Fixed a logic flaw with authorization when client requests a full JID instead of a username.

Also fixed a logic flaw that allowed an unauthorized, but authenticated, PLAIN login.


git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@8806 b35dd754-fafc-0310-a699-88a17e54d16e

src/java/org/jivesoftware/openfire/auth/AuthorizationManager.java

@@ -145,7 +145,7 @@ public class AuthorizationManager {
                     UserManager.getUserProvider().loadUser(username);
                 }
                 catch (UserNotFoundException nfe) {
-                    Log.debug("AuthorizationManager: User "+username+" not found.");
+                    Log.debug("AuthorizationManager: User "+username+" not found "+nfe.toString());
                     // Should we add the user?
                     if(JiveGlobals.getBooleanProperty("xmpp.auth.autoadd",false)) {
                         if (UserManager.getUserProvider().isReadOnly()) {

src/java/org/jivesoftware/openfire/auth/DefaultAuthorizationPolicy.java

@@ -66,7 +66,7 @@ public class DefaultAuthorizationPolicy implements AuthorizationPolicy {
      * Returns true if the principal is explicity authorized to the JID
      *
      * @param username  The username requested.
-     * @param authenID The authenticated ID requesting the username.
+     * @param authenID The authenticated ID (principal) requesting the username.
      * @return true if the authenticated ID is authorized to the requested user.
      */
     public boolean authorize(String username, String authenID) {

src/java/org/jivesoftware/openfire/ldap/LdapUserProvider.java

@@ -70,6 +70,14 @@ public class LdapUserProvider implements UserProvider {
     }
 
     public User loadUser(String username) throws UserNotFoundException {
+        String userDomain = JiveGlobals.getProperty("xmpp.domain");
+        if(username.contains("@")) {
+            userDomain = username.substring((username.lastIndexOf("@")+1));
+            username = username.substring(0,username.lastIndexOf("@"));
+        }
+        if(!userDomain.equals(JiveGlobals.getProperty("xmpp.domain"))) {
+            throw new UserNotFoundException("Unknown domain: "+userDomain);
+        }
         // Un-escape username.
         username = JID.unescapeNode(username);
         DirContext ctx = null;

src/java/org/jivesoftware/openfire/net/XMPPCallbackHandler.java

@@ -109,6 +109,7 @@ public class XMPPCallbackHandler implements CallbackHandler {
                 }
                 else {
                     Log.debug("XMPPCallbackHandler: "+principal + " not authorized to " + username);
+                    authCallback.setAuthorized(false);
                 }
             }
             else {

src/java/org/jivesoftware/openfire/sasl/SaslServerPlainImpl.java

@@ -115,8 +115,14 @@ public class SaslServerPlainImpl implements SaslServer {
                     vpcb.clearPassword();
                     AuthorizeCallback acb = new AuthorizeCallback(principal,username);
                     cbh.handle(new Callback[]{acb});
+                    if(acb.isAuthorized()) {
                         username = acb.getAuthorizationID();
                         completed = true;
+                    } else {
+                        completed = true;
+                        username = null;
+                        throw new SaslException("PLAIN: user not authorized: "+principal);
+                    }
                 } else {
                     throw new SaslException("PLAIN: user not authorized: "+principal);
                 }

src/java/org/jivesoftware/openfire/user/DefaultUserProvider.java

@@ -57,6 +57,14 @@ public class DefaultUserProvider implements UserProvider {
             "UPDATE jiveUser SET modificationDate=? WHERE username=?";
 
     public User loadUser(String username) throws UserNotFoundException {
+        String userDomain = JiveGlobals.getProperty("xmpp.domain");
+        if(username.contains("@")) {
+            userDomain = username.substring((username.lastIndexOf("@")+1));
+            username = username.substring(0,username.lastIndexOf("@"));
+        }
+        if(!userDomain.equals(JiveGlobals.getProperty("xmpp.domain"))) {
+            throw new UserNotFoundException("Unknown domain: "+userDomain);
+        }
         Connection con = null;
         PreparedStatement pstmt = null;
         ResultSet rs = null;

src/java/org/jivesoftware/openfire/user/JDBCUserProvider.java

@@ -97,6 +97,14 @@ public class JDBCUserProvider implements UserProvider {
 	}
 
 	public User loadUser(String username) throws UserNotFoundException {
+        String userDomain = JiveGlobals.getProperty("xmpp.domain");
+        if(username.contains("@")) {
+            userDomain = username.substring((username.lastIndexOf("@")+1));
+            username = username.substring(0,username.lastIndexOf("@"));
+        }
+        if(!userDomain.equals(JiveGlobals.getProperty("xmpp.domain"))) {
+            throw new UserNotFoundException("Unknown domain: "+userDomain);
+        }
 		Connection con = null;
 		PreparedStatement pstmt = null;
 		ResultSet rs = null;