEnabledMechanisms(List<String> mechanisms)
Sets the collection of mechanism names that the system administrator allows to be used.
Parameters:
- mechanisms - A collection of mechanisms that are considered for use in this instance of Openfire. Null to reset the default setting.
See Also:
- getEnabledMechanisms()
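How the three mechanism collections relate in practice, as an added example that is neither Openfire's nor any plugin's own code; it serves both the addSupportedMechanism description and the getEnabledMechanisms/setEnabledMechanisms descriptions above. It assumes only the SASLAuthentication static methods documented on this page and the standard JCA way of publishing a SaslServerFactory. The X-EXAMPLE-TOKEN mechanism, the ExampleSasl provider and the com.example.sasl.ExampleTokenServerFactory class are hypothetical: a real SaslServerFactory implementation under that name would have to be on the classpath for the mechanism to ever be implemented, let alone offered.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.jivesoftware.openfire.net.SASLAuthentication;

/**
 * Plugin-side hardening of the SASL mechanism pool: enabled (admin policy)
 * -> implemented (JVM) -> supported (what Openfire actually offers).
 * Meant to be called from a plugin's initialisation, inside a running Openfire.
 */
public class SaslPoolHardening {

    // Hypothetical custom mechanism, backed by a hypothetical JCA provider.
    static final String CUSTOM_MECH = "X-EXAMPLE-TOKEN";

    /** Step 1: give Java an implementation, then tell Openfire to advertise it. */
    static void registerCustomMechanism() {
        // Java's SASL framework looks up server implementations through JCA
        // providers keyed as "SaslServerFactory.<MECHANISM>".
        Provider p = new Provider("ExampleSasl", "1.0", "Hypothetical SASL provider") {
            {
                put("SaslServerFactory." + CUSTOM_MECH,
                    "com.example.sasl.ExampleTokenServerFactory"); // hypothetical class
            }
        };
        Security.addProvider(p);
        // Openfire only advertises the name; the SaslServer work is done by Java.
        SASLAuthentication.addSupportedMechanism(CUSTOM_MECH);
    }

    /** Step 2: shrink the admin-controlled pool so PLAIN and DIGEST-MD5 are never offered. */
    static void restrictPool() {
        SASLAuthentication.setEnabledMechanisms(
            Arrays.asList("SCRAM-SHA-1", "EXTERNAL", CUSTOM_MECH));
    }

    /** Enabled-by-policy mechanisms that no JVM provider implements (silently never offered). */
    static Set<String> enabledButUnimplemented() {
        Set<String> missing = new HashSet<>(SASLAuthentication.getEnabledMechanisms());
        missing.removeAll(SASLAuthentication.getImplementedMechanisms());
        return missing;
    }

    /** Step 3: verify the invariant the documentation states: offered is a subset of enabled and implemented. */
    static void check() {
        List<String> enabled = SASLAuthentication.getEnabledMechanisms();
        Set<String> implemented = SASLAuthentication.getImplementedMechanisms();
        Set<String> supported = SASLAuthentication.getSupportedMechanisms();
        for (String m : supported) {
            if (!enabled.contains(m) || !implemented.contains(m)) {
                throw new IllegalStateException("mechanism offered outside the pool: " + m);
            }
        }
        for (String m : enabledButUnimplemented()) {
            System.err.println("enabled by policy but no JVM implementation: " + m);
        }
        System.out.println("enabled=" + enabled + " implemented=" + implemented
                + " offered=" + supported);
    }

    public static void run() {
        registerCustomMechanism();
        restrictPool();
        check();
    }
}
```

The warning loop is the part worth keeping in a real deployment: a mechanism that an administrator enabled but that no provider implements is dropped without any error, so a typo in the enabled list (or a missing provider jar) degrades quietly to whatever else remains in the pool.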