mirror of https://codeberg.org/Mercury-IM/Smack synced 2024-12-23 04:57:58 +01:00

Don't set SASL authid parameter to username (SMACK-371)

RFC4616 states that if the authorization identity (authzid) parameter is
null, then it is derived from the authentication
identity (authcid). Smack currently sets both, authzid and authcid, to
the username, resulting in auth attempts of

userid\0userid\0password

instead of

userid\0password

Which are different users on most systems (e.g. Kerberos).

We now set only SASLMechanism.authenticationId to the username. The
authenticate(String, CallbackHandler) method no longer receives
the username, as it is sent by the CallbackHandler.
Florian Schmaus 2014-03-02 14:21:21 +01:00
parent f7fc38e1f4
commit a7ec0338bc
5 changed files with 9 additions and 13 deletions


@ -313,7 +313,7 @@ public class BOSHConnection extends Connection {
if (password != null) {
response = saslAuthentication.authenticate(username, password, resource);
} else {
response = saslAuthentication.authenticate(username, resource, config.getCallbackHandler());
response = saslAuthentication.authenticate(resource, config.getCallbackHandler());
}
} else {
throw new XMPPException("No non-anonymous SASL authentication mechanism available");
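Review bot: The new call `saslAuthentication.authenticate(resource, config.getCallbackHandler())` passes the configured handler without a null check, and with the username no longer forwarded the handler is the only source of the authentication identity on this branch. Whether the configuration guarantees a non-null handler is not visible here, so a guard such as `if (config.getCallbackHandler() == null) throw new XMPPException("No CallbackHandler configured for SASL authentication");` before the call would turn a late failure inside the mechanism into a clear error. The same applies to the identical call in the TCPConnection hunk. The enclosing method starts and ends outside the hunk.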


@ -202,13 +202,12 @@ public class SASLAuthentication {
* The server may assign a full JID with a username or resource different than the requested
* by this method.
*
* @param username the username that is authenticating with the server.
* @param resource the desired resource.
* @param cbh the CallbackHandler used to get information from the user
* @return the full JID provided by the server while binding a resource to the connection.
* @throws XMPPException if an error occures while authenticating.
*/
public String authenticate(String username, String resource, CallbackHandler cbh)
public String authenticate(String resource, CallbackHandler cbh)
throws XMPPException {
// Locate the SASLMechanism to use
String selectedMechanism = null;
@ -229,7 +228,7 @@ public class SASLAuthentication {
// Trigger SASL authentication with the selected mechanism. We use
// connection.getHost() since GSAPI requires the FQDN of the server, which
// may not match the XMPP domain.
currentMechanism.authenticate(username, connection.getHost(), cbh);
currentMechanism.authenticate(connection.getHost(), cbh);
// Wait until SASL negotiation finishes
synchronized (this) {
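Review bot: The Javadoc in the first hunk drops `@param username`, but the remaining `@param cbh` line still reads "used to get information from the user", which does not tell callers that the handler must now supply the authentication identity itself. I would reword it to `@param cbh the CallbackHandler that supplies the authentication identity (username) and credentials; no username is passed separately`. Because `authenticate(String, String, CallbackHandler)` is public, removing it also breaks existing callers at compile time, which deserves a line in the release notes. The method body continues outside the hunk.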


@ -59,7 +59,7 @@ public class SASLGSSAPIMechanism extends SASLMechanism {
String[] mechanisms = { getName() };
Map<String,String> props = new HashMap<String,String>();
props.put(Sasl.SERVER_AUTH,"TRUE");
sc = Sasl.createSaslClient(mechanisms, username, "xmpp", host, props, cbh);
sc = Sasl.createSaslClient(mechanisms, null, "xmpp", host, props, cbh);
authenticate();
}
@ -78,9 +78,8 @@ public class SASLGSSAPIMechanism extends SASLMechanism {
String[] mechanisms = { getName() };
Map<String,String> props = new HashMap<String, String>();
props.put(Sasl.SERVER_AUTH,"TRUE");
sc = Sasl.createSaslClient(mechanisms, username, "xmpp", host, props, this);
sc = Sasl.createSaslClient(mechanisms, null, "xmpp", host, props, this);
authenticate();
}
}
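Review bot: `Sasl.createSaslClient` is documented to return null when no factory can produce a client for the requested mechanism, and both changed lines here assign its result to `sc` and call `authenticate()` straight away. If the no-argument `authenticate()` dereferences `sc` (its body is not shown), a missing GSSAPI provider would surface as a NullPointerException rather than an authentication error. A check such as `if (sc == null) throw new XMPPException("No SaslClient available for " + getName());` after each call would avoid that, assuming these methods declare XMPPException as the base class does. The two `createSaslClient` calls in the SASLMechanism hunks have the same shape. Both enclosing methods start outside the hunks.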


@ -142,7 +142,7 @@ public abstract class SASLMechanism implements CallbackHandler {
String[] mechanisms = { getName() };
Map<String,String> props = new HashMap<String,String>();
sc = Sasl.createSaslClient(mechanisms, username, "xmpp", serviceName, props, this);
sc = Sasl.createSaslClient(mechanisms, null, "xmpp", serviceName, props, this);
authenticate();
}
@ -150,16 +150,15 @@ public abstract class SASLMechanism implements CallbackHandler {
* Builds and sends the <tt>auth</tt> stanza to the server. The callback handler will handle
* any additional information, such as the authentication ID or realm, if it is needed.
*
* @param username the username of the user being authenticated.
* @param host the hostname where the user account resides.
* @param cbh the CallbackHandler to obtain user information.
* @throws IOException If a network error occures while authenticating.
* @throws XMPPException If a protocol error occurs or the user is not authenticated.
*/
public void authenticate(String username, String host, CallbackHandler cbh) throws IOException, XMPPException {
public void authenticate(String host, CallbackHandler cbh) throws IOException, XMPPException {
String[] mechanisms = { getName() };
Map<String,String> props = new HashMap<String,String>();
sc = Sasl.createSaslClient(mechanisms, username, "xmpp", host, props, cbh);
sc = Sasl.createSaslClient(mechanisms, null, "xmpp", host, props, cbh);
authenticate();
}
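Review bot: The bare `null` now passed as the second argument of `Sasl.createSaslClient` in both hunks carries the whole point of the commit, yet nothing in the code says why, so a later cleanup could easily put `username` back and silently change which identity is authorized. A short comment above each call, e.g. `// authzid stays null so the server derives it from the authcid (RFC 4616); the authcid comes from the callback handler`, would protect it, and the two GSSAPI calls would benefit equally. The Javadoc sentence "The callback handler will handle any additional information, such as the authentication ID or realm, if it is needed" also undersells the handler, which is now the only source of the authentication ID in `authenticate(String host, CallbackHandler cbh)`. The first hunk's method starts outside the hunk.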


@ -235,8 +235,7 @@ public class TCPConnection extends Connection {
response = saslAuthentication.authenticate(username, password, resource);
}
else {
response = saslAuthentication
.authenticate(username, resource, config.getCallbackHandler());
response = saslAuthentication.authenticate(resource, config.getCallbackHandler());
}
} else {
throw new XMPPException("No non-anonymous SASL authentication mechanism available");