After the XMPP stream is opened by a client, the server checks which SASL mechanisms are available for the XMPP session. Depending on whether the stream is encrypted and on the domain, the server can present different available authentication mechanisms. MechanismSelector is responsible for choosing mechanisms. The list of allowed mechanisms is stored in the XMPP session object.
When the client/user begins the authentication procedure it uses one particular mechanism. It must use one of the mechanisms provided
by the server as available for this session. The server checks whether the mechanism used by the client is on the list of allowed
mechanisms. If the check is successful, the server creates a 'SaslServer' class instance and proceeds with exchanging
authentication information. Authentication data is different depending on the mechanism used.
When the SASL authentication is completed without any error, the Tigase server should have an authorized user name or an authorized
BareJID. In the first case, the server automatically builds the user's JID based on the domain used in the 'to' attribute of the
stream opening element.
If, after a successful authentication, the method call 'getNegotiatedProperty("IS_ANONYMOUS")' returns 'Boolean.TRUE',
then the user session is marked as anonymous. For valid and registered users this can be used for cases when we do not want
to load any user data such as roster, vcard, privacy lists and so on. This has performance and resource usage implications
and can be useful for use cases such as support chat. The authorization is performed based on the client database but we do
not need to load any XMPP specific data for the user's session.
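The flow described above, as an added example that is not Tigase's own code: the allowed-list check, the JID construction and the 'IS_ANONYMOUS' lookup, written against the standard 'javax.security.sasl.SaslServer' interface. The class 'SaslFlowExample', its methods, the toy 'AnonymousServer' mechanism and all sample values are assumptions made for illustration.

```java
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import java.util.List;
// Added illustration; class and method names are hypothetical, not Tigase's API.
public class SaslFlowExample {
    // Reject any mechanism the server did not offer for this session.
    static void requireAllowed(List<String> allowed, String requested) throws SaslException {
        if (!allowed.contains(requested)) throw new SaslException("Mechanism not offered for this session: " + requested);
    }

    // A bare user name gets the domain from the stream's 'to' attribute; a BareJID is kept as is.
    static String toBareJid(String authorizedId, String streamDomain) {
        return authorizedId.contains("@") ? authorizedId : authorizedId + "@" + streamDomain;
    }

    // Negotiated properties may only be read once the exchange has completed.
    static boolean isAnonymous(SaslServer ss) {
        return ss.isComplete() && Boolean.TRUE.equals(ss.getNegotiatedProperty("IS_ANONYMOUS"));
    }

    // Minimal ANONYMOUS mechanism so the example runs without a user database.
    static class AnonymousServer implements SaslServer {
        private boolean done;
        public String getMechanismName() { return "ANONYMOUS"; }
        public byte[] evaluateResponse(byte[] response) { done = true; return null; }
        public boolean isComplete() { return done; }
        public String getAuthorizationID() { return "guest-1"; } // constructed value
        public Object getNegotiatedProperty(String name) {
            if (!done) throw new IllegalStateException("authentication not completed");
            return "IS_ANONYMOUS".equals(name) ? Boolean.TRUE : null;
        }
        public byte[] unwrap(byte[] in, int off, int len) throws SaslException { throw new SaslException("no security layer"); }
        public byte[] wrap(byte[] out, int off, int len) throws SaslException { throw new SaslException("no security layer"); }
        public void dispose() { }
    }

    public static void main(String[] args) throws SaslException {
        List<String> allowed = List.of("SCRAM-SHA-1", "ANONYMOUS"); // constructed session list
        requireAllowed(allowed, "ANONYMOUS");
        SaslServer ss = new AnonymousServer();
        ss.evaluateResponse(new byte[0]);
        System.out.println(toBareJid(ss.getAuthorizationID(), "example.com") + " anonymous=" + isAnonymous(ss));
        try {
            requireAllowed(allowed, "PLAIN"); // not on the session's list
        } catch (SaslException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```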
More details about the implementation can be found in custom mechanisms development.