Use of org.jivesoftware.spark.sasl.SASLGSSAPIv3CompatMechanism in project Spark by igniterealtime.
The method retrieveConnectionConfiguration of class LoginDialog.
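/**
 * Builds the Smack connection configuration for the pending login from the current
 * {@code localPref} settings and the entered server, user name and password.
 * <p>
 * In order, this configures: the port (an explicit {@code host:port} suffix in
 * {@code loginServer} overrides the preference), an optional HTTP/SOCKS5 proxy, TLS
 * (either STARTTLS on the regular port or "old-style" direct SSL on port 5223) and the
 * SASL mechanisms allowed for this login (EXTERNAL, GSSAPI, ANONYMOUS).
 *
 * @return the configuration to hand to the XMPP connection
 * @throws NumberFormatException    if a port suffix or the configured proxy port is not numeric
 * @throws IllegalArgumentException if the port suffix is outside 1..65535
 * @throws IllegalStateException    if {@code loginServer} is not a valid domain, or the host
 *                                  cannot be resolved for an old-style SSL connection
 */
protected XMPPTCPConnectionConfiguration retrieveConnectionConfiguration() {
    int port = localPref.getXmppPort();
    // An explicit "host:port" suffix in the server field overrides the port preference.
    // NOTE(review): a bare IPv6 literal also contains ':' and would be misparsed here, and
    // loginServer is handed to JidCreate below unchanged (suffix included) — confirm that
    // callers strip the suffix before this point.
    int colonAt = loginServer.indexOf(':');
    if (colonAt != -1) {
        String portString = loginServer.substring(colonAt + 1);
        if (ModelUtil.hasLength(portString)) {
            port = Integer.parseInt(portString);
            if (port <= 0 || port > 65535) {
                throw new IllegalArgumentException("Port out of range in server field: " + portString);
            }
        }
    }

    ConnectionConfiguration.SecurityMode securityMode = localPref.getSecurityMode();
    boolean useOldSSL = localPref.isSSL();
    boolean hostPortConfigured = localPref.isHostAndPortConfigured();

    ProxyInfo proxyInfo = null;
    if (localPref.isProxyEnabled()) {
        // Null-safe comparison: a missing protocol preference falls back to HTTP instead of an NPE.
        ProxyInfo.ProxyType proxyType = "SOCKS".equals(localPref.getProtocol())
                ? ProxyInfo.ProxyType.SOCKS5
                : ProxyInfo.ProxyType.HTTP;
        String proxyHost = ModelUtil.hasLength(localPref.getHost()) ? localPref.getHost() : null;
        int proxyPort = ModelUtil.hasLength(localPref.getPort()) ? Integer.parseInt(localPref.getPort()) : 0;
        String proxyUser = ModelUtil.hasLength(localPref.getProxyUsername()) ? localPref.getProxyUsername() : null;
        String proxyPass = ModelUtil.hasLength(localPref.getProxyPassword()) ? localPref.getProxyPassword() : null;
        if (proxyHost != null && proxyPort != 0) {
            // Credentials are passed only as a complete pair; a half-configured pair counts as none.
            boolean hasCredentials = proxyUser != null && proxyPass != null;
            proxyInfo = new ProxyInfo(proxyType, proxyHost, proxyPort,
                    hasCredentials ? proxyUser : null,
                    hasCredentials ? proxyPass : null);
        } else {
            // Deliberately best-effort (preserved): the proxy is enabled but unusable, so a null
            // ProxyInfo is handed to the builder below (presumably a direct connection) and this
            // is logged rather than treated as fatal.
            Log.error("No proxy info found but proxy type is enabled!");
        }
    }

    DomainBareJid xmppDomain;
    try {
        xmppDomain = JidCreate.domainBareFrom(loginServer);
    } catch (XmppStringprepException e) {
        throw new IllegalStateException(e);
    }

    final XMPPTCPConnectionConfiguration.Builder builder = XMPPTCPConnectionConfiguration.builder()
            .setUsernameAndPassword(loginUsername, loginPassword)
            .setXmppDomain(xmppDomain)
            .setPort(port)
            .setSendPresence(false)
            .setCompressionEnabled(localPref.isCompressionEnabled())
            .setSecurityMode(securityMode);

    if (securityMode != ConnectionConfiguration.SecurityMode.disabled && localPref.isDisableHostnameVerification()) {
        // User-chosen weakening: the server certificate is no longer matched against the host name,
        // so a server presenting any otherwise-valid certificate is accepted.
        TLSUtils.disableHostnameVerificationForTlsCertificates(builder);
    }
    if (localPref.isDebuggerEnabled()) {
        // The Smack debugger echoes the raw stream to the log; treat that output as sensitive.
        builder.enableDefaultDebugger();
    }
    if (hostPortConfigured) {
        builder.setHost(localPref.getXmppHost());
    }
    if (localPref.isProxyEnabled()) {
        builder.setProxyInfo(proxyInfo);
    }

    // The same store layout is used for STARTTLS and old-style SSL. BOTH presumably also loads the
    // client key store for client-certificate authentication — confirm in SparkSSLContextCreator.
    final SparkSSLContextCreator.Options sslOptions = localPref.isAllowClientSideAuthentication()
            ? SparkSSLContextCreator.Options.BOTH
            : SparkSSLContextCreator.Options.ONLY_SERVER_SIDE;

    if (securityMode != ConnectionConfiguration.SecurityMode.disabled && !useOldSSL) {
        // STARTTLS: the connection starts in plain text on the regular port (5222 by default) and is
        // upgraded to TLS in-band.
        try {
            SSLContext context = SparkSSLContextCreator.setUpContext(sslOptions);
            builder.setSslContextFactory(() -> context);
            builder.setCustomX509TrustManager(new SparkTrustManager());
        } catch (NoSuchAlgorithmException | KeyManagementException | UnrecoverableKeyException
                 | KeyStoreException | NoSuchProviderException e) {
            // Non-fatal by design: the builder still carries securityMode, so Smack negotiates TLS
            // with its own defaults, but without Spark's SSL context or trust manager.
            Log.warning("Couldnt establish secured connection", e);
        }
    }

    if (securityMode != ConnectionConfiguration.SecurityMode.disabled && useOldSSL) {
        if (!hostPortConfigured) {
            // SMACK 4.1.9 does not support XEP-0368 and ignores a port change unless the host changes
            // too. Force the host (via a DNS lookup) and the port to 5223, the default old-style SSL port.
            DnsName serverNameDnsName = DnsName.from(loginServer);
            java.util.List<InetAddress> resolvedAddresses = DNSUtil.getDNSResolver()
                    .lookupHostAddress(serverNameDnsName, null, DnssecMode.disabled);
            if (resolvedAddresses.isEmpty()) {
                throw new IllegalStateException("Could not resolve " + serverNameDnsName);
            }
            // NOTE(review): getHostName() on a resolved address may do a reverse lookup and yield a
            // name that differs from loginServer — confirm this is the host intended for TLS checks.
            builder.setHost(resolvedAddresses.get(0).getHostName());
            builder.setPort(5223);
        }
        builder.setSocketFactory(new SparkSSLSocketFactory(sslOptions));
        // SMACK 4.1.9 does not recognise an old-style SSL socket as secure and would fail under the
        // 'required' mode, so the mode is relaxed to 'ifpossible'. The transport is presumably TLS
        // from the first byte via SparkSSLSocketFactory, so the user's preference is still honoured.
        builder.setSecurityMode(ConnectionConfiguration.SecurityMode.ifpossible);
    }

    if (securityMode != ConnectionConfiguration.SecurityMode.disabled) {
        // SASL EXTERNAL (client-certificate based) is only meaningful over TLS.
        SASLAuthentication.registerSASLMechanism(new SASLExternalMechanism());
    }
    // SPARK-1747: Don't use the GSS-API SASL mechanism when SSO is disabled. Registration is static
    // (process-wide), so both variants are removed first and only re-added when SSO is on.
    SASLAuthentication.unregisterSASLMechanism(SASLGSSAPIMechanism.class.getName());
    SASLAuthentication.unregisterSASLMechanism(SASLGSSAPIv3CompatMechanism.class.getName());
    if (localPref.isSSOEnabled()) {
        // SPARK-1740: register the Smack 3 compatible variant when requested.
        if (localPref.isSaslGssapiSmack3Compatible()) {
            SASLAuthentication.registerSASLMechanism(new SASLGSSAPIv3CompatMechanism());
        } else {
            SASLAuthentication.registerSASLMechanism(new SASLGSSAPIMechanism());
        }
    }
    if (localPref.isLoginAnonymously() && !localPref.isSSOEnabled()) {
        // login() is later called without arguments; SSO takes precedence over anonymous login.
        builder.performSaslAnonymousAuthentication();
    }
    return builder.build();
}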
Use of org.jivesoftware.spark.sasl.SASLGSSAPIv3CompatMechanism in project Spark by igniterealtime.
The method retrieveConnectionConfiguration of class LoginUIPanel.
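/**
 * Builds the Smack connection configuration for the pending login from the current
 * {@code localPref} settings and the entered server, user name and password.
 * <p>
 * In order, this configures: the port (an explicit {@code host:port} suffix in
 * {@code loginServer} overrides the preference), an optional HTTP/SOCKS5 proxy, TLS
 * (either STARTTLS on the regular port or "old-style" direct SSL on port 5223) and the
 * SASL mechanisms allowed for this login (EXTERNAL, GSSAPI, ANONYMOUS).
 *
 * @return the configuration to hand to the XMPP connection
 * @throws NumberFormatException    if a port suffix or the configured proxy port is not numeric
 * @throws IllegalArgumentException if the port suffix is outside 1..65535
 * @throws IllegalStateException    if {@code loginServer} is not a valid domain, or the host
 *                                  cannot be resolved for an old-style SSL connection
 */
protected XMPPTCPConnectionConfiguration retrieveConnectionConfiguration() {
    int port = localPref.getXmppPort();
    // An explicit "host:port" suffix in the server field overrides the port preference.
    // parseInt replaces the former Integer.valueOf: the value is only ever used as a primitive.
    // NOTE(review): a bare IPv6 literal also contains ':' and would be misparsed here, and
    // loginServer is handed to JidCreate below unchanged (suffix included) — confirm that
    // callers strip the suffix before this point.
    int colonAt = loginServer.indexOf(':');
    if (colonAt != -1) {
        String portString = loginServer.substring(colonAt + 1);
        if (ModelUtil.hasLength(portString)) {
            port = Integer.parseInt(portString);
            if (port <= 0 || port > 65535) {
                throw new IllegalArgumentException("Port out of range in server field: " + portString);
            }
        }
    }

    ConnectionConfiguration.SecurityMode securityMode = localPref.getSecurityMode();
    boolean useOldSSL = localPref.isSSL();
    boolean hostPortConfigured = localPref.isHostAndPortConfigured();

    ProxyInfo proxyInfo = null;
    if (localPref.isProxyEnabled()) {
        // Null-safe comparison: a missing protocol preference falls back to HTTP instead of an NPE.
        ProxyInfo.ProxyType proxyType = "SOCKS".equals(localPref.getProtocol())
                ? ProxyInfo.ProxyType.SOCKS5
                : ProxyInfo.ProxyType.HTTP;
        String proxyHost = ModelUtil.hasLength(localPref.getHost()) ? localPref.getHost() : null;
        int proxyPort = ModelUtil.hasLength(localPref.getPort()) ? Integer.parseInt(localPref.getPort()) : 0;
        String proxyUser = ModelUtil.hasLength(localPref.getProxyUsername()) ? localPref.getProxyUsername() : null;
        String proxyPass = ModelUtil.hasLength(localPref.getProxyPassword()) ? localPref.getProxyPassword() : null;
        if (proxyHost != null && proxyPort != 0) {
            // Credentials are passed only as a complete pair; a half-configured pair counts as none.
            boolean hasCredentials = proxyUser != null && proxyPass != null;
            proxyInfo = new ProxyInfo(proxyType, proxyHost, proxyPort,
                    hasCredentials ? proxyUser : null,
                    hasCredentials ? proxyPass : null);
        } else {
            // Deliberately best-effort (preserved): the proxy is enabled but unusable, so a null
            // ProxyInfo is handed to the builder below (presumably a direct connection) and this
            // is logged rather than treated as fatal.
            Log.error("No proxy info found but proxy type is enabled!");
        }
    }

    DomainBareJid xmppDomain;
    try {
        xmppDomain = JidCreate.domainBareFrom(loginServer);
    } catch (XmppStringprepException e) {
        throw new IllegalStateException(e);
    }

    final XMPPTCPConnectionConfiguration.Builder builder = XMPPTCPConnectionConfiguration.builder()
            .setUsernameAndPassword(loginUsername, loginPassword)
            .setXmppDomain(xmppDomain)
            .setPort(port)
            .setSendPresence(false)
            .setCompressionEnabled(localPref.isCompressionEnabled())
            .setSecurityMode(securityMode);

    if (securityMode != ConnectionConfiguration.SecurityMode.disabled && localPref.isDisableHostnameVerification()) {
        // User-chosen weakening: the server certificate is no longer matched against the host name,
        // so a server presenting any otherwise-valid certificate is accepted.
        TLSUtils.disableHostnameVerificationForTlsCertificates(builder);
    }
    if (localPref.isDebuggerEnabled()) {
        // The Smack debugger echoes the raw stream to the log; treat that output as sensitive.
        builder.enableDefaultDebugger();
    }
    if (hostPortConfigured) {
        builder.setHost(localPref.getXmppHost());
    }
    if (localPref.isProxyEnabled()) {
        builder.setProxyInfo(proxyInfo);
    }

    // The same store layout is used for STARTTLS and old-style SSL. BOTH presumably also loads the
    // client key store for client-certificate authentication — confirm in SparkSSLContextCreator.
    final SparkSSLContextCreator.Options sslOptions = localPref.isAllowClientSideAuthentication()
            ? SparkSSLContextCreator.Options.BOTH
            : SparkSSLContextCreator.Options.ONLY_SERVER_SIDE;

    if (securityMode != ConnectionConfiguration.SecurityMode.disabled && !useOldSSL) {
        // STARTTLS: the connection starts in plain text on the regular port (5222 by default) and is
        // upgraded to TLS in-band.
        try {
            SSLContext context = SparkSSLContextCreator.setUpContext(sslOptions);
            builder.setSslContextFactory(() -> context);
            builder.setCustomX509TrustManager(new SparkTrustManager());
        } catch (NoSuchAlgorithmException | KeyManagementException | UnrecoverableKeyException
                 | KeyStoreException | NoSuchProviderException e) {
            // Non-fatal by design: the builder still carries securityMode, so Smack negotiates TLS
            // with its own defaults, but without Spark's SSL context or trust manager.
            Log.warning("Couldnt establish secured connection", e);
        }
    }

    if (securityMode != ConnectionConfiguration.SecurityMode.disabled && useOldSSL) {
        if (!hostPortConfigured) {
            // SMACK 4.1.9 does not support XEP-0368 and ignores a port change unless the host changes
            // too. Force the host (via a DNS lookup) and the port to 5223, the default old-style SSL port.
            DnsName serverNameDnsName = DnsName.from(loginServer);
            java.util.List<InetAddress> resolvedAddresses = DNSUtil.getDNSResolver()
                    .lookupHostAddress(serverNameDnsName, null, DnssecMode.disabled);
            if (resolvedAddresses.isEmpty()) {
                throw new IllegalStateException("Could not resolve " + serverNameDnsName);
            }
            // NOTE(review): getHostName() on a resolved address may do a reverse lookup and yield a
            // name that differs from loginServer — confirm this is the host intended for TLS checks.
            builder.setHost(resolvedAddresses.get(0).getHostName());
            builder.setPort(5223);
        }
        builder.setSocketFactory(new SparkSSLSocketFactory(sslOptions));
        // SMACK 4.1.9 does not recognise an old-style SSL socket as secure and would fail under the
        // 'required' mode, so the mode is relaxed to 'ifpossible'. The transport is presumably TLS
        // from the first byte via SparkSSLSocketFactory, so the user's preference is still honoured.
        builder.setSecurityMode(ConnectionConfiguration.SecurityMode.ifpossible);
    }

    if (securityMode != ConnectionConfiguration.SecurityMode.disabled) {
        // SASL EXTERNAL (client-certificate based) is only meaningful over TLS.
        SASLAuthentication.registerSASLMechanism(new SASLExternalMechanism());
    }
    // SPARK-1747: Don't use the GSS-API SASL mechanism when SSO is disabled. Registration is static
    // (process-wide), so both variants are removed first and only re-added when SSO is on.
    SASLAuthentication.unregisterSASLMechanism(SASLGSSAPIMechanism.class.getName());
    SASLAuthentication.unregisterSASLMechanism(SASLGSSAPIv3CompatMechanism.class.getName());
    if (localPref.isSSOEnabled()) {
        // SPARK-1740: register the Smack 3 compatible variant when requested.
        if (localPref.isSaslGssapiSmack3Compatible()) {
            SASLAuthentication.registerSASLMechanism(new SASLGSSAPIv3CompatMechanism());
        } else {
            SASLAuthentication.registerSASLMechanism(new SASLGSSAPIMechanism());
        }
    }
    if (localPref.isLoginAnonymously() && !localPref.isSSOEnabled()) {
        // login() is later called without arguments; SSO takes precedence over anonymous login.
        builder.performSaslAnonymousAuthentication();
    }
    return builder.build();
}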