Commit 80dea18a authored by Jay Kline's avatar Jay Kline Committed by jay

Fixes PLAIN auth for User providers where the password is not obtainable, but

is verifiable. 


git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@8669 b35dd754-fafc-0310-a699-88a17e54d16e
parent e0c078a5
......@@ -12,8 +12,11 @@ package org.jivesoftware.openfire.net;
import org.jivesoftware.util.Log;
import org.jivesoftware.openfire.auth.AuthFactory;
import org.jivesoftware.openfire.auth.AuthToken;
import org.jivesoftware.openfire.auth.AuthorizationManager;
import org.jivesoftware.openfire.user.UserNotFoundException;
import org.jivesoftware.openfire.auth.UnauthorizedException;
import org.jivesoftware.openfire.sasl.VerifyPasswordCallback;
import javax.security.auth.callback.*;
import javax.security.sasl.AuthorizeCallback;
......@@ -40,6 +43,7 @@ public class XMPPCallbackHandler implements CallbackHandler {
public void handle(final Callback[] callbacks)
throws IOException, UnsupportedCallbackException {
String realm;
String name = null;
......@@ -70,6 +74,20 @@ public class XMPPCallbackHandler implements CallbackHandler {
catch (UserNotFoundException e) {
throw new IOException(e.toString());
}
catch (UnsupportedOperationException uoe) {
throw new IOException(uoe.toString());
}
}
else if (callbacks[i] instanceof VerifyPasswordCallback) {
VerifyPasswordCallback vpcb = (VerifyPasswordCallback) callbacks[i];
try {
AuthToken at = AuthFactory.authenticate(name,new String(vpcb.getPassword()));
vpcb.setVerified( (at != null) );
}
catch (UnauthorizedException e) {
vpcb.setVerified(false);
}
}
else if (callbacks[i] instanceof AuthorizeCallback) {
Log.debug("XMPPCallbackHandler: AuthorizeCallback");
......
/**
* $RCSfile$
* $Revision: $
* $Date: $
*
* Copyright (C) 2004 Jive Software. All rights reserved.
*
* This software is published under the terms of the GNU Public License (GPL),
* a copy of which is included in this distribution.
*/
package org.jivesoftware.openfire.sasl;
import java.security.Provider;
/**
* This is the Provider object providing the SaslServerFactory written by Jive Software.
*
* @see SaslServerFactoryImpl
*/
public class SaslProvider extends Provider {
/**
* Constructs a the JiveSoftware SASL provider.
*/
public SaslProvider() {
super("JiveSoftware", 1.0, "JiveSoftware SASL provider v1.0, implementing server mechanisms for: PLAIN");
put("SaslServerFactory.PLAIN", "org.jivesoftware.openfire.sasl.SaslServerFactoryImpl");
......
/**
* $RCSfile$
* $Revision: $
* $Date: $
*
* Copyright (C) 2004 Jive Software. All rights reserved.
*
* This software is published under the terms of the GNU Public License (GPL),
* a copy of which is included in this distribution.
*/
package org.jivesoftware.openfire.sasl;
import java.util.Map;
......@@ -7,6 +18,12 @@ import javax.security.sasl.SaslServer;
import javax.security.sasl.SaslException;
import com.sun.security.sasl.util.PolicyUtils;
/**
* Server Factory for PLAIN.
*
* @author Jay Kline
*/
public class SaslServerFactoryImpl implements SaslServerFactory {
private static final String myMechs[] = { "PLAIN" };
......@@ -16,6 +33,17 @@ public class SaslServerFactoryImpl implements SaslServerFactory {
public SaslServerFactoryImpl() {
}
/**
* Creates a <code>SaslServer</code> implementing the PLAIN mechanism using the parameters supplied.
*
* @param mechanism The non-null IANA-registered named of a SASL mechanism. Must be "PLAIN" for this object.
* @param protocol The non-null string name of the protocol for which the authentication is being performed (e.g., "ldap").
* @param serverName The non-null fully qualified host name of the server to authenticate to.
* @param props The possibly null set of properties used to select the SASL mechanism and to configure the authentication exchange of the selected mechanism.
* @param cbh The possibly null callback handler to used by the SASL mechanisms to get further information from the application/library to complete the authentication.
* @return A possibly null SaslServer created using the parameters supplied. If null, this factory cannot produce a SaslServer using the parameters supplied.
* @throws SaslException If cannot create a SaslServer because of an error.
*/
public SaslServer createSaslServer(String mechanism, String protocol, String serverName, Map<String, ?> props, CallbackHandler cbh) throws SaslException {
if (mechanism.equals(myMechs[PLAIN]) && PolicyUtils.checkPolicy(mechPolicies[PLAIN], props)) {
......@@ -27,6 +55,12 @@ public class SaslServerFactoryImpl implements SaslServerFactory {
return null;
}
/**
* Returns an array of names of mechanisms that match the specified mechanism selection policies.
* @param props The possibly null set of properties used to specify the security policy of the SASL mechanisms.
* @return A non-null array containing a IANA-registered SASL mechanism names.
*/
public String[] getMechanismNames(Map<String, ?> props) {
return PolicyUtils.filterMechs(myMechs, mechPolicies, props);
}
......
/**
* $RCSfile$
* $Revision: $
* $Date: $
*
* Copyright (C) 2004 Jive Software. All rights reserved.
*
* This software is published under the terms of the GNU Public License (GPL),
* a copy of which is included in this distribution.
*/
package org.jivesoftware.openfire.sasl;
......@@ -16,6 +26,18 @@ import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
/**
* Implements the PLAIN server-side mechanism.
* (<a href="http://www.ietf.org/rfc/rfc4616.txt">RFC 4616</a>)<br />
* <p>
* client ----- {authzid, authcid, password} -----> server
* </p>
* Each paramater sent to the server is seperated by a null character
* The authorization ID (authzid) may be empty.
*
* @author Jay Kline
*/
public class SaslServerPlainImpl implements SaslServer {
private String principal;
......@@ -84,16 +106,11 @@ public class SaslServerPlainImpl implements SaslServer {
}
password = tokens.nextToken();
NameCallback ncb = new NameCallback("PLAIN authentication ID: ",principal);
PasswordCallback pcb = new PasswordCallback("PLAIN password: ",false);
cbh.handle(new Callback[]{ncb,pcb});
char correctPassword[] = pcb.getPassword();
if (correctPassword == null || correctPassword.length == 0) {
aborted = true;
throw new SaslException("PLAIN: username not found: "+principal);
}
pcb.clearPassword();
String s_correctPassword = new String(correctPassword);
if (s_correctPassword.equals(password) ) {
VerifyPasswordCallback vpcb = new VerifyPasswordCallback(password.toCharArray());
cbh.handle(new Callback[]{ncb,vpcb});
if (vpcb.getVerified()) {
vpcb.clearPassword();
AuthorizeCallback acb = new AuthorizeCallback(principal,username);
cbh.handle(new Callback[]{acb});
username = acb.getAuthorizationID();
......
/**
* $RCSfile$
* $Revision: $
* $Date: $
*
* Copyright (C) 2004 Jive Software. All rights reserved.
*
* This software is published under the terms of the GNU Public License (GPL),
* a copy of which is included in this distribution.
*/
package org.jivesoftware.openfire.sasl;
import javax.security.auth.callback.Callback;
import java.io.Serializable;
/**
* This callback isused by SaslServer to determine if a password supplied by a
* client is verified.
* Under most circumstances the PasswordCallback should be used instead, but its
* use requires the underlying sercurity services have access to the stored password
* to perform a comparison.
* The security service provider instantiate and pass a VerifyPasswordCallback to the
* handle method of a CallbackHandler to verify password information.
*
* @see javax.security.auth.callback.PasswordCallback
* @see javax.security.auth.callback.CallbackHandler
* @author Jay Kline
*/
public class VerifyPasswordCallback implements Callback, Serializable {
private static final long serialVersionUID = -6393402725550707836L;
private char[] password;
private boolean verified;
/**
* Construct a <code>VerifyPasswordCallback</code>.
* @param password the password to verify.
*/
public VerifyPasswordCallback(char[] password) {
this.password = (password == null ? null : (char[])password.clone());
this.verified = false;
}
/**
* Get the retrieved password.
* @return the retrieved password, which may be null.
*/
public char[] getPassword() {
return (password == null ? null : (char[])password.clone());
}
/**
* Clear the retrieved password.
*/
public void clearPassword() {
if (password != null) {
for (int i = 0; i < password.length; i++) {
password[i] = ' ';
}
password = null;
}
}
/**
* Indicate if this password is verified.
* @param verified true if the password is verified; false otherwise
*/
public void setVerified(boolean verified) {
this.verified = verified;
}
/**
* Determines wether the password is verified.
* @return true if the password is verified; false otherwise
*/
public boolean getVerified() {
return verified;
}
}
\ No newline at end of file
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment