/** * * Copyright 2003-2007 Jive Software. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.jivesoftware.smack; import org.jivesoftware.smack.SmackException.NoResponseException; import org.jivesoftware.smack.SmackException.NotConnectedException; import org.jivesoftware.smack.SmackException.ResourceBindingNotOfferedException; import org.jivesoftware.smack.XMPPException.XMPPErrorException; import org.jivesoftware.smack.packet.Packet; import org.jivesoftware.smack.sasl.SASLAnonymous; import org.jivesoftware.smack.sasl.SASLCramMD5Mechanism; import org.jivesoftware.smack.sasl.SASLDigestMD5Mechanism; import org.jivesoftware.smack.sasl.SASLErrorException; import org.jivesoftware.smack.sasl.SASLExternalMechanism; import org.jivesoftware.smack.sasl.SASLGSSAPIMechanism; import org.jivesoftware.smack.sasl.SASLMechanism; import org.jivesoftware.smack.sasl.SASLMechanism.SASLFailure; import org.jivesoftware.smack.sasl.SASLPlainMechanism; import javax.security.auth.callback.CallbackHandler; import javax.security.sasl.SaslException; import java.io.IOException; import java.lang.reflect.Constructor; import java.util.ArrayList; import java.util.Collection; import java.util.HashMap; import java.util.List; import java.util.Map; /** *
This class is responsible authenticating the user using SASL, binding the resource * to the connection and establishing a session with the server.
* *Once TLS has been negotiated (i.e. the connection has been secured) it is possible to * register with the server, authenticate using Non-SASL or authenticate using SASL. If the * server supports SASL then Smack will first try to authenticate using SASL. But if that * fails then Non-SASL will be tried.
* *The server may support many SASL mechanisms to use for authenticating. Out of the box * Smack provides several SASL mechanisms, but it is possible to register new SASL Mechanisms. Use * {@link #registerSASLMechanism(String, Class)} to register a new mechanisms. A registered * mechanism wont be used until {@link #supportSASLMechanism(String, int)} is called. By default, * the list of supported SASL mechanisms is determined from the {@link SmackConfiguration}.
* *Once the user has been authenticated with SASL, it is necessary to bind a resource for * the connection. If no resource is passed in {@link #authenticate(String, String, String)} * then the server will assign a resource for the connection. In case a resource is passed * then the server will receive the desired resource but may assign a modified resource for * the connection.
* *Once a resource has been binded and if the server supports sessions then Smack will establish * a session so that instant messaging and presence functionalities may be used.
* * @see org.jivesoftware.smack.sasl.SASLMechanism * * @author Gaston Dombiak * @author Jay Kline */ public class SASLAuthentication { private static Map* * The server may assign a full JID with a username or resource different than the requested * by this method. * * @param resource the desired resource. * @param cbh the CallbackHandler used to get information from the user * @throws IOException * @throws XMPPErrorException * @throws NoResponseException * @throws SASLErrorException * @throws ResourceBindingNotOfferedException * @throws NotConnectedException */ public void authenticate(String resource, CallbackHandler cbh) throws IOException, NoResponseException, XMPPErrorException, SASLErrorException, ResourceBindingNotOfferedException, NotConnectedException { // Locate the SASLMechanism to use String selectedMechanism = null; for (String mechanism : mechanismsPreferences) { if (implementedMechanisms.containsKey(mechanism) && serverMechanisms.contains(mechanism)) { selectedMechanism = mechanism; break; } } if (selectedMechanism != null) { // A SASL mechanism was found. Authenticate using the selected mechanism and then // proceed to bind a resource Class extends SASLMechanism> mechanismClass = implementedMechanisms.get(selectedMechanism); Constructor extends SASLMechanism> constructor; try { constructor = mechanismClass.getConstructor(SASLAuthentication.class); currentMechanism = constructor.newInstance(this); } catch (Exception e) { throw new SaslException("Exception when creating the SASLAuthentication instance", e); } synchronized (this) { // Trigger SASL authentication with the selected mechanism. We use // connection.getHost() since GSAPI requires the FQDN of the server, which // may not match the XMPP domain. currentMechanism.authenticate(connection.getHost(), cbh); try { // Wait until SASL negotiation finishes wait(connection.getPacketReplyTimeout()); } catch (InterruptedException e) { // Ignore } } if (saslFailure != null) { // SASL authentication failed and the server may have closed the connection // so throw an exception throw new SASLErrorException(selectedMechanism, saslFailure); } if (!saslNegotiated) { throw new NoResponseException(); } } else { throw new SaslException( "SASL Authentication failed. No known authentication mechanisims."); } } /** * Performs SASL authentication of the specified user. If SASL authentication was successful * then resource binding and session establishment will be performed. This method will return * the full JID provided by the server while binding a resource to the connection.
* * The server may assign a full JID with a username or resource different than the requested * by this method. * * @param username the username that is authenticating with the server. * @param password the password to send to the server. * @param resource the desired resource. * @throws XMPPErrorException * @throws SASLErrorException * @throws IOException * @throws SaslException * @throws SmackException */ public void authenticate(String username, String password, String resource) throws XMPPErrorException, SASLErrorException, SaslException, IOException, SmackException { // Locate the SASLMechanism to use String selectedMechanism = null; for (String mechanism : mechanismsPreferences) { if (implementedMechanisms.containsKey(mechanism) && serverMechanisms.contains(mechanism)) { selectedMechanism = mechanism; break; } } if (selectedMechanism != null) { // A SASL mechanism was found. Authenticate using the selected mechanism and then // proceed to bind a resource Class extends SASLMechanism> mechanismClass = implementedMechanisms.get(selectedMechanism); try { Constructor extends SASLMechanism> constructor = mechanismClass.getConstructor(SASLAuthentication.class); currentMechanism = constructor.newInstance(this); } catch (Exception e) { throw new SaslException("Exception when creating the SASLAuthentication instance", e); } synchronized (this) { // Trigger SASL authentication with the selected mechanism. We use // connection.getHost() since GSAPI requires the FQDN of the server, which // may not match the XMPP domain. // The serviceName is basically the value that XMPP server sends to the client as // being // the location of the XMPP service we are trying to connect to. This should have // the // format: host ["/" serv-name ] as per RFC-2831 guidelines String serviceName = connection.getServiceName(); currentMechanism.authenticate(username, connection.getHost(), serviceName, password); try { // Wait until SASL negotiation finishes wait(connection.getPacketReplyTimeout()); } catch (InterruptedException e) { // Ignore } } if (saslFailure != null) { // SASL authentication failed and the server may have closed the connection // so throw an exception throw new SASLErrorException(selectedMechanism, saslFailure); } if (!saslNegotiated) { throw new NoResponseException(); } } else { throw new SaslException( "SASL Authentication failed. No known authentication mechanisims."); } } /** * Performs ANONYMOUS SASL authentication. If SASL authentication was successful * then resource binding and session establishment will be performed. This method will return * the full JID provided by the server while binding a resource to the connection.
*
* The server will assign a full JID with a randomly generated resource and possibly with
* no username.
*
* @throws SASLErrorException
* @throws IOException
* @throws SaslException
* @throws XMPPErrorException if an error occures while authenticating.
* @throws SmackException if there was no response from the server.
*/
public void authenticateAnonymously() throws SASLErrorException, SaslException, IOException,
SmackException, XMPPErrorException {
currentMechanism = new SASLAnonymous(this);
// Wait until SASL negotiation finishes
synchronized (this) {
currentMechanism.authenticate(null, null, null, "");
try {
wait(connection.getPacketReplyTimeout());
}
catch (InterruptedException e) {
// Ignore
}
}
if (saslFailure != null) {
// SASL authentication failed and the server may have closed the connection
// so throw an exception
throw new SASLErrorException(currentMechanism.toString(), saslFailure);
}
if (!saslNegotiated) {
throw new NoResponseException();
}
}
/**
* Sets the available SASL mechanism reported by the server. The server will report the
* available SASL mechanism once the TLS negotiation was successful. This information is
* stored and will be used when doing the authentication for logging in the user.
*
* @param mechanisms collection of strings with the available SASL mechanism reported
* by the server.
*/
public void setAvailableSASLMethods(Collection