powered by Jive Software

Bug: Openfire has multiple bugs in user de-registration

I have detected two different bugs that occur after a user tries to de-register.

According to XEP-0077, the server SHOULD return a <not-authorized/> stream error. Openfire does not.

This is easily fixed by adding a few lines like these to IQRegisterHandler#handleIQ() (insert them just before the existing line ‘‘session.getConnection().close();’’):

... // Close the user''s connection
final StreamError error = new StreamError(StreamError.Condition.not_authorized);
session.getConnection().close(); ...

The second bug is that de-registration does not explicitly close connections from the same user, on other resources. Instead of just closing the session that received the de-registration request, the server should close all sessions.

Combined with the fix for the previous bug, the code could be modified to look something like this:

... // Close the user''s connections
final StreamError error = new StreamError(StreamError.Condition.not_authorized);
for (ClientSession sess : sessionManager.getSessions(user.getUsername()) )
} ...

I’'ve added a JUnit 3.8 Testcase that includes tests that check for the desired behavior. The testcase requires Smack.

This issue is recorded in JM-1085.