This API is available from Tigase XMPP Server version 5.2.0 or later on our current master branch.
Note that API is under active development. This description may be updated at any time.
SASL implementation in Tigase XMPP Server is compatible with Java API, the same exact interfaces are used.
The SASL implementation consists of following parts:
Properties list for SASL plugin (sess-man/plugins-conf/urn\:ietf\:params\:xml\:ns\:xmpp-sasl):
A factory class for SASL mechanisms. Detailed description at Mechanisms configuration
A default callback handler class. Detailed description at CallbackHandler configuration
A callback handler class for a particular mechanism. Detailed description at CallbackHandler configuration
A class for filtering SASL mechanisms available in a stream. Detailed description at Selecting mechanisms
To add a new mechanism, a new factory for the mechanism has to be registered. It can be done with a new line in the
init.properties file like this one:
The class must implement the
SaslServerFactory interface. All mechanisms returned by
getMechanismNames() method will be registered automatically.
The default factory that is available and registered by default is
tigase.auth.TigaseSaslServerFactory which provides
CallbackHandler is a helper class used for loading/retrieving authentication data from data repository and providing them to a mechanism.
To register a new callback handler a new line in the
init.properties file like this one has to be added:
It is also possible to register different callback handlers for different mechanisms:
During the authentication process, Tigase server always checks for a handler specific to selected mechanisms, and if there is no specific handler the default one is used.
tigase.auth.MechanismSelector interface is used for selecting mechanisms available in a stream. Method
filterMechanisms() should return a collection with mechanisms available based on:
The default selector returns mechanisms from Tigase’s default factory
It is possible to use a custom selector by specifying it’s class int the
After the XMPP stream is opened by a client, the server checks which SASL mechanisms are available for the XMPP session. Depending on whether the stream is encrypted or not, depending on the domain, the server can present different available authentication mechanisms. MechanismSelector is responsible for choosing mechanisms. List of allowed mechanisms is stored in the XMPP session object.
When the client/user begins the authentication procedure it uses one particular mechanism. It must use one of the mechanisms provided by the server as available for this session. The server checks whether mechanisms used by the client is on the list of allowed mechanisms. It the check is successful, the server creates
SaslServer class instance and proceeds with exchanging authentication information. Authentication data is different depending on the mechanism used.
When the SASL authentication is completed without any error, Tigase server should have authorized user name or authorized BareJID. In the first case, the server automatically builds user’s JID based on the domain used in the stream opening element in
If, after a successful authentication, method call:
Boolean.TRUE then the user session is marked as anonymous. For valid and registered users this can be used for cases when we do not want to load any user data such as roster, vcard, privacy lists and so on. This is a performance and resource usage implication and can be useful for use cases such as support chat. The authorization is performed based on the client database but we do not need to load any XMPP specific data for the user’s session.
More details about implementation can be found in the custom mechanisms development section.
getAuthorizationID() method from
SaslServer class should return bare JID authorized user. In case that the method returns only user name such as romeo for example, the server automatically appends domain name to generate a valid BareJID: firstname.lastname@example.org. In case the method returns a full, valid BareJID, the server does not change anything.
handleLogin() method from
SessionManagerHandler will be called with user’s Bare JID provided by
getAuthorizationID() (or created later using stream domain name).
For each session authorization, the server creates a new and separate empty handler. Factory which creates handler instance allows to inject different objects to the handler, depending on interfaces implemented by the handler class:
DomainAware- injects domain name within which the user attempts to authenticate
NonAuthUserRepository, although I have no idea what for…
JabberIqAuth used for non-SASL authentication mechanisms uses the same callback as the SASL mechanisms.
Repository interfaces will be deprecated. These interfaces will be treated as user details providers only. There will be new methods available which will allow for additional login operations on the database such as last successful login recording.
JabberIqAuth is initialized separately, we strongly recommend to use more general prefix in
JabberIqAuth is disabled, then this is not necessary.