AuthProvider-s should be able to return temporary-auth-failure

Hi,

It would be really nice if one could throw some kind of Exception in the AuthProvider classes and org.jivesoftware.openfire.net.SASLAuthentication.authenticationFailed() could also return temporary-auth-failure.

Otherwise users may think that the authentication failed because they’ve entered a wrong password.

Any chance that it gets implemented?

Attila

I'm not opposed to it, but here are the dilemmas:

  • Do you (or anyone else, for that matter) know which clients actually give the user a useful message for any of the SASL error messages? If no clients actually use the error messages correctly, there is certainly less pressure to implement this.

  • There needs to be a global way for Openfire to “upgrade” the error message to the simple not-authorized message. The main reason is some security implementations will consider the other messages “information leakage” and want them disabled.

  • None of the current AuthProvider implementations really would even know about a temporary failure. I suppose if an external database/ldap server went away we might be able to use that message.

  • The Java SASL framework doesn't lend itself well to this. The XMPPCallbackHandler handle() method is not allowed to throw additional exceptions, to conform to the interface. So we either need to rely on the message contents of the exceptions, or extend IOException (neither is really attractive to me).

  • Implementing these changes introduces new code, and unless there is really a need for this, it is increasing the chances for bugs/errors.

That said, I think it's a good idea to support the XMPP spec, so here is my proposal:

Create a new TemporaryAuthFailureException that the AuthProvider can throw anywhere UnauthorizedException is currently allowed to be thrown. This gets the message as far as the XMPPCallbackHandler. (This widens the API, with no impact on existing code.)

Make both UnauthorizedException and TemporaryAuthFailureException extend IOException. (This narrows the API; someone needs to check that this causes no problems.)

Allow the XMPPCallbackHandler to pass up those exceptions. This gets the message to the SaslServer object. (No API change.)

The SaslServer object should create a new SaslException using the IOException from the CallbackHandler as the cause (we can't really control this if it doesn't).

In SASLAuthentication, when we catch the SaslException (in multiple places), we check if getCause() is a TemporaryAuthFailureException, and if so, check if the property sasl.detailed-errors is true (default to true), and if so, generate a temporary-auth-failure reply instead of not-authorized.

In the AuthProvider implementations we have, if the remote service (database, LDAP, POP3, whatever) is not available, throw the TemporaryAuthFailureException.
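An added sketch of the proposal above, written here to illustrate the thread and not taken from Openfire's code base: the exception extends IOException so the CallbackHandler can rethrow it unchanged, the SaslServer is assumed to wrap it as the cause of a SaslException, and the final mapping honours the sasl.detailed-errors switch so a locked-down deployment still answers with the generic not-authorized. The property lookup is replaced by a static flag; the class and method names other than those in the thread are assumptions.

```java
import java.io.IOException;
import java.net.ConnectException;
import javax.security.sasl.SaslException;

// Proposed exception. Extending IOException lets CallbackHandler.handle(),
// which may only throw IOException/UnsupportedCallbackException, pass it up.
class TemporaryAuthFailureException extends IOException {
    TemporaryAuthFailureException(String msg, Throwable cause) { super(msg, cause); }
}

public class SaslFailureMapper {
    // Stand-in for the sasl.detailed-errors property (assumption: the real
    // code would read it from Openfire's property store; default true).
    static boolean detailedErrors = true;

    // What the thread expects the SaslServer to do with the IOException
    // coming out of the callback handler: keep it as the cause.
    static SaslException wrap(IOException fromCallback) {
        return new SaslException("authentication callback failed", fromCallback);
    }

    // The check described for SASLAuthentication: the specific condition is
    // reported only for a temporary failure AND when detailed errors are
    // enabled; every other case stays the generic, non-leaking reply.
    static String failureCondition(SaslException e) {
        Throwable cause = e.getCause();
        if (cause instanceof TemporaryAuthFailureException && detailedErrors) {
            return "temporary-auth-failure";
        }
        return "not-authorized";
    }

    public static void main(String[] args) {
        // Constructed scenario: the AuthProvider's backend (e.g. LDAP) is down.
        IOException backendDown = new TemporaryAuthFailureException(
                "directory server unreachable", new ConnectException());
        SaslException downstream = wrap(backendDown);

        System.out.println("detailed errors on:  " + failureCondition(downstream));
        detailedErrors = false; // deployment that treats the detail as leakage
        System.out.println("detailed errors off: " + failureCondition(downstream));

        // A plain credential failure carries no such cause and is generic either way.
        System.out.println("bad password:        "
                + failureCondition(new SaslException("bad credentials")));
    }
}
```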

Hello,

I am not sure whether any XMPP client supports this. We have a closed-source application which uses XMPP; I would extend the XMPP code in it to understand this.

Yes, I would use this for external authentication (see http://www.igniterealtime.org/community/message/174380). I also encouraged the ejabberd people to extend their interface to support this temporary auth failure condition (see https://support.process-one.net/browse/EJAB-689).

It would also be nice if the deprecated Non-SASL authentication (http://www.xmpp.org/extensions/xep-0078.html) could support this. The XMPP library I found happens to use Non-SASL authentication.

Attila