- Added support for storage of encrypted password
- Using same salt for any subsequent authentications
- Disabled usage of stored procedure for authentication
- Deprecated API
- Deprecated storage procedures
- Usage of MD5 hashes of passwords
- Enabling and disabling credentials encoders/decoders
- Schema changes
- Added password reset mechanism
Passwords are no longer stored in plaintext on any database.
This allows clients to reuse calculated credentials and keep them instead of storing plaintext passwords.
In previous versions, Tigase used the stored procedures TigUserLoginPlainPw and TigUserLogin for SASL PLAIN authentication. From version 8.0.0, those procedures are no longer used, but they have been updated to use passwords stored in the tig_user_credentials table.
It is still possible to use these procedures for authentication, but to do that you need to add:
'user-login-query' = '{ call TigUserLoginPlainPw(?, ?) }'
to the configuration block of every authentication repository. To enable this for the default repository, the authRepository configuration block will look like this:
authRepository () {
    default () {
        'user-login-query' = '{ call TigUserLoginPlainPw(?, ?) }'
    }
}
Some methods of the AuthRepository API were deprecated and should not be used. Most of them were used for authentication using stored procedures, retrieval of the password in plaintext, or for password change. For most of these methods, new versions based on the tig_user_credentials table and user credentials storage are provided where possible.
Stored procedures for authentication and password manipulation were updated to a new form, so that older versions of Tigase XMPP Server can still use them during rolling updates of a cluster. However, these procedures will no longer be used and will be deprecated and removed in future versions of Tigase XMPP Server.
If you have changed the password-encoding database property in previous versions of Tigase XMPP Server, then you will need to modify your configuration to keep it working.
If you wish only to allow access using old passwords and to store changed passwords in the new form, then you need to enable the credentials decoder for the correct authentication repository.
In this example we provide the changes required for the MD5-PASSWORD value of the password-encoding database property. If you have used a different one, then just replace MD5-PASSWORD with MD5-USERNAME-PASSWORD or MD5-USERID-PASSWORD.
Usage of MD5 decoder.
authRepository () {
    default () {
        credentialDecoders () {
            'MD5-PASSWORD' () {}
        }
    }
}
If you wish to store passwords in MD5 form, then use the following entries in your configuration file:
Usage of MD5 encoder.
authRepository () {
    default () {
        credentialEncoders () {
            'MD5-PASSWORD' () {}
        }
    }
}
You may choose which encoders and decoders are used on your installation. By enabling encoders you decide in what form passwords are stored in the database; by enabling decoders you decide which stored forms may be verified. These choices may affect which SASL mechanisms can be used on your installation.
Enabling PLAIN decoder.
authRepository () {
    default () {
        credentialDecoders () {
            'PLAIN' () {}
        }
    }
}
Disabling SCRAM-SHA-1 and SCRAM-SHA-256 encoders.
authRepository () {
    default () {
        credentialEncoders () {
            'SCRAM-SHA-1' (active: false) {}
            'SCRAM-SHA-256' (active: false) {}
        }
    }
}
Warning
It is strongly recommended not to disable an encoder if you have enabled the decoder of the same type, as it may lead to authentication issues if a client tries to use a mechanism for which no credentials are available.
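The following is an added Python illustration of the encoder/decoder split described above; it is not Tigase's code, and the SCRAM verifier serialization, the in-memory repository class and the sample passwords are constructed for this example. Encoders decide which (uid, username, mechanism, value) rows are written when a password is set; decoders decide which stored forms can be verified. The walkthrough at the end shows a legacy MD5-PASSWORD row still accepted through its decoder, the rows being rewritten in SCRAM form on password change, and the failure mode the warning describes (decoder enabled, encoder disabled, so the mechanism is offered but no credential exists).

```python
import hashlib
import hmac
import os

# Mechanism name -> hashlib digest name (SCRAM per RFC 5802 / RFC 7677).
SCRAM_HASHES = {"SCRAM-SHA-1": "sha1", "SCRAM-SHA-256": "sha256"}


def encode_scram(password: str, mechanism: str, salt: bytes = b"", iterations: int = 4096) -> str:
    """Build a SCRAM verifier: StoredKey and ServerKey derived from SaltedPassword.
    The comma-separated serialization is an assumption for this example."""
    hash_name = SCRAM_HASHES[mechanism]
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hash_name).digest()
    return ",".join([salt.hex(), str(iterations), stored_key.hex(), server_key.hex()])


def decode_scram(password: str, mechanism: str, value: str) -> bool:
    """Verify a plaintext password (e.g. received via SASL PLAIN) against a SCRAM verifier."""
    hash_name = SCRAM_HASHES[mechanism]
    salt_hex, iterations, stored_hex, _server_hex = value.split(",")
    salted = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    return hmac.compare_digest(hashlib.new(hash_name, client_key).digest(), bytes.fromhex(stored_hex))


def encode_md5_password(password: str, mechanism: str) -> str:
    """Legacy MD5-PASSWORD form: unsalted MD5 of the password (assumed layout, kept only for old rows)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def decode_md5_password(password: str, mechanism: str, value: str) -> bool:
    return hmac.compare_digest(encode_md5_password(password, mechanism), value)


ENCODERS = {"SCRAM-SHA-1": encode_scram, "SCRAM-SHA-256": encode_scram, "MD5-PASSWORD": encode_md5_password}
DECODERS = {"SCRAM-SHA-1": decode_scram, "SCRAM-SHA-256": decode_scram, "MD5-PASSWORD": decode_md5_password}


class CredentialRepository:
    """In-memory stand-in for a credentials table with rows (uid, username, mechanism, value)."""

    def __init__(self, encoders: set, decoders: set) -> None:
        self.encoders = encoders  # forms written on password change
        self.decoders = decoders  # forms that may be verified (and hence offered to clients)
        self.rows = []            # list of (uid, username, mechanism, value)

    def set_password(self, uid: int, password: str, username: str = "default") -> None:
        # Drop old rows for this identity; only active encoders produce new rows.
        self.rows = [r for r in self.rows if (r[0], r[1]) != (uid, username)]
        for mechanism in sorted(self.encoders):
            self.rows.append((uid, username, mechanism, ENCODERS[mechanism](password, mechanism)))

    def offered_mechanisms(self) -> set:
        """Simplification: the server advertises every mechanism it has a decoder for."""
        return set(self.decoders)

    def usable_mechanisms(self, uid: int, username: str = "default") -> set:
        """Mechanisms that can actually succeed: a row exists and its decoder is enabled."""
        return {m for (u, n, m, _) in self.rows if (u, n) == (uid, username) and m in self.decoders}

    def authenticate_plain(self, uid: int, password: str, username: str = "default") -> bool:
        """SASL PLAIN: the first enabled decoder that accepts the password wins."""
        for (u, n, mechanism, value) in self.rows:
            if (u, n) == (uid, username) and mechanism in self.decoders:
                if DECODERS[mechanism](password, mechanism, value):
                    return True
        return False


def migration_walkthrough() -> dict:
    """Constructed scenario: legacy MD5 row, password change, and the warned-about configuration."""
    repo = CredentialRepository(encoders={"SCRAM-SHA-1", "SCRAM-SHA-256"},
                                decoders={"SCRAM-SHA-1", "SCRAM-SHA-256", "MD5-PASSWORD"})
    # Row as it would look after migrating a user_pw value stored with password-encoding = MD5-PASSWORD.
    repo.rows.append((1, "default", "MD5-PASSWORD", encode_md5_password("old-secret", "MD5-PASSWORD")))
    old_login = repo.authenticate_plain(1, "old-secret")
    repo.set_password(1, "new-secret")  # rewritten in SCRAM form only; MD5 row is gone
    # Decoder for SCRAM-SHA-1 enabled but its encoder disabled: offered, yet never usable.
    bad = CredentialRepository(encoders={"SCRAM-SHA-256"}, decoders={"SCRAM-SHA-1", "SCRAM-SHA-256"})
    bad.set_password(2, "pw")
    return {
        "old_login": old_login,
        "after_change": repo.usable_mechanisms(1),
        "old_password_rejected": not repo.authenticate_plain(1, "old-secret"),
        "new_password_accepted": repo.authenticate_plain(1, "new-secret"),
        "bad_offered": bad.offered_mechanisms(),
        "bad_usable": bad.usable_mechanisms(2),
    }


if __name__ == "__main__":
    for key, val in migration_walkthrough().items():
        print(key, val)
```

In the last configuration the repository offers SCRAM-SHA-1 (its decoder is on) but no SCRAM-SHA-1 row is ever written (its encoder is off), so a client that picks that mechanism cannot authenticate; that is exactly the mismatch the warning tells you to avoid.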
This change resulted in the creation of the new table tig_user_credentials with the following fields:
- uid - id of the user row in tig_users.
- username - username used for authentication (if authzid is not provided, or the authzid localpart is equal to authcid, then the row with the default value will be used).
- mechanism - name of the mechanism for which these credentials will be used, i.e. SCRAM-SHA-1 or PLAIN.
- value - serialized value required by the mechanism to confirm that the credentials match.
Warning
During execution of the upgrade-schema task, passwords will be removed from the user_pw field of the tig_users table and moved to the tig_user_credentials table.
As a part of the Tigase HTTP API component and Tigase Extras, we developed a mechanism which allows users to reset their password. To use this mechanism, the HTTP API component and its REST module must be enabled on the Tigase XMPP Server installation.
Note
Additionally, this mechanism needs to be enabled in the configuration file. For more information about configuration of this mechanism, please check the Tigase HTTP API component documentation.
Assuming that the HTTP API component is configured to run on port 8080 (default), accessing the address http://localhost:8080/rest/user/resetPassword in a web browser will present a web form. By filling in and submitting this form, the user initiates the password reset process. During this process, Tigase XMPP Server will send an email to the user's email address (provided during registration) with a link to the password change form.