Commit 667cd414 authored by Guus der Kinderen's avatar Guus der Kinderen

OF-1097: jabber:iq:auth / XEP-0078 disabled by default

Non-SASL authentication was obsoleted a long time ago. Openfire should not
enable it by default.

This commit moves the related implementation from the core Openfire code
into a plugin.
parent a0cbf5f4
...@@ -444,6 +444,16 @@ public class IQRouter extends BasicModule { ...@@ -444,6 +444,16 @@ public class IQRouter extends BasicModule {
routingTable.routePacket(reply.getTo(), reply, true); routingTable.routePacket(reply.getTo(), reply, true);
} }
/**
* Determines if this instance has support (formally: has a IQ Handler) for the provided namespace.
*
* @param namespace Identifier of functionality (cannot be null)
* @return true if the functionality identified by the namespace is supported, otherwise false.
*/
public boolean supports( String namespace ) {
return getHandler( namespace ) != null;
}
private IQHandler getHandler(String namespace) { private IQHandler getHandler(String namespace) {
IQHandler handler = namespace2Handlers.get(namespace); IQHandler handler = namespace2Handlers.get(namespace);
if (handler == null) { if (handler == null) {
......
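Review bot: The Javadoc on the new `supports` method states the namespace "cannot be null", but nothing enforces that: the argument goes straight into `getHandler`, which looks it up in `namespace2Handlers`, and whether a null key is tolerated there depends on the map implementation, which is outside the hunk. Either validate up front with `Objects.requireNonNull(namespace, "namespace");` (adding the `java.util.Objects` import) or drop the "cannot be null" wording so the doc matches what the code actually guarantees. The method also puts spaces inside the parentheses (`supports( String namespace )`, `getHandler( namespace )`) while the adjacent `getHandler(String namespace)` does not; follow the file's existing style.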
...@@ -504,7 +504,6 @@ public class XMPPServer { ...@@ -504,7 +504,6 @@ public class XMPPServer {
// Load standard modules // Load standard modules
loadModule(IQBindHandler.class.getName()); loadModule(IQBindHandler.class.getName());
loadModule(IQSessionEstablishmentHandler.class.getName()); loadModule(IQSessionEstablishmentHandler.class.getName());
loadModule(IQAuthHandler.class.getName());
loadModule(IQPingHandler.class.getName()); loadModule(IQPingHandler.class.getName());
loadModule(IQPrivateHandler.class.getName()); loadModule(IQPrivateHandler.class.getName());
loadModule(IQRegisterHandler.class.getName()); loadModule(IQRegisterHandler.class.getName());
...@@ -1062,17 +1061,6 @@ public class XMPPServer { ...@@ -1062,17 +1061,6 @@ public class XMPPServer {
return (IQRegisterHandler) modules.get(IQRegisterHandler.class); return (IQRegisterHandler) modules.get(IQRegisterHandler.class);
} }
/**
* Returns the <code>IQAuthHandler</code> registered with this server. The
* <code>IQAuthHandler</code> was registered with the server as a module while starting up
* the server.
*
* @return the <code>IQAuthHandler</code> registered with this server.
*/
public IQAuthHandler getIQAuthHandler() {
return (IQAuthHandler) modules.get(IQAuthHandler.class);
}
/** /**
* Returns the <code>IQPEPHandler</code> registered with this server. The * Returns the <code>IQPEPHandler</code> registered with this server. The
* <code>IQPEPHandler</code> was registered with the server as a module while starting up * <code>IQPEPHandler</code> was registered with the server as a module while starting up
......
/**
* $RCSfile$
* $Revision: 128 $
* $Date: 2004-10-25 20:42:00 -0300 (Mon, 25 Oct 2004) $
*
* Copyright (C) 2004-2008 Jive Software. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.jivesoftware.openfire.handler;
import org.jivesoftware.openfire.auth.UnauthorizedException;
/**
* Information for controlling the authentication options for the server.
*
* @author Iain Shigeoka
*/
public interface IQAuthInfo {
/**
* Returns true if anonymous authentication is allowed.
*
* @return true if anonymous logins are allowed
*/
public boolean isAnonymousAllowed();
/**
* Changes the server's support for anonymous authentication.
*
* @param isAnonymous True if anonymous logins should be allowed.
* @throws UnauthorizedException If you don't have permission to adjust this setting
*/
public void setAllowAnonymous(boolean isAnonymous) throws UnauthorizedException;
}
\ No newline at end of file
...@@ -883,7 +883,9 @@ public class LocalClientSession extends LocalSession implements ClientSession { ...@@ -883,7 +883,9 @@ public class LocalClientSession extends LocalSession implements ClientSession {
if (getAuthToken() == null) { if (getAuthToken() == null) {
// Advertise that the server supports Non-SASL Authentication // Advertise that the server supports Non-SASL Authentication
sb.append("<auth xmlns=\"http://jabber.org/features/iq-auth\"/>"); if ( XMPPServer.getInstance().getIQRouter().supports( "jabber:iq:auth" ) ) {
sb.append("<auth xmlns=\"http://jabber.org/features/iq-auth\"/>");
}
// Advertise that the server supports In-Band Registration // Advertise that the server supports In-Band Registration
if (XMPPServer.getInstance().getIQRegisterHandler().isInbandRegEnabled()) { if (XMPPServer.getInstance().getIQRegisterHandler().isInbandRegEnabled()) {
sb.append("<register xmlns=\"http://jabber.org/features/iq-register\"/>"); sb.append("<register xmlns=\"http://jabber.org/features/iq-register\"/>");
......
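Review bot: The namespace `"jabber:iq:auth"` is a bare string literal here, and the same literal is repeated in LocalConnectionMultiplexerSession and XmppWebSocket in this commit; because `supports` simply returns false for an unknown namespace, a typo in any one of the three would silently stop the `<auth/>` feature from being advertised even though the handler is registered. Since the handler itself now lives in a plugin, core code cannot reference a constant on IQAuthHandler, so a shared constant on IQRouter, e.g. `public static final String IQ_AUTH_NAMESPACE = "jabber:iq:auth";`, used by all three call sites would keep them in step. The enclosing feature-building method starts and ends outside the hunk.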
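--- a/LocalConnectionMultiplexerSession.java
+++ b/LocalConnectionMultiplexerSession.java
@@ -279,7 +279,9 @@ public class LocalConnectionMultiplexerSession extends LocalSession implements C
 comp.addElement("method").setText("zlib");
 }
 // Add info about Non-SASL authentication
-child.addElement("auth", "http://jabber.org/features/iq-auth");
+if (XMPPServer.getInstance().getIQRouter().supports("jabber:iq:auth")) {
+child.addElement("auth", "http://jabber.org/features/iq-auth");
+}
 // Add info about In-Band Registration
 if (XMPPServer.getInstance().getIQRegisterHandler().isInbandRegEnabled()) {
 child.addElement("register", "http://jabber.org/features/iq-register");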
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Non-SASL Authentication Plugin Changelog</title>
<style type="text/css">
BODY {
font-size : 100%;
}
BODY, TD, TH {
font-family : tahoma, verdana, arial, helvetica, sans-serif;
font-size : 0.8em;
}
H2 {
font-size : 10pt;
font-weight : bold;
padding-left : 1em;
}
A:hover {
text-decoration : none;
}
H1 {
font-family : tahoma, arial, helvetica, sans-serif;
font-size : 1.4em;
font-weight: bold;
border-bottom : 1px #ccc solid;
padding-bottom : 2px;
}
TT {
font-family : courier new;
font-weight : bold;
color : #060;
}
PRE {
font-family : courier new;
font-size : 100%;
}
</style>
</head>
<body>
<h1>
Non-SASL Authentication Plugin Changelog
</h1>
<p><b>1.0.0</b> -- March 3, 2016</p>
<ul>
<li>[<a href='http://www.igniterealtime.org/issues/browse/'></a>] - Initial release (moved code from Openfire core to new plugin).</li>
</ul>
</body>
</html>
<?xml version="1.0" encoding="UTF-8"?>
<plugin>
<class>org.jivesoftware.openfire.plugin.NonSaslAuthenticationPlugin</class>
<name>Non-SASL Authentication</name>
<description>This plugin implements a the (obsolete!) XEP-0078 specification for authentication using the jabber:iq:auth namespace.</description>
<author>Guus der Kinderen</author>
<version>1.0.0</version>
<date>3/3/2016</date>
<minServerVersion>4.1.0 Alpha</minServerVersion>
</plugin>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Non-SASL Authentication Plugin Readme</title>
<style type="text/css">
BODY {
font-size : 100%;
}
BODY {
font-family : tahoma, verdana, arial, helvetica, sans-serif;
font-size : 0.8em;
}
H2 {
font-size : 10pt;
font-weight : bold;
}
A:hover {
text-decoration : none;
}
H1 {
font-family : tahoma, arial, helvetica, sans-serif;
font-size : 1.4em;
font-weight: bold;
border-bottom : 1px #ccc solid;
padding-bottom : 2px;
}
</style>
</head>
<body>
<h1>
Non-SASL Authentication Plugin Readme
</h1>
<h2>Overview</h2>
<p>
The Non-SASL Authentication plugin provides a an implementation for authentication with Jabber servers and
services using the jabber:iq:auth namespace.simple, as specified in
<a href="http://xmpp.org/extensions/xep-0078.html">XEP-0078: Non-SASL Authentication</a>.
</p>
<p>
Note Well: The protocol implemented by this plugin has been superseded in favor of SASL authentication as specified
by the XMPP standards in RFC 3920 / RFC 6120, and is now obsolete. This plugin should not be installed in Openfire,
unless there is a pressing need for backwards compatibility with regards to XEP-0078.
</p>
<p>
In versions of Openfire prior to (and excluding) 4.1.0 the functionality provided in this plugin was part of the
base functionality of Openfire itself. Years after SASL was introduced as the preferred method of authentication in
XMPP (and the corresponding formal obsoletion of non-SASL authentication in 2008), support for Non-SASL
Authentication was dropped from Openfire in version 4.1.0. For environments where backwards compatibility is
required, this plugin can be used to restore Non-SASL Authentication functionality in Openfire.
</p>
<h2>Installation</h2>
<p>
Copy nonSaslAuthentication.jar into the plugins directory of your Openfire installation. The plugin will then be
automatically deployed. To upgrade to a new version, copy the new nonSaslAuthentication.jar file over the existing
file.
</p>
</body>
</html>
...@@ -23,7 +23,6 @@ package org.jivesoftware.openfire.handler; ...@@ -23,7 +23,6 @@ package org.jivesoftware.openfire.handler;
import gnu.inet.encoding.Stringprep; import gnu.inet.encoding.Stringprep;
import gnu.inet.encoding.StringprepException; import gnu.inet.encoding.StringprepException;
import java.net.UnknownHostException;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
...@@ -74,12 +73,10 @@ import org.xmpp.packet.StreamError; ...@@ -74,12 +73,10 @@ import org.xmpp.packet.StreamError;
* *
* @author Iain Shigeoka * @author Iain Shigeoka
*/ */
public class IQAuthHandler extends IQHandler implements IQAuthInfo { public class IQAuthHandler extends IQHandler {
private static final Logger Log = LoggerFactory.getLogger(IQAuthHandler.class); private static final Logger Log = LoggerFactory.getLogger(IQAuthHandler.class);
private boolean anonymousAllowed;
private Element probeResponse; private Element probeResponse;
private IQHandlerInfo info; private IQHandlerInfo info;
...@@ -104,7 +101,6 @@ public class IQAuthHandler extends IQHandler implements IQAuthInfo { ...@@ -104,7 +101,6 @@ public class IQAuthHandler extends IQHandler implements IQAuthInfo {
probeResponse.addElement("digest"); probeResponse.addElement("digest");
} }
probeResponse.addElement("resource"); probeResponse.addElement("resource");
anonymousAllowed = JiveGlobals.getBooleanProperty("xmpp.auth.anonymous");
} }
@Override @Override
...@@ -328,7 +324,7 @@ public class IQAuthHandler extends IQHandler implements IQAuthInfo { ...@@ -328,7 +324,7 @@ public class IQAuthHandler extends IQHandler implements IQAuthInfo {
private IQ anonymousLogin(LocalClientSession session, IQ packet) { private IQ anonymousLogin(LocalClientSession session, IQ packet) {
IQ response = IQ.createResultIQ(packet); IQ response = IQ.createResultIQ(packet);
if (anonymousAllowed) { if (JiveGlobals.getBooleanProperty("xmpp.auth.anonymous")) {
// Verify that client can connect from his IP address // Verify that client can connect from his IP address
boolean forbidAccess = !LocalClientSession.isAllowedAnonymous( session.getConnection() ); boolean forbidAccess = !LocalClientSession.isAllowedAnonymous( session.getConnection() );
if (forbidAccess) { if (forbidAccess) {
...@@ -352,17 +348,6 @@ public class IQAuthHandler extends IQHandler implements IQAuthInfo { ...@@ -352,17 +348,6 @@ public class IQAuthHandler extends IQHandler implements IQAuthInfo {
return response; return response;
} }
@Override
public boolean isAnonymousAllowed() {
return anonymousAllowed;
}
@Override
public void setAllowAnonymous(boolean isAnonymous) throws UnauthorizedException {
anonymousAllowed = isAnonymous;
JiveGlobals.setProperty("xmpp.auth.anonymous", Boolean.toString(anonymousAllowed));
}
@Override @Override
public void initialize(XMPPServer server) { public void initialize(XMPPServer server) {
super.initialize(server); super.initialize(server);
......
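Review bot: In the hunk at -328, `anonymousLogin` now reads `"xmpp.auth.anonymous"` directly from JiveGlobals, and the same literal is written and read by the admin JSP elsewhere in this commit, so the two halves of the toggle are coupled only by an untyped string that must be kept identical by hand. A named constant in core, e.g. `public static final String ANONYMOUS_AUTH_PROPERTY = "xmpp.auth.anonymous";` on a core class such as LocalClientSession (which both the plugin and the JSP already depend on), referenced from both places would remove that risk. Reading the property on each attempt rather than caching it at construction presumably means the JSP's `setProperty` now takes effect without a restart; if that is intended it deserves a one-line comment on the `if`. The class Javadoc that ends at the top of the hunk at -74 should also gain a sentence noting that the handler is now provided by the Non-SASL Authentication plugin and is no longer loaded by XMPPServer.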
package org.jivesoftware.openfire.plugin;
import org.jivesoftware.openfire.XMPPServer;
import org.jivesoftware.openfire.container.Plugin;
import org.jivesoftware.openfire.container.PluginManager;
import org.jivesoftware.openfire.handler.IQAuthHandler;
import java.io.File;
/**
* An Openfire plugin that implements the obsolete Non-SASL Authentication plugin as specified in XEP-0078.
*
* @author Guus der Kinderen, guus@goodbytes.nl
* @see <a href="http://xmpp.org/extensions/xep-0078.html">XEP-0078: Non-SASL Authentication</a>
*/
public class NonSaslAuthenticationPlugin implements Plugin
{
private IQAuthHandler iqAuthHandler;
@Override
public void initializePlugin( PluginManager manager, File pluginDirectory )
{
iqAuthHandler = new IQAuthHandler();
XMPPServer.getInstance().getIQRouter().addHandler( iqAuthHandler );
}
@Override
public void destroyPlugin()
{
if ( iqAuthHandler != null )
{
XMPPServer.getInstance().getIQRouter().removeHandler( iqAuthHandler );
iqAuthHandler = null;
}
}
}
\ No newline at end of file
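Review bot: `initializePlugin` constructs the handler and registers it with the router, but the module lifecycle that the removed `loadModule(IQAuthHandler.class.getName())` call in XMPPServer used to drive is not reproduced here; in particular `IQAuthHandler.initialize(XMPPServer)`, which this commit keeps, is never called unless `IQRouter.addHandler` does so internally, which I cannot confirm from this page. If it does not, `iqAuthHandler.initialize( XMPPServer.getInstance() );` belongs before `addHandler`, with the module's teardown counterpart in `destroyPlugin` before `removeHandler`. The field should be documented, e.g. `/** Handler registered with the IQ router for the plugin's lifetime; null once destroyed. */` above `iqAuthHandler`. Finally, the class Javadoc says the plugin "implements the obsolete Non-SASL Authentication plugin" where "protocol" is meant.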
...@@ -44,6 +44,13 @@ ...@@ -44,6 +44,13 @@
Openfire WebSocket Plugin Changelog Openfire WebSocket Plugin Changelog
</h1> </h1>
<p><b>1.1.4</b> -- March 3, 2016</p>
<ul>
<li>[<a href='https://igniterealtime.org/issues/browse/OF-1097'></a>] - Non-SASL Authentication support should be optional.</li>
<li>Minimum server requirement: 4.1.0 Alpha</li>
</ul>
<p><b>1.1.3</b> -- January 6, 2016</p> <p><b>1.1.3</b> -- January 6, 2016</p>
<ul> <ul>
......
...@@ -8,8 +8,8 @@ ...@@ -8,8 +8,8 @@
<name>Openfire WebSocket</name> <name>Openfire WebSocket</name>
<description>Provides WebSocket support for Openfire.</description> <description>Provides WebSocket support for Openfire.</description>
<author>Tom Evans</author> <author>Tom Evans</author>
<version>1.1.3</version> <version>1.1.4</version>
<date>01/06/2016</date> <date>03/03/2016</date>
<url>https://tools.ietf.org/html/rfc7395</url> <url>https://tools.ietf.org/html/rfc7395</url>
<minServerVersion>4.0.0 Alpha</minServerVersion> <minServerVersion>4.1.0 Alpha</minServerVersion>
</plugin> </plugin>
\ No newline at end of file
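--- a/XmppWebSocket.java
+++ b/XmppWebSocket.java
@@ -298,7 +298,9 @@ public class XmppWebSocket {
 if (saslStatus == null) {
 // Include available SASL Mechanisms
 sb.append(SASLAuthentication.getSASLMechanisms(xmppSession));
-sb.append("<auth xmlns='http://jabber.org/features/iq-auth'/>");
+if (XMPPServer.getInstance().getIQRouter().supports("jabber:iq:auth")) {
+sb.append("<auth xmlns='http://jabber.org/features/iq-auth'/>");
+}
 } else if (saslStatus.equals(Status.authenticated)) {
 // Include Stream features
 sb.append(String.format("<bind xmlns='%s'/>", "urn:ietf:params:xml:ns:xmpp-bind"));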
...@@ -18,7 +18,6 @@ ...@@ -18,7 +18,6 @@
--%> --%>
<%@ page import="org.jivesoftware.openfire.XMPPServer, <%@ page import="org.jivesoftware.openfire.XMPPServer,
org.jivesoftware.openfire.handler.IQAuthHandler,
org.jivesoftware.openfire.handler.IQRegisterHandler, org.jivesoftware.openfire.handler.IQRegisterHandler,
org.jivesoftware.openfire.session.LocalClientSession, org.jivesoftware.openfire.session.LocalClientSession,
org.jivesoftware.util.ParamUtils" org.jivesoftware.util.ParamUtils"
...@@ -26,6 +25,7 @@ ...@@ -26,6 +25,7 @@
%> %>
<%@ page import="java.util.regex.Pattern" %> <%@ page import="java.util.regex.Pattern" %>
<%@ page import="java.util.*" %> <%@ page import="java.util.*" %>
<%@ page import="org.jivesoftware.util.JiveGlobals" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %> <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %> <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
...@@ -51,12 +51,11 @@ ...@@ -51,12 +51,11 @@
String blockedIPs = request.getParameter("blockedIPs"); String blockedIPs = request.getParameter("blockedIPs");
// Get an IQRegisterHandler: // Get an IQRegisterHandler:
IQRegisterHandler regHandler = XMPPServer.getInstance().getIQRegisterHandler(); IQRegisterHandler regHandler = XMPPServer.getInstance().getIQRegisterHandler();
IQAuthHandler authHandler = XMPPServer.getInstance().getIQAuthHandler();
if (save) { if (save) {
regHandler.setInbandRegEnabled(inbandEnabled); regHandler.setInbandRegEnabled(inbandEnabled);
regHandler.setCanChangePassword(canChangePassword); regHandler.setCanChangePassword(canChangePassword);
authHandler.setAllowAnonymous(anonLogin); JiveGlobals.setProperty("xmpp.auth.anonymous", Boolean.toString(anonLogin));
// Build a Map with the allowed IP addresses // Build a Map with the allowed IP addresses
Pattern pattern = Pattern.compile("(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.)" + Pattern pattern = Pattern.compile("(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.)" +
...@@ -100,7 +99,7 @@ ...@@ -100,7 +99,7 @@
// Reset the value of page vars: // Reset the value of page vars:
inbandEnabled = regHandler.isInbandRegEnabled(); inbandEnabled = regHandler.isInbandRegEnabled();
canChangePassword = regHandler.canChangePassword(); canChangePassword = regHandler.canChangePassword();
anonLogin = authHandler.isAnonymousAllowed(); anonLogin = JiveGlobals.getBooleanProperty( "xmpp.auth.anonymous" );
// Encode the allowed IP addresses // Encode the allowed IP addresses
StringBuilder buf = new StringBuilder(); StringBuilder buf = new StringBuilder();
Iterator<String> iter = org.jivesoftware.openfire.session.LocalClientSession.getWhitelistedIPs().iterator(); Iterator<String> iter = org.jivesoftware.openfire.session.LocalClientSession.getWhitelistedIPs().iterator();
......
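Review bot: The new `JiveGlobals` import in the hunk at -26 is appended as a separate `<%@ page import="org.jivesoftware.util.JiveGlobals" %>` directive even though the hunk at -18 edits the page's existing multi-line import list, which is where the other Openfire classes are declared; moving it there keeps the imports in one place. Within the same file the property is read as `JiveGlobals.getBooleanProperty( "xmpp.auth.anonymous" )` and written as `JiveGlobals.setProperty("xmpp.auth.anonymous", ...)`, so the spacing inside the parentheses should be made consistent. The scriptlet block containing these lines starts before the hunk at -51 and ends after the hunk at -100.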