Fixes PLAIN auth for User providers where the password is not obtainable, but

is verifiable. git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@8669 b35dd754-fafc-0310-a699-88a17e54d16e

Fixes PLAIN auth for User providers where the password is not obtainable, but
is verifiable. git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@8669 b35dd754-fafc-0310-a699-88a17e54d16e
80dea18a · Jay Kline · jay · e0c078a5 · 80dea18a · 80dea18a
Commit 80dea18a authored Jun 29, 2007 by Jay Kline Committed by jay Jun 29, 2007
5 changed files
--- a/src/java/org/jivesoftware/openfire/net/XMPPCallbackHandler.java
+++ b/src/java/org/jivesoftware/openfire/net/XMPPCallbackHandler.java
@@ -12,8 +12,11 @@ package org.jivesoftware.openfire.net;
 import org.jivesoftware.util.Log;
 import org.jivesoftware.openfire.auth.AuthFactory;
+import org.jivesoftware.openfire.auth.AuthToken;
 import org.jivesoftware.openfire.auth.AuthorizationManager;
 import org.jivesoftware.openfire.user.UserNotFoundException;
+import org.jivesoftware.openfire.auth.UnauthorizedException;
+import org.jivesoftware.openfire.sasl.VerifyPasswordCallback;
 import javax.security.auth.callback.*;
 import javax.security.sasl.AuthorizeCallback;
@@ -40,6 +43,7 @@ public class XMPPCallbackHandler implements CallbackHandler {
    public void handle(final Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        String realm;
        String name = null;
@@ -70,6 +74,20 @@ public class XMPPCallbackHandler implements CallbackHandler {
                catch (UserNotFoundException e) {
                    throw new IOException(e.toString());
                }
+                catch (UnsupportedOperationException uoe) {
+                    throw new IOException(uoe.toString());
+                }
+            }
+            else if (callbacks[i] instanceof VerifyPasswordCallback) {
+                VerifyPasswordCallback vpcb = (VerifyPasswordCallback) callbacks[i];
+                try {
+                    AuthToken at = AuthFactory.authenticate(name,new String(vpcb.getPassword()));
+                    vpcb.setVerified( (at != null) );
+                }
+                catch (UnauthorizedException e) {
+                    vpcb.setVerified(false);
+                }
            }
            else if (callbacks[i] instanceof AuthorizeCallback) {
                Log.debug("XMPPCallbackHandler: AuthorizeCallback");

--- a/src/java/org/jivesoftware/openfire/sasl/SaslProvider.java
+++ b/src/java/org/jivesoftware/openfire/sasl/SaslProvider.java
+/**
+ * $RCSfile$
+ * $Revision: $
+ * $Date: $
+ *
+ * Copyright (C) 2004 Jive Software. All rights reserved.
+ *
+ * This software is published under the terms of the GNU Public License (GPL),
+ * a copy of which is included in this distribution.
+ */
 package org.jivesoftware.openfire.sasl;
 import java.security.Provider;
+/**
+ * This is the Provider object providing the SaslServerFactory written by Jive Software. 
+ *
+ * @see SaslServerFactoryImpl
+ */
 public class SaslProvider extends Provider {
+    /**
+     * Constructs a the JiveSoftware SASL provider.
+     */
    public SaslProvider() {
        super("JiveSoftware", 1.0, "JiveSoftware SASL provider v1.0, implementing server mechanisms for: PLAIN");
        put("SaslServerFactory.PLAIN", "org.jivesoftware.openfire.sasl.SaslServerFactoryImpl");

--- a/src/java/org/jivesoftware/openfire/sasl/SaslServerFactoryImpl.java
+++ b/src/java/org/jivesoftware/openfire/sasl/SaslServerFactoryImpl.java
+/**
+ * $RCSfile$
+ * $Revision: $
+ * $Date: $
+ *
+ * Copyright (C) 2004 Jive Software. All rights reserved.
+ *
+ * This software is published under the terms of the GNU Public License (GPL),
+ * a copy of which is included in this distribution.
+ */
 package org.jivesoftware.openfire.sasl;
 import java.util.Map;
@@ -7,6 +18,12 @@ import javax.security.sasl.SaslServer;
 import javax.security.sasl.SaslException;
 import com.sun.security.sasl.util.PolicyUtils;
+/**
+ * Server Factory for PLAIN.
+ *
+ * @author Jay Kline
+ */
 public class SaslServerFactoryImpl implements SaslServerFactory {
    private static final String myMechs[] = { "PLAIN" };
@@ -16,6 +33,17 @@ public class SaslServerFactoryImpl implements SaslServerFactory {
    public SaslServerFactoryImpl() {
    }
+    /**
+     * Creates a <code>SaslServer</code> implementing the PLAIN mechanism using the parameters supplied.
+     *
+     * @param mechanism The non-null IANA-registered named of a SASL mechanism. Must be "PLAIN" for this object.
+     * @param protocol The non-null string name of the protocol for which the authentication is being performed (e.g., "ldap").
+     * @param serverName The non-null fully qualified host name of the server to authenticate to.
+     * @param props The possibly null set of properties used to select the SASL mechanism and to configure the authentication exchange of the selected mechanism. 
+     * @param cbh The possibly null callback handler to used by the SASL mechanisms to get further information from the application/library to complete the authentication. 
+     * @return A possibly null SaslServer created using the parameters supplied. If null, this factory cannot produce a SaslServer  using the parameters supplied.
+     * @throws SaslException If cannot create a SaslServer because of an error.
+     */
    public SaslServer createSaslServer(String mechanism, String protocol, String serverName, Map<String, ?> props, CallbackHandler cbh) throws SaslException {
        if (mechanism.equals(myMechs[PLAIN]) && PolicyUtils.checkPolicy(mechPolicies[PLAIN], props)) {
@@ -27,6 +55,12 @@ public class SaslServerFactoryImpl implements SaslServerFactory {
        return null;
    }
+    /**
+     * Returns an array of names of mechanisms that match the specified mechanism selection policies.
+     * @param props The possibly null set of properties used to specify the security policy of the SASL mechanisms.
+     * @return A non-null array containing a IANA-registered SASL mechanism names.
+     */
    public String[] getMechanismNames(Map<String, ?> props) {
        return PolicyUtils.filterMechs(myMechs, mechPolicies, props);
    }

--- a/src/java/org/jivesoftware/openfire/sasl/SaslServerPlainImpl.java
+++ b/src/java/org/jivesoftware/openfire/sasl/SaslServerPlainImpl.java
+/**
+ * $RCSfile$
+ * $Revision: $
+ * $Date: $
+ *
+ * Copyright (C) 2004 Jive Software. All rights reserved.
+ *
+ * This software is published under the terms of the GNU Public License (GPL),
+ * a copy of which is included in this distribution.
+ */
 package org.jivesoftware.openfire.sasl;
@@ -16,6 +26,18 @@ import javax.security.auth.callback.PasswordCallback;
 import javax.security.auth.callback.NameCallback;
 import javax.security.auth.callback.UnsupportedCallbackException;
+/**
+ * Implements the PLAIN server-side mechanism.
+ * (<a href="http://www.ietf.org/rfc/rfc4616.txt">RFC 4616</a>)<br />
+ * <p>
+ * client ----- {authzid, authcid, password} -----> server
+ * </p>
+ * Each paramater sent to the server is seperated by a null character
+ * The authorization ID (authzid) may be empty.
+ *
+ * @author Jay Kline
+ */
 public class SaslServerPlainImpl implements SaslServer {
    private String principal;
@@ -84,16 +106,11 @@ public class SaslServerPlainImpl implements SaslServer {
                }
                password = tokens.nextToken();
                NameCallback ncb = new NameCallback("PLAIN authentication ID: ",principal);
-                PasswordCallback pcb = new PasswordCallback("PLAIN password: ",false);
+                VerifyPasswordCallback vpcb = new VerifyPasswordCallback(password.toCharArray());
-                cbh.handle(new Callback[]{ncb,pcb});
+                cbh.handle(new Callback[]{ncb,vpcb});
-                char correctPassword[] = pcb.getPassword();
-                if (correctPassword == null || correctPassword.length == 0) {
+                if (vpcb.getVerified()) {
-                    aborted = true;
+                    vpcb.clearPassword();
-                    throw new SaslException("PLAIN: username not found: "+principal);
-                }
-                pcb.clearPassword();
-                String s_correctPassword = new String(correctPassword);
-                if (s_correctPassword.equals(password) ) {
                    AuthorizeCallback acb = new AuthorizeCallback(principal,username);
                    cbh.handle(new Callback[]{acb});
                    username = acb.getAuthorizationID();

--- a/src/java/org/jivesoftware/openfire/sasl/VerifyPasswordCallback.java
+++ b/src/java/org/jivesoftware/openfire/sasl/VerifyPasswordCallback.java
+/**
+ * $RCSfile$
+ * $Revision: $
+ * $Date: $
+ *
+ * Copyright (C) 2004 Jive Software. All rights reserved.
+ *
+ * This software is published under the terms of the GNU Public License (GPL),
+ * a copy of which is included in this distribution.
+ */
+package org.jivesoftware.openfire.sasl;
+import javax.security.auth.callback.Callback;
+import java.io.Serializable;
+/**
+ * This callback isused by SaslServer to determine if a password supplied by a 
+ * client is verified.
+ * Under most circumstances the PasswordCallback should be used instead, but its
+ * use requires the underlying sercurity services have access to the stored password
+ * to perform a comparison.
+ * The security service provider instantiate and pass a VerifyPasswordCallback to the
+ * handle method of a CallbackHandler to verify password information.
+ *
+ * @see javax.security.auth.callback.PasswordCallback
+ * @see javax.security.auth.callback.CallbackHandler
+ * @author Jay Kline
+ */
+public class VerifyPasswordCallback implements Callback, Serializable {
+    private static final long serialVersionUID = -6393402725550707836L;
+    private char[] password;
+    private boolean verified;
+    /**
+     * Construct a <code>VerifyPasswordCallback</code>.
+     * @param password the password to verify.
+     */
+    public VerifyPasswordCallback(char[] password) {
+        this.password = (password == null ? null : (char[])password.clone());
+        this.verified = false;
+    }
+    /**
+     * Get the retrieved password.
+     * @return the retrieved password, which may be null.
+     */
+    public char[] getPassword() {
+        return (password == null ? null : (char[])password.clone());
+    }
+    /**
+     * Clear the retrieved password.
+     */
+    public void clearPassword() {
+        if (password != null) {
+            for (int i = 0; i < password.length; i++) {
+                password[i] = ' ';
+            }
+            password = null;
+        }
+    }
+    /**
+     * Indicate if this password is verified.
+     * @param verified true if the password is verified; false otherwise
+     */
+    public void setVerified(boolean verified) {
+        this.verified = verified;
+    }
+    /**
+     * Determines wether the password is verified.
+     * @return true if the password is verified; false otherwise
+     */
+    public boolean getVerified() {
+        return verified;
+    }
+}
\ No newline at end of file