Skip to content

O
Openfire
Commit 5dbb9cc0 authored by Gaston Dombiak's avatar Gaston Dombiak Committed by gato
Browse files
Options

Added support for EXTERNAL SASL for s2s. JM-396 

git-svn-id: http://svn.igniterealtime.org/svn/repos/messenger/trunk@2864 b35dd754-fafc-0310-a699-88a17e54d16e
parent 524afcf3
Hide whitespace changes
Inline Side-by-side
Showing with 44 additions and 2 deletions
src/java/org/jivesoftware/messenger/net/SASLAuthentication.java
View file @ 5dbb9cc0
......@@ -17,6 +17,7 @@ import org.dom4j.io.XPPPacketReader;
import org.jivesoftware.messenger.ClientSession;
import org.jivesoftware.messenger.Session;
import org.jivesoftware.messenger.XMPPServer;
import org.jivesoftware.messenger.server.IncomingServerSession;
import org.jivesoftware.messenger.user.UserManager;
import org.jivesoftware.messenger.auth.AuthFactory;
import org.jivesoftware.messenger.auth.AuthToken;
......@@ -24,6 +25,7 @@ import org.jivesoftware.messenger.auth.UnauthorizedException;
import org.jivesoftware.util.Log;
import org.jivesoftware.util.StringUtils;
import org.xmlpull.v1.XmlPullParserException;
import org.xmpp.packet.JID;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
......@@ -114,8 +116,8 @@ public class SASLAuthentication {
if (XMPPServer.getInstance().getIQAuthHandler().isAllowAnonymous()) {
sb.append("<mechanism>ANONYMOUS</mechanism>");
}
if (session.getConnection().isSecure()) {
//sb.append("<mechanism>EXTERNAL</mechanism>");
if (session.getConnection().isSecure() && session instanceof IncomingServerSession) {
sb.append("<mechanism>EXTERNAL</mechanism>");
}
sb.append("</mechanisms>");
return sb.toString();
......@@ -141,6 +143,10 @@ public class SASLAuthentication {
success = doAnonymousAuthentication();
isComplete = true;
}
else if (mechanism.equalsIgnoreCase("EXTERNAL")) {
success = doExternalAuthentication(doc);
isComplete = true;
}
else {
// The selected SASL mechanism requires the server to send a challenge
// to the client
......@@ -252,6 +258,34 @@ public class SASLAuthentication {
}
}
private boolean doExternalAuthentication(Element doc) throws DocumentException, IOException,
XmlPullParserException {
// Only accept EXTERNAL SASL for s2s
if (!(session instanceof IncomingServerSession)) {
return false;
}
String hostname = doc.getTextTrim();
if (hostname != null && hostname.length() > 0) {
// TODO Check that the hostname matches the one provided in the certificate
authenticationSuccessful(StringUtils.decodeBase64(hostname));
return true;
}
else {
// No hostname was provided so send a challenge to get it
sendChallenge(new byte[0]);
// Get the next answer since we are not done yet
doc = reader.parseDocument().getRootElement();
if (doc != null && doc.getTextTrim().length() > 0) {
authenticationSuccessful(StringUtils.decodeBase64(doc.getTextTrim()));
return true;
}
else {
authenticationFailed();
return false;
}
}
}
private void sendChallenge(byte[] challenge) {
StringBuilder reply = new StringBuilder();
reply.append(
......@@ -269,6 +303,14 @@ public class SASLAuthentication {
if (session instanceof ClientSession) {
((ClientSession) session).setAuthToken(new AuthToken(username));
}
else if (session instanceof IncomingServerSession) {
String hostname = username;
// Set the first validated domain as the address of the session
session.setAddress(new JID(null, hostname, null));
// Add the validated domain as a valid domain. The remote server can
// now send packets from this address
((IncomingServerSession) session).addValidatedDomain(hostname);
}
}
private void authenticationFailed() {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Technounit-GROUP 2023