8. Custom AuthRepository implementation
8.1. Credentials - solid base for authentication
Tigase supports having per-application passwords, allowing having distinct password for each application greatly improving security (see Application passwords for more details). To facilitate it uses Credentials, specified by the namesake interface: tigase.auth.credentials.Credentials, which implementations may store multiple credentials for single account (under credentialId, ie. different credentials for different authentication mechanisms).
- It’s specifies a couple of essential API methods:
boolean canLogin();- checks if account can perform logging-inAccountStatus getAccountStatus();- returns account status, i.e. if it’s enabled or notEntry getEntryForMechanism(String mechanism);- find a credential for specified encryption mechanismEntry getFirst();- returns first available instance of credentials entryBareJID getUser();- returns bare jid of an accountboolean isAccountDisabled();- checks if account is disabled
that allows handling of Credential entry for particular encryption/authentication mechanism. Essential part of the Credentials API are entries (defined in tigase.auth.credentials.Credentials.Entry that are actually responsible for performing provided password against defined mechanism.
8.2. Simplest AuthRepository implementation
The most basic way to create completely custom authentication is by implementing AuthRepository interface. While it has a handful or required methods the most important one is tigase.db.AuthRepository.getCredentials (it has default implementation and you could use tigase.db.AuthRepository.getPassword but it’s deprecated and will be removed).
Credentials allow having multiple, per-application passwords, but in the basic case - using PLAIN SALS method for authentication, you can use entry implementation just for plain passwords (tigase.auth.credentials.entries.PlainCredentialsEntry class) and wrap it in tigase.db.AuthRepository.SingleCredential as you would only use single password. It also requires passing parameter indicating whether the account is active (allowed to login) or disabled (not allowed to log in).
Here’s the basic snippet that will authenticate all authentication attempts if password will be used as password:
Note
Particular password retrieval method is out of scope of this document; see Using DataRepository and Accessing other repositories with DataRepository for more information on how to use Tigase API for accessing databases.
public class SimpleCustomAuthRepository implements AuthRepository {
@Override
public Credentials getCredentials(BareJID user, String credentialId) throws TigaseDBException {
final String passwordFromRepository = "password";
final PlainCredentialsEntry passwordEntry = new PlainCredentialsEntry(passwordFromRepository);
return new SingleCredential(user, getAccountStatus(user), passwordEntry);
}
@Override
public AccountStatus getAccountStatus(BareJID user) throws TigaseDBException {
return AccountStatus.active;
}
}
There are also 2 useful methods that are called when user is authenticated or logs out, that may optionally allow you to perform certain additional operations on repository/external services:
@Override
public void loggedIn(BareJID jid) throws TigaseDBException {
}
@Override
public void logout(BareJID user) throws TigaseDBException {
}
Complete source example is included in the sources as tigase.examples.SampleCustomAuthRepository