1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
/**
* $RCSfile$
* $Revision: $
* $Date: 2006-04-20 10:46:24 -0500 (Thu, 20 Apr 2006) $
*
* Copyright (C) 2004 Jive Software. All rights reserved.
*
* This software is published under the terms of the GNU Public License (GPL),
* a copy of which is included in this distribution.
*/
package org.jivesoftware.openfire.auth;
import org.jivesoftware.util.JiveGlobals;
import org.jivesoftware.util.Log;
import java.util.StringTokenizer;
import java.util.Vector;
/**
* Different clients perform authentication differently, so this policy
* will authorize any principal to a requested user that match specific
* conditions that are considered secure defaults for most installations.
*
* Keep in mind if a client does not request any username Java copies the
* authenticated ID to the requested username.
*
* <ul>
* <li>If the authenticated ID is in the form of a plain username, and the
* requested user is in the form of a plain username, then the two must
* be exactly the same.
* <li>If the authenticated ID contains an '@', then the portion before the
* '@' must match exactly the requested username and the portion after
* the '@' must match at least one of the following:
* <ul>
* <li>The XMPP domain of the server
* <li>The SASL realm of the server
* <li>Be in the list of acceptable realms
* </ul>
* <li>If the requested username contains an '@' then the porotion before the
* '@' will be considered the requested username only if the portion after
* the '@' matches the XMPP domain of the server or the portion after the
* '@' in the authenticated ID, if any.
* </ul>
*
*
* @see AuthorizationManager
* @author Jay Kline
*/
public class DefaultAuthorizationPolicy implements AuthorizationPolicy {
private Vector<String> approvedRealms;
public DefaultAuthorizationPolicy() {
approvedRealms = new Vector<String>();
String realmList = JiveGlobals.getXMLProperty("sasl.approvedRealms");
if(realmList != null) {
StringTokenizer st = new StringTokenizer(realmList, " ,\t\n\r\f");
while(st.hasMoreTokens()) {
approvedRealms.add(st.nextToken());
}
}
}
/**
* Returns true if the principal is explicity authorized to the JID
*
* @param username The username requested.
* @param authenID The authenticated ID (principal) requesting the username.
* @return true if the authenticated ID is authorized to the requested user.
*/
public boolean authorize(String username, String authenID) {
boolean authorized = false;
String userUser = username; //I know, I know, dumb variable name...
String userRealm = null;
String authenUser = authenID;
String authenRealm = null;
if(username.contains("@")) {
userUser = username.substring(0,username.lastIndexOf("@"));
userRealm = username.substring((username.lastIndexOf("@")+1));
}
if(authenID.contains("@")){
authenUser = authenID.substring(0,(authenID.lastIndexOf("@")));
authenRealm = authenID.substring((authenID.lastIndexOf("@")+1));
}
if(!userUser.equals(authenUser)) {
//for this policy the user portion of both must match, so lets short circut here if we can
if(JiveGlobals.getBooleanProperty("xmpp.auth.ignorecase",true)) {
if(!userUser.toLowerCase().equals(authenUser.toLowerCase())){
if (Log.isDebugEnabled()) {
Log.debug("DefaultAuthorizationPolicy: usernames don't match ("+userUser+" "+authenUser+")");
}
return false;
}
} else {
Log.debug("DefaultAuthorizationPolicy: usernames don't match ("+userUser+" "+authenUser+")");
return false;
}
}
Log.debug("DefaultAuthorizationPolicy: Checking authenID realm");
// Next up, check if the authenID realm is acceptable.
if(authenRealm != null) {
if(authenRealm.equals(JiveGlobals.getProperty("xmpp.domain"))) {
Log.debug("DefaultAuthorizationPolicy: authenRealm = xmpp.domain");
authorized = true;
} else if(authenRealm.equals(JiveGlobals.getXMLProperty("sasl.realm"))) {
Log.debug("DefaultAuthorizationPolicy: authenRealm = sasl.realm");
authorized = true;
} else {
for(String realm : approvedRealms) {
if(authenRealm.equals(realm)) {
if (Log.isDebugEnabled()) {
Log.debug("DefaultAuthorizationPolicy: authenRealm = "+realm+" which is approved");
}
authorized = true;
} else {
if (Log.isDebugEnabled()) {
Log.debug("DefaultAuthorizationPolicy: authenRealm != "+realm+" which is approved");
}
}
}
}
} else {
//no realm in the authenID
authorized = true;
}
if(!authorized) {
return false;
} else {
//reset for next round of tests
authorized = false;
}
//Next up, check if the username realm is acceptable.
if(userRealm != null) {
if(userRealm.equals(JiveGlobals.getProperty("xmpp.domain"))) {
Log.debug("DefaultAuthorizationPolicy: userRealm = xmpp.domain");
authorized = true;
} else {
if(authenRealm != null && authenRealm.equals(userRealm)) {
//authen and username are identical
if (Log.isDebugEnabled()) {
Log.debug("DefaultAuthorizationPolicy: userRealm = "+authenRealm+" which is approved");
}
authorized = true;
}
}
} else {
authorized = true;
}
//no more checks
return authorized;
}
/**
* Returns the short name of the Policy
*
* @return The short name of the Policy
*/
public String name() {
return "Default Policy";
}
/**
* Returns a description of the Policy
*
* @return The description of the Policy.
*/
public String description() {
return "Different clients perform authentication differently, so this policy "+
"will authorize any principal to a requested user that match specific "+
"conditions that are considered secure defaults for most installations.";
}
}