Fastpath fails with Anonymous login disabled

I am running the latest Openfire release including the Fastpath plugin. When I disable the anonymous login, the Fastpath plugin fails to connect to the server.

Unable to connect to server using the following settings:

Server: ****

Port: 5222

SSL Enabled: false

Is there any way to make this work with the anonymous login disabled? I would love to use Fastpath, but keep access restricted to registered accounts.

Maybe I am missing something. Thank you for any tips.

Thanks

Alexander

I ran into this as well. By default it looks as if anonymous login has to be enabled on the Openfire server. You might be able to program something to make it work how you want, but AFAIK, anonymous needs to be enabled.

Is it possible to restrict anonymous logins by some IP addresses/networks?

It will be more secure than now and, IMHO, enough.

Fastpath is an anonymous login. The user is not required to have an account on the server. You can make this a requirement in the settings of Fastpath (see attachment). You would likely need to add a field for password to make this work.

Thank you for the very fast answer.

I think you don’t understand me. I need Fastpath + webchat to work, and webchat must be open to everybody. But it is a bad idea to open anonymous login overall (it is not secure, and I do not like spammers in any way). On the other hand, we could open anonymous login for the webchat server only; that would be secure (in any case Fastpath will redirect all communication through webchat only to special groups, which are not interesting to bad guys).

If web auth is limited, guests can’t communicate by webchat, which is not acceptable.

So, if we limit anonymous access to only some IPs, we can create communication for guests by webchat, while communication through a direct connection to the jabber server is still limited.

PS. Sorry for my English…

I do not think what you are looking to do is possible. Fastpath uses an embedded link on a webserver to make the connection to Openfire. This would mean the connection would always have the same source IP. You could set up an IP table on the web server to only allow access from certain IPs to the Fastpath page.

I’m almost sure that I have Anonymous login disabled at my production server and Fastpath was starting fine for me.

Have you checked the IP restriction option on the same page (Registration Settings)? I’m not sure how this will affect webchat users.

> I’m almost sure that I have Anonymous login disabled at my production server and Fastpath was starting fine for me.

How do you do that? When anonymous login is disabled, Fastpath + webchat stops working.

> Have you checked the IP restriction option on the same page (Registration Settings)? I’m not sure how this will affect webchat users.

I will try to explain a bit more.

First: I wish to use Openfire as a corporate jabber server (registration very restricted) for internal communication. My colleagues work in different cities and I can’t limit access to the jabber server by firewall. And I need some support for customers. Anybody may connect to the support web page and talk. Webchat + Fastpath is perfect for this, but anonymous access to the server must be disabled because of security, and there must be no authorization in webchat. On the other hand, anonymous access must be enabled because of Fastpath requirements.

The ideal solution would be to limit anonymous access by IP lists/ranges.

This is the error I get if anonymous users is turned off:

Online Chat Service

Our chat service is unavailable at this time. Please check back soon.

java.lang.IllegalStateException: Must login to server before creating workgroup.
    at com.jivesoftware.smack.workgroup.user.Workgroup.<init>(Unknown Source)
    at com.jivesoftware.webchat.ChatSession.joinQueue(ChatSession.java:227)
    at com.jivesoftware.webchat.actions.ChatStarter.startSession(ChatStarter.java:255)
    at com.jivesoftware.webclient.jsp.queue_jsp._jspService(queue_jsp.java:75)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
    at com.jivesoftware.webchat.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:44)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
    at com.jivesoftware.webchat.SetupFilter.doFilter(SetupFilter.java:91)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
    at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
    at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.Server.handle(Server.java:324)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
    at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:842)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:648)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
    at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:450)

I will check my settings tomorrow.

wroot may be on the right track though for a solution for you. If your remote users have a defined set of IP addresses you could filter the connections by this method. Set a list of allowed networks in the Openfire admin. This would limit authentication to Openfire from certain networks which you could specify, including the Fastpath server. This would make it so that anonymous logins only came from approved networks.

Unfortunately, I can’t use a firewall. Because, firstly, some users have dynamically assigned IPs (limited by their providers), and, secondly, there are mobile users. No, firewall limits are not right for me. I need to limit only anonymous access, not all access.

Of course, I can put (and will put) the Openfire server in a DMZ, but this will protect only from hacking, not from spam.

I think I must make a feature request to the Openfire authors. It is so strange that the Openfire architects forgot about spammers.

In any case, thanks to all for the Openfire server and for the help.

I hope wr00t will check the config of his server and will publish the settings.

Well, developers can’t make a server suitable for just every network setup. It has anonymous login disabling and an IP filter. That’s already a lot for an XMPP server.

As for my settings, they probably won’t help you. I just wanted to say that I have Anonymous disabled and tried Fastpath a few weeks ago. I just installed it from the plugins page in the Admin Console, then added some agents and tried to make support requests. Only with Spark clients, without webchat. So, in my case there wasn’t any error. I haven’t installed webchat though.

I’m trying out Webchat and Fastpath for the first time, and I agree with Alexander on this issue.

Unless I’m mistaken about the implications of allowing anonymous logins to Openfire, I believe this could be a security problem. In our environment we use Openfire as our corporate IM server, and have roaming users connecting via random IP addresses, authenticating with Openfire via LDAP/AD. If we want to implement Fastpath, it seems that we need to enable Anonymous logins on Openfire, which I assume means that anyone can open an XMPP connection and send messages to any of our users - a big security hole!

We obviously only want Anonymous connections to come into the Fastpath Queues, and only from our webserver IP address. So, there are a few ways this could be achieved, either only allow Anonymous connections from specified IP addresses (authenticated connections from any address), or have the WebChat client login to Openfire using a pre-defined username and password, which would negate the need for anonymous logins at all.

I would say that this setup is a pretty common scenario, so how have others got around this problem?

Edit: Just found another thread about this, and a comment from Dombiak Gaston:

> Hey Joseph,

> Are you using the webclient to let users/people make their questions?

> If you are not using it then there is no need to allow anonymous users.

> However, if you are using it then we would need to implement a new enhancement so that you can specify the list of valid IP address for anonymous users. Would that work for you?

I am not Joseph, but Dombiak if you are reading this, yes this would work for me!

Ben
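The first option described above (anonymous connections only from specified IP addresses, authenticated connections from any address), sketched as an added example that is not part of the original thread and is not Openfire or Fastpath code. The class name, method names and sample addresses are assumptions chosen for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;

/** Hypothetical policy check for illustration; not an Openfire API. */
public class AnonymousLoginPolicy {
    private final List<String> allowedCidrs; // e.g. the webchat server's address

    public AnonymousLoginPolicy(List<String> allowedCidrs) {
        this.allowedCidrs = allowedCidrs;
    }

    /** Authenticated logins pass from any address; anonymous ones only from the allowlist. */
    public boolean permits(boolean anonymous, String remoteAddr) throws UnknownHostException {
        if (!anonymous) return true;
        byte[] addr = InetAddress.getByName(remoteAddr).getAddress();
        for (String cidr : allowedCidrs) {
            if (inCidr(addr, cidr)) return true;
        }
        return false; // default deny for anonymous sessions
    }

    /** True when addr falls inside the network written as "address/prefix". */
    static boolean inCidr(byte[] addr, String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/");
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        if (net.length != addr.length) return false; // IPv4 entry vs IPv6 peer, or the reverse
        int prefix = parts.length > 1 ? Integer.parseInt(parts[1]) : net.length * 8;
        if (prefix < 0 || prefix > net.length * 8) return false; // malformed entry never matches
        int fullBytes = prefix / 8;
        int remBits = prefix % 8;
        for (int i = 0; i < fullBytes; i++) {
            if (addr[i] != net[i]) return false;
        }
        if (remBits == 0) return true;
        int mask = (0xFF << (8 - remBits)) & 0xFF; // compare only the leading bits of the last byte
        return (addr[fullBytes] & mask) == (net[fullBytes] & mask);
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample data: documentation address ranges, not real hosts.
        AnonymousLoginPolicy policy =
                new AnonymousLoginPolicy(List.of("192.0.2.10/32", "2001:db8::/64"));
        System.out.println("anonymous from webchat host: " + policy.permits(true, "192.0.2.10"));
        System.out.println("anonymous from elsewhere:    " + policy.permits(true, "198.51.100.7"));
        System.out.println("authenticated roaming user:  " + policy.permits(false, "198.51.100.7"));
    }
}
```

The check would sit at the point where the server decides whether to accept an anonymous session, so roaming LDAP/AD users are unaffected while direct anonymous connections from outside the webchat host are refused.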

Ben, you are right.

If you use FastPath only, there is no problem. But if you want to use the webchat plugin module, you get a lot of trouble with security.

The best way to resolve this is to limit anonymous connections to some IP hosts/networks. Or, as a workaround, limit WebChat connections to some predefined user. Unfortunately the source code of WebChat is unavailable, so we can’t check whether a workaround is possible.

I hope webchat will be open source software.

It seems that the source code is available via svn according to the announcement here: http://www.igniterealtime.org/community/blogs/ignite/2008/06/04/webchat-client-of-fastpath-is-now-available

However I don’t have the necessary build environment or java knowledge to be able to make the change…

Ben

Hey Olexandr,

Source code of webchat is now available. Check out the “Webchat client of Fastpath is now available” blog post.

Regards,

– Gato

BumP,

I just set up the webchat with Fastpath and I’m concerned like everyone else… also it appears to me that Fastpath will not work right unless you have the “spark web” enterprise plugin installed as well… correct me if I am wrong but it’s not released open source style to the community yet, is it? But yea, I would love to integrate the webchat into some things around our office so we wouldn’t even need to have Spark installed on some of the computers around here.

Hey Spotter,

> I just set up the webchat with Fastpath and I’m concerned like everyone else

Sorry I didn’t read the entire thread. Concerned about what?

> … also it appears to me that Fastpath will not work right unless you have the “spark web” enterprise plugin installed as well…

Fastpath does not require Sparkweb. But maybe you are referring to the webchat client (ie. webchat.war).

> correct me if I am wrong but it’s not released open source style to the community yet, is it?

Both Sparkweb and the webchat client for Fastpath were made open source and their source code is available.

> But yea, I would love to integrate the webchat into some things around our office so we wouldn’t even need to have Spark installed on some of the computers around here.

Ok. In this last part I can see that you are referring to Sparkweb. There was a post about how to get Sparkweb’s source code and build it. We still have to create a new page in this site and list it as a product so people can easily download it instead of having to build it from source code.

Regards,

– Gato

Thanks for the quick reply,

I was concerned about anonymous users from the internet using our Spark server if I leave anonymous users selected. I know that webchat requires it to run the way it does… But I am concerned about some kid on the outside seeing what ports I have opened up on my firewall and then connecting to our server and sending garbage to our employees… I don’t care if they try to do it from the web site per se, but if they access it directly via the port they are already up to no good anyway… We have 6 remote locations and a handful of traveling people that log in to our server, so locking it down by IP address is out of the question. Is an anonymous user anything that’s getting exploited yet?

Am I correct to assume that there will be a Sparkweb plugin in the future?

P.S. I love the Openfire/Wildfire/Spark project, you guys rock!