I've been using your latest rendition of Wildfire for the last few weeks, and I have been really impressed by the robustness and quality. I really love it.
I have stumbled upon a problem this weekend, which took me a day of hunting to find.
I wrote an XMPP client with SASL/MD5 authentication, which I have been using on a variety of servers for many months now, but I haven't been able to log into Wildfire with it. My client sends the optional authzid field. The error in the Warning log is something like:
DIGEST-MD5: user is not authorized to act as user@host
This SASLException originally comes from a Sun class, DigestMd5Server.java. There is a copy here:
The exception comes from the test here, where the username is compared to the received authzid (line 79)
IMHO, the problem lies in the straight equality test here:
This might be a more robust test:
if ( authenId.equals(authorId) || authorId.startsWith(authenId + "@") )
or maybe, to be more strict:
if ( authenId.equals(authorId) || authorId.equals(authenId + "@" + host) )
Which can test for both cases, whether the client sends the authzid or not.
This should not be a security problem, since Wildfire is not vouching for other
This may seem overkill, but other servers can handle both conditions just fine.
Thanks again for this excellent server.
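The three comparisons discussed in the post, side by side, as an added example that is not Wildfire's code or the poster's: the straight equality that rejects "user@host", the prefix relaxation, and the exact-JID relaxation, run over a handful of constructed authzid values. The host name and the user names are assumptions for illustration. It also shows the caveat a practitioner would want before patching the server: the prefix form accepts "alice@" followed by any host, so only the exact-JID form keeps the check's purpose, which is to stop a client from acting as a different user. An absent authzid is treated as "act as yourself", which is what RFC 2831 specifies for an omitted authzid.

```python
"""Added example (not Wildfire's own code): the DIGEST-MD5 authzid check
in the three forms the forum post discusses, evaluated over constructed
inputs. HOST and the user names are assumptions for illustration."""

from typing import List, Optional, Tuple

HOST = "example.org"  # assumed server domain; stands in for the post's "host"


def strict_equality(authen_id: str, author_id: str) -> bool:
    """The check the post reports: authzid must equal the username exactly."""
    return authen_id == author_id


def prefix_match(authen_id: str, author_id: str) -> bool:
    """The post's first proposal: accept the bare username or anything that
    starts with 'username@'. This also accepts a foreign host after the '@'."""
    return authen_id == author_id or author_id.startswith(authen_id + "@")


def exact_jid_match(authen_id: str, author_id: str, host: str = HOST) -> bool:
    """The post's stricter proposal: accept the bare username or exactly
    'username@host' for this server's own host."""
    return authen_id == author_id or author_id == authen_id + "@" + host


def authorize(authen_id: str, author_id: Optional[str], host: str = HOST) -> bool:
    """Server-side decision as a practitioner would wire it: an omitted or
    empty authzid means 'act as yourself' (RFC 2831 treats a missing authzid
    as the authentication id); otherwise apply the exact-JID comparison."""
    if not author_id:
        return True
    return exact_jid_match(authen_id, author_id, host)


# Constructed cases: (authentication id, authzid sent by the client, expected)
CASES: List[Tuple[str, Optional[str], bool]] = [
    ("alice", None, True),                    # client omits authzid
    ("alice", "alice", True),                 # bare username
    ("alice", "alice@example.org", True),     # the post's failing case
    ("alice", "bob", False),                  # acting as another user
    ("alice", "bob@example.org", False),
    ("alice", "alice@evil.example", False),   # foreign host; prefix_match accepts this
    ("alice", "alice@example.org/home", False),  # full JID with resource, not a bare JID
]


def run_cases() -> List[Tuple[str, Optional[str], bool]]:
    """Return (authen_id, authzid, decision) for every constructed case."""
    return [(a, z, authorize(a, z)) for a, z, _ in CASES]


def all_cases_pass() -> bool:
    """True when authorize() agrees with the expected outcome of every case."""
    return all(authorize(a, z) == expected for a, z, expected in CASES)


if __name__ == "__main__":
    for authen, authz, decision in run_cases():
        print(f"{authen!r} as {authz!r}: {'allowed' if decision else 'rejected'}")
    print("all cases as expected:", all_cases_pass())
```

The difference between the two relaxations is the "alice@evil.example" case: prefix_match lets it through, exact_jid_match does not, so the stricter line from the post is the one to carry into the server.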