Hi, all.
I've been using your latest rendition of Wildfire for the last few weeks, and I have been really impressed by the robustness and quality. I really love it.
I have stumbled upon a problem this weekend, which took me a day of hunting to find.
I wrote an XMPP client with SASL/MD5 authentication, which I have been using on a variety of servers for many months now, but I haven't been able to log into Wildfire with it. My client sends the optional authzid field. The error in the Warning log is something like:
DIGEST-MD5: user is not authorized to act as user@host
This SASLException originally comes from a Sun class, DigestMd5Server.java. There is a copy here:
http://www.cs.duke.edu/csed/java/source1.5/src/share/classes/com/sun/security/sasl/digest/DigestMD5Server.java
The exception comes from the test here, where the username is compared to the received authzid (line 79):
http://www.jivesoftware.org/fisheye/viewrep/svn-org/wildfire/trunk/src/java/org/jivesoftware/wildfire/net/XMPPCallbackHandler.java?r=3500
IMHO, the problem lies in the straight equality test here:
if (authenId.equals(authorId))
This might be a more robust test:
if ( authenId.equals(authorId) || authorId.startsWith(authenId + "@") )
or maybe, to be more strict:
if ( authenId.equals(authorId) || authorId.equals(authenId + "@" + host) )
Which can test for both cases, whether the client sends the authzid or not.
This should not be a security problem, since Wildfire is not vouching for other domains.
This may seem overkill, but other servers can handle both conditions just fine.
Thanks again for this excellent server.
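As an added illustration (not code from the post or from Wildfire itself), here are the two comparisons proposed above wrapped in a decision routine that also covers a client that omits the optional authzid. The host name "example.org" and the user names are constructed; the printout shows that the startsWith variant also accepts an authzid in a foreign domain, while the strict variant accepts only the server's own.

```java
import java.util.Arrays;
import java.util.List;

/** Hypothetical helper, not Wildfire's XMPPCallbackHandler. */
public final class AuthzidCheck {

    private AuthzidCheck() {}

    /** Lenient variant from the post: authenId itself, or authenId@<any domain>. */
    public static boolean lenientMatch(String authenId, String authorId) {
        return authenId.equals(authorId) || authorId.startsWith(authenId + "@");
    }

    /** Strict variant from the post: authenId itself, or authenId@host only. */
    public static boolean strictMatch(String authenId, String authorId, String host) {
        return authenId.equals(authorId) || authorId.equals(authenId + "@" + host);
    }

    /**
     * An absent or empty authzid means "act as the authenticated user" and is
     * always allowed; otherwise apply the selected comparison.
     */
    public static boolean authorize(String authenId, String authorId, String host, boolean strict) {
        if (authorId == null || authorId.isEmpty()) {
            return true; // client did not send the optional authzid
        }
        return strict ? strictMatch(authenId, authorId, host)
                      : lenientMatch(authenId, authorId);
    }

    public static void main(String[] args) {
        String host = "example.org"; // constructed server domain
        // Constructed sample authzid values a client might send for user "alice".
        List<String> authzids = Arrays.asList(null, "alice", "alice@example.org",
                                              "alice@other.example", "bob@example.org");
        for (String authzid : authzids) {
            System.out.printf("authzid=%-20s lenient=%-5b strict=%b%n",
                    authzid == null ? "(absent)" : authzid,
                    authorize("alice", authzid, host, false),
                    authorize("alice", authzid, host, true));
        }
    }
}
```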