From a7ec0338bc95c37774659378c34bb05578db3a19 Mon Sep 17 00:00:00 2001 From: Florian Schmaus Date: Sun, 2 Mar 2014 14:21:21 +0100 Subject: [PATCH] Don't set SASL authid parameter to username (SMACK-371) RFC4616 states that if the authorization identity (authzid) parameter is null, then it is derived from the authentication identity (authcid). Smack currently sets both, authzid and authcid, to the username, resulting in auth attempts of userid\0userid\0password instead of userid\0password Which are different users on most systems (e.g. Kerberos). We now set only SASLMechanism.authenticationId to username. The authenticate(String, CallbackHandler) method does now not longer receive the username, as it's send by the CallbackHandler. --- .../main/java/org/jivesoftware/smack/BOSHConnection.java | 2 +- .../java/org/jivesoftware/smack/SASLAuthentication.java | 5 ++--- .../org/jivesoftware/smack/sasl/SASLGSSAPIMechanism.java | 5 ++--- .../java/org/jivesoftware/smack/sasl/SASLMechanism.java | 7 +++---- .../main/java/org/jivesoftware/smack/TCPConnection.java | 3 +-- 5 files changed, 9 insertions(+), 13 deletions(-) diff --git a/bosh/src/main/java/org/jivesoftware/smack/BOSHConnection.java b/bosh/src/main/java/org/jivesoftware/smack/BOSHConnection.java index 18ab2d7be..52c3dd108 100644 --- a/bosh/src/main/java/org/jivesoftware/smack/BOSHConnection.java +++ b/bosh/src/main/java/org/jivesoftware/smack/BOSHConnection.java @@ -313,7 +313,7 @@ public class BOSHConnection extends Connection { if (password != null) { response = saslAuthentication.authenticate(username, password, resource); } else { - response = saslAuthentication.authenticate(username, resource, config.getCallbackHandler()); + response = saslAuthentication.authenticate(resource, config.getCallbackHandler()); } } else { throw new XMPPException("No non-anonymous SASL authentication mechanism available"); 
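Review bot: In the `else` branch the `username` variable is now silently dropped, so the identity that gets authenticated is whatever the handler from `config.getCallbackHandler()` supplies. That is the intent of the commit, but nothing at the call site says so; I would add `// username is not sent on this path; the CallbackHandler supplies the authentication identity` above the call. Whether `getCallbackHandler()` can return null is not visible in this hunk; if it can, this branch should fail with a clear `XMPPException` rather than pass a null handler on to the mechanism. The same applies to the matching call in TCPConnection.java, and in both files the enclosing method starts and ends outside the hunk.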
diff --git a/core/src/main/java/org/jivesoftware/smack/SASLAuthentication.java b/core/src/main/java/org/jivesoftware/smack/SASLAuthentication.java index bd6be9f78..0665521c1 100644 --- a/core/src/main/java/org/jivesoftware/smack/SASLAuthentication.java +++ b/core/src/main/java/org/jivesoftware/smack/SASLAuthentication.java @@ -202,13 +202,12 @@ public class SASLAuthentication { * The server may assign a full JID with a username or resource different than the requested * by this method. * - * @param username the username that is authenticating with the server. * @param resource the desired resource. * @param cbh the CallbackHandler used to get information from the user * @return the full JID provided by the server while binding a resource to the connection. * @throws XMPPException if an error occures while authenticating. */ - public String authenticate(String username, String resource, CallbackHandler cbh) + public String authenticate(String resource, CallbackHandler cbh) throws XMPPException { // Locate the SASLMechanism to use String selectedMechanism = null; @@ -229,7 +228,7 @@ public class SASLAuthentication { // Trigger SASL authentication with the selected mechanism. We use // connection.getHost() since GSAPI requires the FQDN of the server, which // may not match the XMPP domain. - currentMechanism.authenticate(username, connection.getHost(), cbh); + currentMechanism.authenticate(connection.getHost(), cbh); // Wait until SASL negotiation finishes synchronized (this) { diff --git a/core/src/main/java/org/jivesoftware/smack/sasl/SASLGSSAPIMechanism.java b/core/src/main/java/org/jivesoftware/smack/sasl/SASLGSSAPIMechanism.java index 78f0fac10..658b14b6d 100644 --- a/core/src/main/java/org/jivesoftware/smack/sasl/SASLGSSAPIMechanism.java +++ b/core/src/main/java/org/jivesoftware/smack/sasl/SASLGSSAPIMechanism.java 
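Review bot: The Javadoc on `authenticate(String resource, CallbackHandler cbh)` in the first hunk still describes `cbh` only as "used to get information from the user", although after this change the handler is the sole source of the authentication identity. I would change the tag to `@param cbh the CallbackHandler that supplies the authentication identity and any credentials the mechanism asks for`. The Javadoc of `SASLMechanism.authenticate(String host, CallbackHandler cbh)` in its own hunk has the same gap, since it still says the handler provides the authentication ID "if it is needed". Dropping `username` from a public method is also source-incompatible for existing callers and deserves a line in the release notes. The method body continues outside the hunk.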
@@ -59,7 +59,7 @@ public class SASLGSSAPIMechanism extends SASLMechanism { String[] mechanisms = { getName() }; Map props = new HashMap(); props.put(Sasl.SERVER_AUTH,"TRUE"); - sc = Sasl.createSaslClient(mechanisms, username, "xmpp", host, props, cbh); + sc = Sasl.createSaslClient(mechanisms, null, "xmpp", host, props, cbh); authenticate(); } @@ -78,9 +78,8 @@ public class SASLGSSAPIMechanism extends SASLMechanism { String[] mechanisms = { getName() }; Map props = new HashMap(); props.put(Sasl.SERVER_AUTH,"TRUE"); - sc = Sasl.createSaslClient(mechanisms, username, "xmpp", host, props, this); + sc = Sasl.createSaslClient(mechanisms, null, "xmpp", host, props, this); authenticate(); } - } diff --git a/core/src/main/java/org/jivesoftware/smack/sasl/SASLMechanism.java b/core/src/main/java/org/jivesoftware/smack/sasl/SASLMechanism.java index 6a63f1cc8..e46512d95 100644 --- a/core/src/main/java/org/jivesoftware/smack/sasl/SASLMechanism.java +++ b/core/src/main/java/org/jivesoftware/smack/sasl/SASLMechanism.java @@ -142,7 +142,7 @@ public abstract class SASLMechanism implements CallbackHandler { String[] mechanisms = { getName() }; Map props = new HashMap(); - sc = Sasl.createSaslClient(mechanisms, username, "xmpp", serviceName, props, this); + sc = Sasl.createSaslClient(mechanisms, null, "xmpp", serviceName, props, this); authenticate(); } 
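Review bot: The bare `null` now passed as the second argument of `Sasl.createSaslClient` (the authorization identity) carries the whole point of this fix but reads like an omission. A comment such as `// authzid left null: the server derives it from the authentication identity` above the call would keep a later edit from putting `username` back. The same applies to the hunk at line 78 in this file and to both SASLMechanism.java hunks (142 and 150). In the password-based overloads the username must now reach the mechanism through `authenticationId` and the callback. That assignment is described in the commit message but lies outside these hunks, so it is worth confirming it happens before `createSaslClient` is called.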
@@ -150,16 +150,15 @@ public abstract class SASLMechanism implements CallbackHandler { * Builds and sends the auth stanza to the server. The callback handler will handle * any additional information, such as the authentication ID or realm, if it is needed. * - * @param username the username of the user being authenticated. * @param host the hostname where the user account resides. * @param cbh the CallbackHandler to obtain user information. * @throws IOException If a network error occures while authenticating. * @throws XMPPException If a protocol error occurs or the user is not authenticated. */ - public void authenticate(String username, String host, CallbackHandler cbh) throws IOException, XMPPException { + public void authenticate(String host, CallbackHandler cbh) throws IOException, XMPPException { String[] mechanisms = { getName() }; Map props = new HashMap(); - sc = Sasl.createSaslClient(mechanisms, username, "xmpp", host, props, cbh); + sc = Sasl.createSaslClient(mechanisms, null, "xmpp", host, props, cbh); authenticate(); } diff --git a/tcp/src/main/java/org/jivesoftware/smack/TCPConnection.java b/tcp/src/main/java/org/jivesoftware/smack/TCPConnection.java index 2431200ed..46aa45555 100644 --- a/tcp/src/main/java/org/jivesoftware/smack/TCPConnection.java +++ b/tcp/src/main/java/org/jivesoftware/smack/TCPConnection.java @@ -235,8 +235,7 @@ public class TCPConnection extends Connection { response = saslAuthentication.authenticate(username, password, resource); } else { - response = saslAuthentication - .authenticate(username, resource, config.getCallbackHandler()); + response = saslAuthentication.authenticate(resource, config.getCallbackHandler()); } } else { throw new XMPPException("No non-anonymous SASL authentication mechanism available");