XMPPCallbackHandler.java 6.53 KB
Newer Older
1
/**
Matt Tucker's avatar
Matt Tucker committed
2 3
 * $Revision$
 * $Date$
4
 *
5
 * Copyright (C) 2005-2008 Jive Software. All rights reserved.
6
 *
7 8 9 10 11 12 13 14 15 16 17
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
18 19
 */

20
package org.jivesoftware.openfire.net;
21

22 23 24 25 26 27 28 29 30 31
import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;

32
import org.jivesoftware.openfire.auth.AuthFactory;
33
import org.jivesoftware.openfire.auth.AuthToken;
34
import org.jivesoftware.openfire.auth.AuthorizationManager;
35
import org.jivesoftware.openfire.sasl.VerifyPasswordCallback;
36
import org.jivesoftware.openfire.user.UserNotFoundException;
37 38
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
39 40

/**
Matt Tucker's avatar
Matt Tucker committed
41
 * Callback handler that may be used when doing SASL authentication. A CallbackHandler
42
 * may be required depending on the SASL mechanism being used.<p>
43
 *
Matt Tucker's avatar
Matt Tucker committed
44 45 46 47 48
 * Mechanisms that use a digest don't include a password so the server needs to use the
 * stored password of the user to compare it (somehow) with the specified digest. This
 * operation requires that the UserProvider being used supports passwords retrival.
 * {@link SASLAuthentication} should not offer these kind of SASL mechanisms if the user
 * provider being in use does not support passwords retrieval.
49 50 51 52 53
 *
 * @author Hao Chen
 */
public class XMPPCallbackHandler implements CallbackHandler {

54 55
	private static final Logger Log = LoggerFactory.getLogger(XMPPCallbackHandler.class);

Matt Tucker's avatar
Matt Tucker committed
56 57
    public XMPPCallbackHandler() {
    }
58

Matt Tucker's avatar
Matt Tucker committed
59 60
    public void handle(final Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
61

62

63
        String realm;
Matt Tucker's avatar
Matt Tucker committed
64
        String name = null;
65

66 67 68
        for (Callback callback : callbacks) {
            if (callback instanceof RealmCallback) {
                realm = ((RealmCallback) callback).getText();
Matt Tucker's avatar
Matt Tucker committed
69
                if (realm == null) {
70
                    realm = ((RealmCallback) callback).getDefaultText();
Matt Tucker's avatar
Matt Tucker committed
71
                }
72
                //Log.debug("XMPPCallbackHandler: RealmCallback: " + realm);
Matt Tucker's avatar
Matt Tucker committed
73
            }
74 75
            else if (callback instanceof NameCallback) {
                name = ((NameCallback) callback).getName();
Matt Tucker's avatar
Matt Tucker committed
76
                if (name == null) {
77
                    name = ((NameCallback) callback).getDefaultName();
Matt Tucker's avatar
Matt Tucker committed
78
                }
79
                //Log.debug("XMPPCallbackHandler: NameCallback: " + name);
Matt Tucker's avatar
Matt Tucker committed
80
            }
81
            else if (callback instanceof PasswordCallback) {
Matt Tucker's avatar
Matt Tucker committed
82
                try {
83 84
                    // Get the password from the UserProvider. Some UserProviders may not support
                    // this operation
85
                    ((PasswordCallback) callback)
86 87
                            .setPassword(AuthFactory.getPassword(name).toCharArray());

88
                    //Log.debug("XMPPCallbackHandler: PasswordCallback");
Matt Tucker's avatar
Matt Tucker committed
89 90 91 92
                }
                catch (UserNotFoundException e) {
                    throw new IOException(e.toString());
                }
93 94 95 96 97
                catch (UnsupportedOperationException uoe) {
                    throw new IOException(uoe.toString());
                }

            }
98
            else if (callback instanceof VerifyPasswordCallback) {
99
                //Log.debug("XMPPCallbackHandler: VerifyPasswordCallback");
100
                VerifyPasswordCallback vpcb = (VerifyPasswordCallback) callback;
101
                try {
102 103
                    AuthToken at = AuthFactory.authenticate(name, new String(vpcb.getPassword()));
                    vpcb.setVerified((at != null));
104
                }
105
                catch (Exception e) {
106 107
                    vpcb.setVerified(false);
                }
Matt Tucker's avatar
Matt Tucker committed
108
            }
109
            else if (callback instanceof AuthorizeCallback) {
110
                //Log.debug("XMPPCallbackHandler: AuthorizeCallback");
111 112 113 114 115 116 117 118 119 120 121
                AuthorizeCallback authCallback = ((AuthorizeCallback) callback);
                // Principal that authenticated
                String principal = authCallback.getAuthenticationID();
                // Username requested (not full JID)
                String username = authCallback.getAuthorizationID();
                // Remove any REALM from the username. This is optional in the spec and it may cause
                // a lot of users to fail to log in if their clients is sending an incorrect value
                if (username != null && username.contains("@")) {
                    username = username.substring(0, username.lastIndexOf("@"));
                }
                if (principal.equals(username)) {
122 123
                    //client perhaps made no request, get default username
                    username = AuthorizationManager.map(principal);
124
                    if (Log.isDebugEnabled()) {
125
                        //Log.debug("XMPPCallbackHandler: no username requested, using " + username);
126
                    }
127 128
                }
                if (AuthorizationManager.authorize(username, principal)) {
129
                    if (Log.isDebugEnabled()) {
130
                        //Log.debug("XMPPCallbackHandler: " + principal + " authorized to " + username);
131
                    }
Matt Tucker's avatar
Matt Tucker committed
132
                    authCallback.setAuthorized(true);
133
                    authCallback.setAuthorizedID(username);
134 135
                }
                else {
136
                    if (Log.isDebugEnabled()) {
137
                        //Log.debug("XMPPCallbackHandler: " + principal + " not authorized to " + username);
138
                    }
139
                    authCallback.setAuthorized(false);
Matt Tucker's avatar
Matt Tucker committed
140 141 142
                }
            }
            else {
143
                if (Log.isDebugEnabled()) {
144
                    //Log.debug("XMPPCallbackHandler: Callback: " + callback.getClass().getSimpleName());
145 146
                }
                throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
Matt Tucker's avatar
Matt Tucker committed
147 148 149 150
            }
        }
    }
}