use of org.jivesoftware.openfire.auth.AuthToken in project Openfire by igniterealtime.
the class OpenfireLoginService method login.
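/**
 * Authenticates a web-console (jmxweb) login against Openfire's own
 * authentication provider and admits only Openfire admin accounts.
 *
 * The submitted credential is verified on every call. The previous version
 * returned the cached identity without calling
 * {@link AuthFactory#authenticate} whenever an AuthToken for the user was
 * already present in {@code authTokens}, so after one successful login any
 * credential was accepted for that user. The caches are now only written
 * after a successful check and are never consulted to skip it.
 *
 * @param userName   the Openfire username submitted at the login form.
 * @param credential the submitted password; expected to be a {@link String}.
 * @return the authenticated {@link UserIdentity}, or {@code null} when the
 *         user is unknown, is not an admin, or the credential is wrong.
 */
public UserIdentity login(String userName, Object credential) {
    if (userName == null || !(credential instanceof String)) {
        // A non-String credential used to surface as a ClassCastException
        // swallowed by the generic catch; reject it explicitly instead.
        Log.error("access denied, missing user name or unsupported credential type");
        return null;
    }
    Log.debug("UserIdentity login " + userName + " ");
    AuthToken authToken = authenticateAdmin(userName, (String) credential);
    if (authToken == null) {
        return null;
    }
    authTokens.put(userName, authToken);
    // Rebuild the identity on every successful login so the cached Subject
    // never carries a credential that is no longer the one just verified.
    UserIdentity identity = newAdminIdentity(userName, credential);
    identities.put(userName, identity);
    return identity;
}

/**
 * Verifies that {@code userName} exists, is an Openfire admin and that
 * {@code password} is correct. Admin status is checked before the password
 * so non-admin accounts never reach the authentication provider.
 *
 * @param userName the username to check.
 * @param password the submitted password.
 * @return the AuthToken on success, {@code null} on any failure (details are logged).
 */
private AuthToken authenticateAdmin(String userName, String password) {
    try {
        userManager.getUser(userName);
    } catch (UserNotFoundException e) {
        // Unknown users are rejected without logging, as before.
        return null;
    }
    try {
        if (!AdminManager.getInstance().isUserAdmin(userName, true)) {
            Log.error("access denied, not admin user " + userName);
            return null;
        }
        return AuthFactory.authenticate(userName, password);
    } catch (UnauthorizedException e) {
        Log.error("access denied, bad password " + userName);
        return null;
    } catch (Exception e) {
        // Keep the cause; the original dropped it, hiding provider errors.
        Log.error("access denied " + userName, e);
        return null;
    }
}

/**
 * Builds the Jetty identity for an authenticated admin carrying the
 * "jmxweb" role.
 *
 * NOTE(review): the raw credential is stored as a private credential of
 * the Subject, as the original code did; the Subject is made read-only
 * but the password stays in memory for the life of the cached identity.
 *
 * @param userName   the authenticated username.
 * @param credential the credential that was just verified.
 * @return the new identity.
 */
private UserIdentity newAdminIdentity(String userName, Object credential) {
    Principal userPrincipal = new KnownUser(userName, credential);
    Subject subject = new Subject();
    subject.getPrincipals().add(userPrincipal);
    subject.getPrivateCredentials().add(credential);
    subject.getPrincipals().add(new RolePrincipal("jmxweb"));
    subject.setReadOnly();
    return _identityService.newUserIdentity(subject, userPrincipal, new String[] { "jmxweb" });
}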
use of org.jivesoftware.openfire.auth.AuthToken in project Openfire by igniterealtime.
the class IQAuthHandler method authenticate.
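/**
 * Authenticates a user with a username, token, and digest and returns an AuthToken.
 * The digest should be generated using the {@link AuthFactory#createDigest(String, String)} method.
 * If the username and digest do not match the record of any user in the system, the
 * method throws an UnauthorizedException.
 *
 * Security notes:
 * <ul>
 * <li>The lock-out check runs on the normalized username (trimmed, lower-cased,
 *     local domain stripped). The previous version checked the raw input first,
 *     so a locked account could be probed under a differently-cased name or with
 *     the server domain appended unless LockOutManager normalized on its own.</li>
 * <li>The digest comparison is constant-time; {@code equalsIgnoreCase} returns at
 *     the first mismatching character, which leaks the expected digest's prefix
 *     through response timing.</li>
 * <li>NOTE(review): this legacy scheme needs {@link AuthFactory#getPassword(String)}
 *     to return the stored password, i.e. a provider that can supply it in the
 *     clear; confirm that is acceptable for the deployment.</li>
 * <li>NOTE(review): a wrong digest is not reported to LockOutManager here (only
 *     the disabled-account path calls recordFailedLogin); confirm the caller does.</li>
 * </ul>
 *
 * @param username the username, optionally qualified with the server's own domain.
 * @param token the token that was used with plain-text password to generate the digest.
 * @param digest the digest generated from plain-text password and unique token.
 * @return an AuthToken token if the username and digest are correct for the user's
 * password and given token.
 * @throws UnauthorizedException if any argument is null, the domain is not this
 * server's, the account is locked out, or the username and digest do not match.
 * @throws ConnectionException declared for the authentication provider calls.
 * @throws InternalUnauthenticatedException declared for the authentication provider calls.
 */
public static AuthToken authenticate(String username, String token, String digest) throws UnauthorizedException, ConnectionException, InternalUnauthenticatedException {
    if (username == null || token == null || digest == null) {
        throw new UnauthorizedException();
    }
    username = username.trim().toLowerCase();
    if (username.contains("@")) {
        // Check that the specified domain matches the server's domain
        int index = username.indexOf("@");
        String domain = username.substring(index + 1);
        if (!domain.equals(XMPPServer.getInstance().getServerInfo().getXMPPDomain())) {
            // Unknown domain. Return authentication failed.
            throw new UnauthorizedException();
        }
        username = username.substring(0, index);
    }
    // Lock-out is evaluated on the same normalized name that is authenticated below.
    if (LockOutManager.getInstance().isAccountDisabled(username)) {
        LockOutManager.getInstance().recordFailedLogin(username);
        throw new UnauthorizedException();
    }
    try {
        String password = AuthFactory.getPassword(username);
        String anticipatedDigest = AuthFactory.createDigest(token, password);
        if (!digestsMatch(digest, anticipatedDigest)) {
            throw new UnauthorizedException();
        }
    } catch (UserNotFoundException unfe) {
        throw new UnauthorizedException();
    }
    // Got this far, so the user must be authorized.
    return new AuthToken(username);
}

/**
 * Compares a client-supplied digest with the expected one, ignoring case as
 * the original {@code equalsIgnoreCase} did, but in constant time so timing
 * does not reveal how many leading characters were correct.
 *
 * Both sides are lower-cased with a fixed locale before the byte compare;
 * a length mismatch is handled by {@code MessageDigest.isEqual}.
 *
 * @param supplied the digest sent by the client.
 * @param expected the digest computed server-side.
 * @return {@code true} if they match case-insensitively.
 */
private static boolean digestsMatch(String supplied, String expected) {
    byte[] a = supplied.toLowerCase(java.util.Locale.ROOT).getBytes(java.nio.charset.StandardCharsets.UTF_8);
    byte[] b = expected.toLowerCase(java.util.Locale.ROOT).getBytes(java.nio.charset.StandardCharsets.UTF_8);
    return java.security.MessageDigest.isEqual(a, b);
}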
use of org.jivesoftware.openfire.auth.AuthToken in project Openfire by igniterealtime.
the class SessionManager method removeSession.
/**
 * Removes a client session, classifying it as anonymous when it either
 * authenticated anonymously or never completed authentication at all.
 *
 * @param session the session to remove; {@code null} is tolerated.
 * @return {@code true} if the session was removed; {@code false} when no
 *         session was given or the server is shutting down.
 */
public boolean removeSession(LocalClientSession session) {
    if (session == null) {
        return false;
    }
    // serverName is cleared while the server shuts down; nothing to remove then.
    if (serverName == null) {
        return false;
    }
    final AuthToken token = session.getAuthToken();
    // No token means the session never authenticated; treat it as anonymous here.
    final boolean treatAsAnonymous = (token == null) || token.isAnonymous();
    return removeSession(session, session.getAddress(), treatAsAnonymous, false);
}
use of org.jivesoftware.openfire.auth.AuthToken in project Openfire by igniterealtime.
the class IQBindHandler method handleIQ.
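/**
 * Handles an IQ resource-binding request ("bind" in urn:ietf:params:xml:ns:xmpp-bind).
 *
 * Flow: look up the pre-authenticated session by the packet's "from" address, pick
 * the requested resource (or the session's generated one), refuse binding when the
 * session has no SASL AuthToken, resolve a conflict with an existing session on the
 * same full JID according to the conflict-kick limit, then bind the resource and
 * notify session listeners.
 *
 * Replies are delivered directly via {@code session.process(...)} because no route
 * exists for the session before the resource is bound; every branch that does so
 * returns {@code null}. Fix: the not-authorized branch used to both send the error
 * directly and return it, unlike every other branch; it now returns {@code null}
 * after sending so the caller cannot dispatch the same error a second time.
 *
 * @param packet the bind request.
 * @return {@code null} after a direct reply, or an internal-server-error IQ when no
 *         session could be found for the sender.
 * @throws UnauthorizedException declared by the handler contract; not thrown by this body.
 */
@Override
public IQ handleIQ(IQ packet) throws UnauthorizedException {
    LocalClientSession session = (LocalClientSession) sessionManager.getSession(packet.getFrom());
    // If no session was found then answer an error (if possible)
    if (session == null) {
        // NOTE(review): this writes every pre-authenticated session key to the error log.
        Log.error("Error during resource binding. Session not found in " + sessionManager.getPreAuthenticatedKeys() + " for key " + packet.getFrom());
        // This error packet will probably won't make it through
        IQ reply = IQ.createResultIQ(packet);
        reply.setChildElement(packet.getChildElement().createCopy());
        reply.setError(PacketError.Condition.internal_server_error);
        return reply;
    }
    IQ reply = IQ.createResultIQ(packet);
    Element child = reply.setChildElement("bind", "urn:ietf:params:xml:ns:xmpp-bind");
    // Check if the client specified a desired resource
    String resource = packet.getChildElement().elementTextTrim("resource");
    if (resource == null || resource.length() == 0) {
        // None was defined so use the random generated resource
        resource = session.getAddress().getResource();
    } else {
        // Check that the desired resource is valid (client-controlled input).
        try {
            resource = JID.resourceprep(resource);
        } catch (StringprepException e) {
            reply.setChildElement(packet.getChildElement().createCopy());
            reply.setError(PacketError.Condition.jid_malformed);
            // Send the error directly since a route does not exist at this point.
            session.process(reply);
            return null;
        }
    }
    // Get the token that was generated during the SASL authentication
    AuthToken authToken = session.getAuthToken();
    if (authToken == null) {
        // User must be authenticated before binding a resource
        reply.setChildElement(packet.getChildElement().createCopy());
        reply.setError(PacketError.Condition.not_authorized);
        // Send the error directly since a route does not exist at this point.
        session.process(reply);
        // Return null like the other direct-send branches; returning the reply
        // here handed the already-sent error back to the caller as well.
        return null;
    }
    if (authToken.isAnonymous()) {
        // User used ANONYMOUS SASL so initialize the session as an anonymous login
        session.setAnonymousAuth();
    } else {
        String username = authToken.getUsername().toLowerCase();
        // If a session already exists with the requested JID, then check to see
        // if we should kick it off or refuse the new connection
        ClientSession oldSession = routingTable.getClientRoute(new JID(username, serverName, resource, true));
        if (oldSession != null) {
            try {
                int conflictLimit = sessionManager.getConflictKickLimit();
                if (conflictLimit == SessionManager.NEVER_KICK) {
                    reply.setChildElement(packet.getChildElement().createCopy());
                    reply.setError(PacketError.Condition.conflict);
                    // Send the error directly since a route does not exist at this point.
                    session.process(reply);
                    return null;
                }
                int conflictCount = oldSession.incrementConflictCount();
                if (conflictCount > conflictLimit) {
                    // Kick out the old connection that is conflicting with the new one
                    StreamError error = new StreamError(StreamError.Condition.conflict);
                    oldSession.deliverRawText(error.toXML());
                    oldSession.close();
                } else {
                    reply.setChildElement(packet.getChildElement().createCopy());
                    reply.setError(PacketError.Condition.conflict);
                    // Send the error directly since a route does not exist at this point.
                    session.process(reply);
                    return null;
                }
            } catch (Exception e) {
                // NOTE(review): an exception here (e.g. while closing the old session) is
                // logged and the new session is still bound, so both may briefly hold the
                // same full JID. Confirm whether refusing the bind would be preferable.
                Log.error("Error during login", e);
            }
        }
        // If the connection was not refused due to conflict, log the user in
        session.setAuthToken(authToken, resource);
    }
    child.addElement("jid").setText(session.getAddress().toString());
    // Send the response directly since a route does not exist at this point.
    session.process(reply);
    // After the client has been informed, inform all listeners as well.
    SessionEventDispatcher.dispatchEvent(session, SessionEventDispatcher.EventType.resource_bound);
    return null;
}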
use of org.jivesoftware.openfire.auth.AuthToken in project Openfire by igniterealtime.
the class SASLAuthentication method authenticationSuccessful.
/**
 * Completes a successful SASL exchange: refuses locked-out accounts even after
 * the mechanism accepted them, sends the "success" element, and records the
 * outcome on the session.
 *
 * A client session receives an AuthToken for {@code username}; {@code username}
 * may be null here (the lock-out guard tolerates it), which is presumably the
 * anonymous case. For an inbound server session the authenticated name is treated
 * as a domain the peer may now send packets from.
 *
 * @param session     the session that just authenticated.
 * @param username    the authenticated name, or {@code null}.
 * @param successData optional additional data to carry in the success element.
 */
private static void authenticationSuccessful(LocalSession session, String username, byte[] successData) {
    final boolean named = (username != null);
    if (named && LockOutManager.getInstance().isAccountDisabled(username)) {
        // Mechanism success does not override an account lock-out.
        LockOutManager.getInstance().recordFailedLogin(username);
        authenticationFailed(session, Failure.ACCOUNT_DISABLED);
        return;
    }
    sendElement(session, "success", successData);
    // We only support SASL for c2s
    if (session instanceof ClientSession) {
        LocalClientSession client = (LocalClientSession) session;
        client.setAuthToken(new AuthToken(username));
        return;
    }
    if (session instanceof IncomingServerSession) {
        LocalIncomingServerSession inbound = (LocalIncomingServerSession) session;
        // Add the validated domain as a valid domain. The remote server can
        // now send packets from this address
        inbound.addValidatedDomain(username);
        Log.info("Inbound Server {} authenticated (via TLS)", username);
    }
}