Commit 7d4fb62e authored by Dave Cridland's avatar Dave Cridland

Add Proxy Authorization to DefaultAuthorizationPolicy

If the property sasl.proxyAuth is set to true, then administrative users can
authorize as any user on the system. This is convenient for testing, and for
manipulating other users' accounts.

An admin can, of course, change passwords anyway, so this doesn't reduce
security much, but is off by default in any case.

Testing is problematic since I can't actually find a client which allows this.
parent 9596d89a
...@@ -23,6 +23,7 @@ package org.jivesoftware.openfire.auth; ...@@ -23,6 +23,7 @@ package org.jivesoftware.openfire.auth;
import java.util.StringTokenizer; import java.util.StringTokenizer;
import java.util.Vector; import java.util.Vector;
import org.jivesoftware.openfire.admin.AdminManager;
import org.jivesoftware.util.JiveGlobals; import org.jivesoftware.util.JiveGlobals;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
...@@ -62,9 +63,11 @@ public class DefaultAuthorizationPolicy implements AuthorizationPolicy { ...@@ -62,9 +63,11 @@ public class DefaultAuthorizationPolicy implements AuthorizationPolicy {
private static final Logger Log = LoggerFactory.getLogger(DefaultAuthorizationPolicy.class); private static final Logger Log = LoggerFactory.getLogger(DefaultAuthorizationPolicy.class);
private Vector<String> approvedRealms; private Vector<String> approvedRealms;
private boolean proxyAuth;
public DefaultAuthorizationPolicy() { public DefaultAuthorizationPolicy() {
approvedRealms = new Vector<String>(); approvedRealms = new Vector<String>();
proxyAuth = false;
String realmList = JiveGlobals.getProperty("sasl.approvedRealms"); String realmList = JiveGlobals.getProperty("sasl.approvedRealms");
if(realmList != null) { if(realmList != null) {
...@@ -73,6 +76,7 @@ public class DefaultAuthorizationPolicy implements AuthorizationPolicy { ...@@ -73,6 +76,7 @@ public class DefaultAuthorizationPolicy implements AuthorizationPolicy {
approvedRealms.add(st.nextToken()); approvedRealms.add(st.nextToken());
} }
} }
proxyAuth = JiveGlobals.getBooleanProperty("sasl.proxyAuth", false);
} }
/** /**
...@@ -100,18 +104,20 @@ public class DefaultAuthorizationPolicy implements AuthorizationPolicy { ...@@ -100,18 +104,20 @@ public class DefaultAuthorizationPolicy implements AuthorizationPolicy {
authenRealm = authenID.substring((authenID.lastIndexOf("@")+1)); authenRealm = authenID.substring((authenID.lastIndexOf("@")+1));
} }
if(!userUser.equals(authenUser)) { if (!proxyAuth || !AdminManager.getInstance().isUserAdmin(authenUser, true)) {
//for this policy the user portion of both must match, so lets short circut here if we can if(!userUser.equals(authenUser)) {
if(JiveGlobals.getBooleanProperty("xmpp.auth.ignorecase",true)) { //for this policy the user portion of both must match, so lets short circut here if we can
if(!userUser.toLowerCase().equals(authenUser.toLowerCase())){ if(JiveGlobals.getBooleanProperty("xmpp.auth.ignorecase",true)) {
if (Log.isDebugEnabled()) { if(!userUser.toLowerCase().equals(authenUser.toLowerCase())){
Log.debug("DefaultAuthorizationPolicy: usernames don't match ("+userUser+" "+authenUser+")"); if (Log.isDebugEnabled()) {
Log.debug("DefaultAuthorizationPolicy: usernames don't match ("+userUser+" "+authenUser+")");
}
return false;
} }
} else {
Log.debug("DefaultAuthorizationPolicy: usernames don't match ("+userUser+" "+authenUser+")");
return false; return false;
} }
} else {
Log.debug("DefaultAuthorizationPolicy: usernames don't match ("+userUser+" "+authenUser+")");
return false;
} }
} }
Log.debug("DefaultAuthorizationPolicy: Checking authenID realm"); Log.debug("DefaultAuthorizationPolicy: Checking authenID realm");
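Review bot: The proxy branch on `if (!proxyAuth || !AdminManager.getInstance().isUserAdmin(authenUser, true))` skips the username match without recording that an admin is authorizing as a different user, so a successful impersonation leaves no trace beyond the later realm-check debug line. An admin acting as another user is a privileged action worth an audit entry, e.g. an `else` branch with `Log.info("DefaultAuthorizationPolicy: proxy authorization: " + authenUser + " authorizing as " + userUser);`. The admin check is also made on the bare `authenUser` before the authenID realm is checked (the realm check begins on the last visible line), so admin status is consulted for a name whose realm has not yet been validated; this is probably harmless if the later realm check rejects unapproved realms, but confirm that ordering. If the `true` passed to `isUserAdmin` is AdminManager's allow-admin-if-list-empty fallback, an empty admin list would let a user named `admin` proxy-authorize as anyone; consider passing `false` unless that fallback is intended here. The enclosing method starts and ends outside the hunk.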