IQAuthHandler.java 12.1 KB
Newer Older
Matt Tucker's avatar
Matt Tucker committed
1 2 3 4 5
/**
 * $RCSfile$
 * $Revision$
 * $Date$
 *
Matt Tucker's avatar
Matt Tucker committed
6
 * Copyright (C) 2004 Jive Software. All rights reserved.
Matt Tucker's avatar
Matt Tucker committed
7
 *
Matt Tucker's avatar
Matt Tucker committed
8 9
 * This software is published under the terms of the GNU Public License (GPL),
 * a copy of which is included in this distribution.
Matt Tucker's avatar
Matt Tucker committed
10
 */
Matt Tucker's avatar
Matt Tucker committed
11

Matt Tucker's avatar
Matt Tucker committed
12 13
package org.jivesoftware.messenger.handler;

14 15 16
import org.dom4j.DocumentHelper;
import org.dom4j.Element;
import org.dom4j.QName;
Matt Tucker's avatar
Matt Tucker committed
17 18 19 20 21 22
import org.jivesoftware.messenger.*;
import org.jivesoftware.messenger.auth.AuthFactory;
import org.jivesoftware.messenger.auth.AuthToken;
import org.jivesoftware.messenger.auth.UnauthorizedException;
import org.jivesoftware.messenger.user.UserManager;
import org.jivesoftware.messenger.user.UserNotFoundException;
23 24
import org.jivesoftware.util.LocaleUtils;
import org.jivesoftware.util.Log;
25
import org.jivesoftware.util.JiveGlobals;
26 27
import org.jivesoftware.stringprep.Stringprep;
import org.jivesoftware.stringprep.StringprepException;
Matt Tucker's avatar
Matt Tucker committed
28 29 30
import org.xmpp.packet.IQ;
import org.xmpp.packet.JID;
import org.xmpp.packet.PacketError;
31
import org.xmpp.packet.StreamError;
Matt Tucker's avatar
Matt Tucker committed
32

33 34 35
import java.util.ArrayList;
import java.util.List;

Matt Tucker's avatar
Matt Tucker committed
36 37
/**
 * Implements the TYPE_IQ jabber:iq:auth protocol (plain only). Clients
Matt Tucker's avatar
Matt Tucker committed
38 39 40 41 42
 * use this protocol to authenticate with the server. A 'get' query
 * runs an authentication probe with a given user name. Return the
 * authentication form or an error indicating the user is not
 * registered on the server.<p>
 *
Matt Tucker's avatar
Matt Tucker committed
43 44 45
 * A 'set' query authenticates with information given in the
 * authentication form. An authenticated session may reset their
 * authentication information using a 'set' query.
Matt Tucker's avatar
Matt Tucker committed
46
 *
Matt Tucker's avatar
Matt Tucker committed
47 48 49 50 51 52 53 54 55 56 57
 * <h2>Assumptions</h2>
 * This handler assumes that the request is addressed to the server.
 * An appropriate TYPE_IQ tag matcher should be placed in front of this
 * one to route TYPE_IQ requests not addressed to the server to
 * another channel (probably for direct delivery to the recipient).
 *
 * @author Iain Shigeoka
 */
public class IQAuthHandler extends IQHandler implements IQAuthInfo {

    private static boolean anonymousAllowed;
Matt Tucker's avatar
Matt Tucker committed
58 59

    private Element probeResponse;
Matt Tucker's avatar
Matt Tucker committed
60 61
    private IQHandlerInfo info;

62 63 64 65
    private UserManager userManager;
    private XMPPServer localServer;
    private SessionManager sessionManager;

Matt Tucker's avatar
Matt Tucker committed
66 67 68 69 70
    /**
     * Clients are not authenticated when accessing this handler.
     */
    public IQAuthHandler() {
        super("XMPP Authentication handler");
71
        info = new IQHandlerInfo("query", "jabber:iq:auth");
Matt Tucker's avatar
Matt Tucker committed
72 73

        probeResponse = DocumentHelper.createElement(QName.get("query", "jabber:iq:auth"));
Gaston Dombiak's avatar
Gaston Dombiak committed
74
        probeResponse.addElement("username");
Matt Tucker's avatar
Matt Tucker committed
75
        if (AuthFactory.isPlainSupported()) {
Gaston Dombiak's avatar
Gaston Dombiak committed
76
            probeResponse.addElement("password");
Matt Tucker's avatar
Matt Tucker committed
77 78
        }
        if (AuthFactory.isDigestSupported()) {
Gaston Dombiak's avatar
Gaston Dombiak committed
79
            probeResponse.addElement("digest");
Matt Tucker's avatar
Matt Tucker committed
80
        }
Gaston Dombiak's avatar
Gaston Dombiak committed
81
        probeResponse.addElement("resource");
82
        anonymousAllowed = "true".equals(JiveGlobals.getProperty("xmpp.auth.anonymous"));
Matt Tucker's avatar
Matt Tucker committed
83 84
    }

85
    public IQ handleIQ(IQ packet) throws UnauthorizedException, PacketException {
Matt Tucker's avatar
Matt Tucker committed
86
        try {
87
            ClientSession session = sessionManager.getSession(packet.getFrom());
88 89 90 91 92 93 94 95 96 97 98 99
            // If no session was found then answer an error (if possible)
            if (session == null) {
                Log.error("Error during authentication. Session not found in " +
                        sessionManager.getPreAuthenticatedKeys() +
                        " for key " +
                        packet.getFrom());
                // This error packet will probably won't make it through
                IQ reply = IQ.createResultIQ(packet);
                reply.setChildElement(packet.getChildElement().createCopy());
                reply.setError(PacketError.Condition.internal_server_error);
                return reply;
            }
Matt Tucker's avatar
Matt Tucker committed
100 101
            IQ response = null;
            try {
Matt Tucker's avatar
Matt Tucker committed
102
                Element iq = packet.getElement();
103
                Element query = iq.element("query");
104
                Element queryResponse = probeResponse.createCopy();
Matt Tucker's avatar
Matt Tucker committed
105
                if (IQ.Type.get == packet.getType()) {
106
                    String username = query.elementTextTrim("username");
107 108 109
                    if (username != null) {
                        queryResponse.element("username").setText(username);
                    }
Gaston Dombiak's avatar
Gaston Dombiak committed
110
                    response = IQ.createResultIQ(packet);
111
                    response.setChildElement(queryResponse);
112 113 114
                    // This is a workaround. Since we don't want to have an incorrect TO attribute
                    // value we need to clean up the TO attribute and send directly the response.
                    // The TO attribute will contain an incorrect value since we are setting a fake
115
                    // JID until the user actually authenticates with the server.
116 117 118
                    if (session.getStatus() != Session.STATUS_AUTHENTICATED) {
                        response.setTo((JID)null);
                    }
Matt Tucker's avatar
Matt Tucker committed
119
                }
Matt Tucker's avatar
Matt Tucker committed
120 121
                // Otherwise set query
                else {
Gaston Dombiak's avatar
Gaston Dombiak committed
122
                    if (query.elements().isEmpty()) {
Matt Tucker's avatar
Matt Tucker committed
123 124 125 126
                        // Anonymous authentication
                        response = anonymousLogin(session, packet);
                    }
                    else {
127
                        String username = query.elementTextTrim("username");
Matt Tucker's avatar
Matt Tucker committed
128
                        // Login authentication
129
                        String password = query.elementTextTrim("password");
Matt Tucker's avatar
Matt Tucker committed
130
                        String digest = null;
131 132
                        if (query.element("digest") != null) {
                            digest = query.elementTextTrim("digest").toLowerCase();
Matt Tucker's avatar
Matt Tucker committed
133 134 135 136 137 138 139 140
                        }

                        // If we're already logged in, this is a password reset
                        if (session.getStatus() == Session.STATUS_AUTHENTICATED) {
                            response = passwordReset(password, packet, username, session);
                        }
                        else {
                            // it is an auth attempt
Gaston Dombiak's avatar
Gaston Dombiak committed
141 142 143
                            response =
                                    login(username, query, packet, response, password, session,
                                            digest);
Matt Tucker's avatar
Matt Tucker committed
144 145 146 147 148
                        }
                    }
                }
            }
            catch (UserNotFoundException e) {
Matt Tucker's avatar
Matt Tucker committed
149
                response = IQ.createResultIQ(packet);
150
                response.setChildElement(packet.getChildElement().createCopy());
Matt Tucker's avatar
Matt Tucker committed
151
                response.setError(PacketError.Condition.not_authorized);
Matt Tucker's avatar
Matt Tucker committed
152 153
            }
            catch (UnauthorizedException e) {
Matt Tucker's avatar
Matt Tucker committed
154
                response = IQ.createResultIQ(packet);
155
                response.setChildElement(packet.getChildElement().createCopy());
Matt Tucker's avatar
Matt Tucker committed
156
                response.setError(PacketError.Condition.not_authorized);
Matt Tucker's avatar
Matt Tucker committed
157
            }
158 159 160
            // Send the response directly since we want to be sure that we are sending it back
            // to the correct session. Any other session of the same user but with different
            // resource is incorrect.
161
            session.process(response);
Matt Tucker's avatar
Matt Tucker committed
162 163
        }
        catch (Exception e) {
164
            Log.error("Error handling authentication IQ packet", e);
Matt Tucker's avatar
Matt Tucker committed
165 166 167 168
        }
        return null;
    }

Matt Tucker's avatar
Matt Tucker committed
169
    private IQ login(String username, Element iq, IQ packet, IQ response, String password,
170 171
            ClientSession session, String digest) throws UnauthorizedException,
            UserNotFoundException
Matt Tucker's avatar
Matt Tucker committed
172
    {
173
        String resource = iq.elementTextTrim("resource");
174 175 176 177 178 179 180 181
        if (resource != null) {
            try {
                resource = Stringprep.resourceprep(resource);
            }
            catch (StringprepException e) {
                throw new IllegalArgumentException("Invalid resource: " + resource);
            }
        }
182 183 184 185 186 187
        else {
            // Answer a not_acceptable error since a resource was not supplied
            response = IQ.createResultIQ(packet);
            response.setChildElement(packet.getChildElement().createCopy());
            response.setError(PacketError.Condition.not_acceptable);
        }
Matt Tucker's avatar
Matt Tucker committed
188 189 190

        // If a session already exists with the requested JID, then check to see
        // if we should kick it off or refuse the new connection
191
        if (sessionManager.isActiveRoute(username, resource)) {
192
            ClientSession oldSession = null;
Matt Tucker's avatar
Matt Tucker committed
193
            try {
194 195
                String domain = localServer.getServerInfo().getName();
                oldSession = sessionManager.getSession(username, domain, resource);
Matt Tucker's avatar
Matt Tucker committed
196 197 198 199 200
                oldSession.incrementConflictCount();
                int conflictLimit = sessionManager.getConflictKickLimit();
                if (conflictLimit != SessionManager.NEVER_KICK && oldSession.getConflictCount() > conflictLimit) {
                    Connection conn = oldSession.getConnection();
                    if (conn != null) {
201 202 203
                        // Send a stream:error before closing the connection
                        StreamError error = new StreamError(StreamError.Condition.conflict);
                        conn.getWriter().write(error.toXML());
Matt Tucker's avatar
Matt Tucker committed
204 205 206 207
                        conn.close();
                    }
                }
                else {
Matt Tucker's avatar
Matt Tucker committed
208
                    response = IQ.createResultIQ(packet);
209
                    response.setChildElement(packet.getChildElement().createCopy());
Matt Tucker's avatar
Matt Tucker committed
210
                    response.setError(PacketError.Condition.forbidden);
Matt Tucker's avatar
Matt Tucker committed
211 212 213
                }
            }
            catch (Exception e) {
214
                Log.error("Error during login", e);
Matt Tucker's avatar
Matt Tucker committed
215 216 217 218 219 220
            }
        }
        // If the connection was not refused due to conflict, log the user in
        if (response == null) {
            AuthToken token = null;
            if (password != null && AuthFactory.isPlainSupported()) {
Matt Tucker's avatar
Matt Tucker committed
221
                token = AuthFactory.authenticate(username, password);
Matt Tucker's avatar
Matt Tucker committed
222 223
            }
            else if (digest != null && AuthFactory.isDigestSupported()) {
Matt Tucker's avatar
Matt Tucker committed
224 225
                token = AuthFactory.authenticate(username, session.getStreamID().toString(),
                        digest);
Matt Tucker's avatar
Matt Tucker committed
226 227 228 229 230
            }
            if (token == null) {
                throw new UnauthorizedException();
            }
            else {
231
                session.setAuthToken(token, userManager, resource);
Matt Tucker's avatar
Matt Tucker committed
232 233
                packet.setFrom(session.getAddress());
                response = IQ.createResultIQ(packet);
Matt Tucker's avatar
Matt Tucker committed
234 235 236 237 238
            }
        }
        return response;
    }

Matt Tucker's avatar
Matt Tucker committed
239 240 241
    private IQ passwordReset(String password, IQ packet, String username, Session session)
            throws UnauthorizedException
    {
Matt Tucker's avatar
Matt Tucker committed
242 243 244 245 246 247 248
        IQ response;
        if (password == null || password.length() == 0) {
            throw new UnauthorizedException();
        }
        else {
            try {
                userManager.getUser(username).setPassword(password);
Matt Tucker's avatar
Matt Tucker committed
249
                response = IQ.createResultIQ(packet);
Matt Tucker's avatar
Matt Tucker committed
250 251 252 253 254 255 256 257 258 259 260 261
                List params = new ArrayList();
                params.add(username);
                params.add(session.toString());
                Log.info(LocaleUtils.getLocalizedString("admin.password.update", params));
            }
            catch (UserNotFoundException e) {
                throw new UnauthorizedException();
            }
        }
        return response;
    }

262
    private IQ anonymousLogin(ClientSession session, IQ packet) {
Matt Tucker's avatar
Matt Tucker committed
263
        IQ response = IQ.createResultIQ(packet);;
Matt Tucker's avatar
Matt Tucker committed
264 265
        if (anonymousAllowed) {
            session.setAnonymousAuth();
Matt Tucker's avatar
Matt Tucker committed
266 267
            Element auth = response.setChildElement("query", "jabber:iq:auth");
            auth.addElement("resource").setText(session.getAddress().getResource());
Matt Tucker's avatar
Matt Tucker committed
268 269
        }
        else {
270
            response.setChildElement(packet.getChildElement().createCopy());
Matt Tucker's avatar
Matt Tucker committed
271
            response.setError(PacketError.Condition.forbidden);
Matt Tucker's avatar
Matt Tucker committed
272 273 274 275 276 277 278 279 280 281
        }
        return response;
    }

    public boolean isAllowAnonymous() {
        return anonymousAllowed;
    }

    public void setAllowAnonymous(boolean isAnonymous) throws UnauthorizedException {
        anonymousAllowed = isAnonymous;
282
        JiveGlobals.setProperty("xmpp.auth.anonymous", anonymousAllowed ? "true" : "false");
Matt Tucker's avatar
Matt Tucker committed
283 284
    }

285 286 287 288 289
    public void initialize(XMPPServer server) {
        super.initialize(server);
        localServer = server;
        userManager = server.getUserManager();
        sessionManager = server.getSessionManager();
Matt Tucker's avatar
Matt Tucker committed
290 291 292 293 294
    }

    public IQHandlerInfo getInfo() {
        return info;
    }
Matt Tucker's avatar
Matt Tucker committed
295
}