Custom auth provider in a plugin

Hello Mikey,

I am just starting down the path of doing the same thing for my application. We also have a user data store that will require customization to how users are authenticated.

I was hoping I could integrate Openfire with an AD user store and do a custom database implementation along with the LDAP/AD configuration (for a different set of users). It seems only one or the other user store configuration is supported (as far as I can tell).

So, my only option it seems is to do this same thing … I was hoping I could follow the path that was outlined here, but then I got to the end and see a problem was encountered with no resolution! Yikes! I didn’t want to progress without some sort of “warm fuzzy” that it was going to eventually work. It seems like you got it to work - so I will proceed.

Thanks!

Anna.

All working fine here - remember that you’ll need to use one of those authentication types for logging into the admin console… Good luck!

Hello Mikey -

Thanks for the good wishes! I feel I am close …

With your custom auth provider did you use SASL authentication in your process? If not - how did you get around the SASL authentication requirements or is there a way to remove the SASL requirement from your auth provider?

Anna.

This has been resolved, but I just wanted to respond for the readers of these discussions:

When creating a custom Auth provider if you do not want to provide SASL authentication within your new auth provider construct set the Openfire configuration sasl.mechs to anonymous.

1 Like

Mikey -

How do I configure my authentication type to be used for logging into my admin console?

Anna.

Hi Anna,

Sorry, I think my post was a bit misleading, let me try to clear it up.

When using our custom auth token provider, the password entered by the user is actually a long token that no-one would be expected to remember. The user never enters that password directly, it’s supplied by the client app they use (we write our own client app for chatting in Actionscript).

However, we still want our system admins to log in to the admin console using an easy to remember password, so we enable the standard authentication which is against the internal Openfire DB.

So to be clear - you don’t need specific authentication to get into the admin console - it’s just something we do (which I’m not even sure is right to be honest).

Are you having problems getting into the admin console with your new authentication?

Hello Mikey -

Thanks for keeping up with me.

The answer is “yes” to your last question. I am unable to log into the console. I thought it might have something to do with what you were saying in your previous post, but maybe I’m on the wrong track.

Some background: I don’t have a hybrid auth provider - just one overridden provider with my own class talking SSL to my server to authenticate users. Getting the certificates wrestled into submission was a chore in and of itself, but that’s another story.

I thought that my regular authentication provider would be used for console authentication - but apparently that is incorrect? I can log in my “admin” user through a Jabber client and see my authentication provider doing its job. But when I navigate to ip:9090 and use those same credentials I am unable to log in. I see a log line in warn.log regarding the failed console login attempt, but no “authentication attempt” is logged by my custom authentication provider.

Here is what the log line in warn.log looks like:

2011.03.25 10:27:50 Failed admin console login attempt by admin@prx.eng.westminster.polycom.com from 10.33.24.55

I have this configuration for my admin user and I am not overriding (via my configuration DB) the default admin provider (so I think I am getting DefaultAdminProvider functionality):

admin.authorizedJIDs = admin@prx.eng.westminster.polycom.com

admin.authroizedUsernames = admin

Do you have any suggestions on what might be going wrong?

Anna.

Hey,

If you don’t specify a hybrid auth provider then you’re using one provider only (your SSL one). So I think that admin user is trying to log in against the SSL provider and failing - maybe stick some logging in your plugin to verify this. So yeah - I think if you want an admin login to work using the username and password from the DB then you have to go Hybrid I’m afraid… but hopefully someone else is reading this that could clarify that : )

Well - after adding some logging I find that if you log into the admin console with user

admin@domain.com

What ends up in the backend is something that looks like this …

administrator\40prx.eng.westminster.polycom.com@prx.eng.westminster.polycom.com

= not gonna work

Drop the domain in the login and all is well.

Looks like I can put user authentication to bed.

Mikey - thanks for all your help!
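The string Anna saw in her backend is what XEP-0106 (JID Escaping) produces when the entire admin-console username field, “@” included, is treated as the node part of a JID and then joined to the server domain. The following is an added illustration, not code from this thread or from Openfire: a simplified escaper/unescaper for the XEP-0106 character set (it always escapes a backslash, which the spec only requires in the ambiguous case), using a constructed placeholder domain.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class JidEscapeDemo {

    // Characters XEP-0106 does not allow unescaped in a node, mapped to their escape codes.
    private static final Map<Character, String> ESCAPES = new LinkedHashMap<>();
    static {
        ESCAPES.put(' ',  "\\20");
        ESCAPES.put('"',  "\\22");
        ESCAPES.put('&',  "\\26");
        ESCAPES.put('\'', "\\27");
        ESCAPES.put('/',  "\\2f");
        ESCAPES.put(':',  "\\3a");
        ESCAPES.put('<',  "\\3c");
        ESCAPES.put('>',  "\\3e");
        ESCAPES.put('@',  "\\40");
        ESCAPES.put('\\', "\\5c");
    }

    /** Escape a node (local part). Simplification: a backslash is always escaped. */
    public static String escapeNode(String node) {
        StringBuilder sb = new StringBuilder(node.length());
        for (char c : node.toCharArray()) {
            String esc = ESCAPES.get(c);
            if (esc != null) {
                sb.append(esc);
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Reverse the escaping ("\40" becomes '@'); unknown sequences are left untouched. */
    public static String unescapeNode(String escaped) {
        StringBuilder sb = new StringBuilder(escaped.length());
        int i = 0;
        while (i < escaped.length()) {
            char c = escaped.charAt(i);
            if (c == '\\' && i + 2 < escaped.length()) {   // two more chars available
                String seq = escaped.substring(i, i + 3);
                Character original = null;
                for (Map.Entry<Character, String> e : ESCAPES.entrySet()) {
                    if (e.getValue().equals(seq)) {
                        original = e.getKey();
                        break;
                    }
                }
                if (original != null) {
                    sb.append(original.charValue());
                    i += 3;
                    continue;
                }
            }
            sb.append(c);
            i++;
        }
        return sb.toString();
    }

    /** The bare JID the server ends up looking for when the whole field is the node. */
    public static String bareJidFor(String typedUsername, String serverDomain) {
        return escapeNode(typedUsername) + "@" + serverDomain;
    }

    public static void main(String[] args) {
        String domain = "xmpp.example.net";   // constructed placeholder, not the thread's host
        // Username typed with the domain: the inner '@' is escaped, so no account matches.
        System.out.println(bareJidFor("admin@" + domain, domain));
        // Username typed without the domain: the JID that actually matches the admin account.
        System.out.println(bareJidFor("admin", domain));
        // Round trip of the escaped node back to what the operator typed.
        System.out.println(unescapeNode(escapeNode("admin@" + domain)));
    }
}
```

Running `main` shows the same shape as the warn.log entry in this thread: `admin@xmpp.example.net` typed into the username field becomes the node `admin\40xmpp.example.net`, which the server then suffixes with `@xmpp.example.net`, while typing plain `admin` produces the expected `admin@xmpp.example.net`. A custom provider that logs the raw username it receives (as Mikey suggested) makes this kind of mismatch obvious.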

Thanks for all the help in here. I solved this problem following your suggestion; here are my steps (forgive my poor English):

1. Insert the proper key-value pairs in the database table ofProperty, following the official documentation.

2. Write my own auth provider: infoair.obcs.auth.ObcsAuthProvider, infoair.obcs.auth.JDBCUserProvider.

Package the two classes in an ObcsAuth.jar and put it in openfire/lib; it works. (The jar must include the package folders, i.e. /infoair/obcs/auth/ObcsAuthProvider.class, not only the class file.)

3. Some things you may need to notice:

If your database uses MD5, Openfire supports MD5 in JDBCUserProvider, but it requires your MD5 passwords to be in lowercase letters. If your MD5 passwords are uppercase, you’ll have to write your own implementation.

If you want to do something else in the auth provider, for example look up a deptId from your own database there, you can’t just invoke your DAO in your plugin; it will cause an error: can’t find class. You can only move the whole DAO to live with the provider, or use the Openfire Connection.

If you want to use the Openfire default connection, you can set this key-value: jdbcAuthProvider.useConnectionProvider true

Hello guys

I created a custom auth provider with hybrid authentication and it works fine.

But in the case that the user is not authenticated I would like to send a piece of information to the client (the reason why it is not authenticated). I put this message in the UnauthorizedException message, but it seems that it is not sent to the client!

How can I send back customized piece of info to the client in the case it is not authenticated?

Thanks

Any idea about my problem here?!

Your question is not about custom auth providers; it is about returning information upon login error conditions to clients. If I were you I’d open a new discussion chain about returning error information to the client and your specific use of the UnauthorizedException message for further help.

Hi,

I have implemented the custom JDBCAuthProvider.java.

  • I am able to Login into admin console - It just works fine

Now, I have another application running in production. I want to call the method which is in the production environment (that method authenticates the username and password and returns success if authentication succeeds, else returns an error message) to complete the authentication (here, I don’t save the password in the DB; it is a session ID of a user in the production environment). Now, authenticate(username, password) of the custom JDBCAuthProvider.java is not getting invoked when I try to log in through the client (I am using Strophe “HTTP Binding” for my client), so that I could call the production class.

Could anyone please help me with how to invoke the class from JDBCAuthProvider.java (or any other Openfire class) which is in the production environment?

Thanks,

Rajeev

I think you need to use the hybrid auth provider. See

http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/javadoc/org/jivesoftware/openfire/auth/HybridAuthProvider.html

Yes, You are right…

It is working fine now…

Thank you,

Rajeev

I know this is an old question but I wanted to answer it with my solution in case anyone else stumbles across this forum like I did. I wanted to include my AuthProvider as part of my Plugin instead of creating a separate jar file that had to be installed separately. Loading everything in the plugin jar via the admin console seemed like a much cleaner solution for people using the plugin.

As several other people mentioned, plugins are not included in the classpath of the core Openfire class loaders during startup. Even setting “provider.auth.className” in the plugin initializer fails because it is not included in the classpath. However, if you import the auth class and create an instance of that class before setting “provider.auth.className”, it will work correctly:

    import org.jivesoftware.util.JiveGlobals;   // Openfire's global property store

    MyAuthProvider foo = new MyAuthProvider();  // loaded through the plugin's own classloader
    JiveGlobals.setProperty("provider.auth.className", foo.getClass().getName());

I also had to add an empty constructor for my AuthProvider class but this seems to work fine.

When Openfire starts it will initially fail to find my class and revert to the default AuthProvider but as soon as my plugin loads it changes the auth class to mine again. This is a very short delay and it also has the advantage of automatically reverting Openfire to its default auth provider if the plugin is deleted.

It might not be an optimal solution so I’ll update this forum if I find problems with more extensive testing.

6 Likes
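Patrick’s two lines sit inside a plugin’s initializer; as an added example (not Patrick’s code and not part of Openfire), here is a complete plugin class that applies his approach and also hands authentication back when the plugin is unloaded, so the property is never left pointing at a class that is no longer on the classpath. Assumptions: the package name `com.example.chat` and the class `MyAuthProvider` (which is taken to implement `org.jivesoftware.openfire.auth.AuthProvider` in the same plugin jar; its method set depends on the Openfire version, so it is not reproduced), and that the Openfire release in use ships the SLF4J logging API.

```java
// Added example, not the thread author's or Openfire's own code.
package com.example.chat;   // hypothetical package for this plugin

import java.io.File;

import org.jivesoftware.openfire.container.Plugin;
import org.jivesoftware.openfire.container.PluginManager;
import org.jivesoftware.util.JiveGlobals;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class CustomAuthPlugin implements Plugin {

    private static final Logger LOG = LoggerFactory.getLogger(CustomAuthPlugin.class);
    private static final String AUTH_PROPERTY = "provider.auth.className";

    // Provider class name that was configured before this plugin took over (null if unset).
    private String previousProviderClass;

    @Override
    public void initializePlugin(PluginManager manager, File pluginDirectory) {
        previousProviderClass = JiveGlobals.getProperty(AUTH_PROPERTY);

        // Instantiating the class first, through the plugin's classloader, is the step
        // Patrick found necessary: a bare class name set from a plugin is not resolvable
        // by the core loaders. MyAuthProvider is assumed to live in this plugin jar.
        MyAuthProvider provider = new MyAuthProvider();
        String className = provider.getClass().getName();

        // Set unconditionally so the property change is applied even if the same value
        // was persisted from an earlier run and failed to load during startup.
        JiveGlobals.setProperty(AUTH_PROPERTY, className);
        LOG.info("{} switched from {} to {}", AUTH_PROPERTY, previousProviderClass, className);
    }

    @Override
    public void destroyPlugin() {
        String ownClass = MyAuthProvider.class.getName();
        if (previousProviderClass != null && !previousProviderClass.equals(ownClass)) {
            // Restore whatever provider was configured before us.
            JiveGlobals.setProperty(AUTH_PROPERTY, previousProviderClass);
        } else {
            // Nothing sensible to restore: remove the property so Openfire uses its default.
            JiveGlobals.deleteProperty(AUTH_PROPERTY);
        }
        LOG.info("{} restored to {}", AUTH_PROPERTY, JiveGlobals.getProperty(AUTH_PROPERTY));
    }
}
```

Because `destroyPlugin` also runs at server shutdown, each restart goes through the same brief window Patrick describes, in which the default provider is active until the plugin has loaded; the explicit restore only avoids the failed class lookup on that path and makes the hand-back visible in the logs. A log line at the start of `MyAuthProvider.authenticate` is worth keeping alongside this, since the thread above shows that the first symptom of a misconfigured provider is usually that it is never called at all.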

Dear Patrick,

Thank you very much for sharing your experience with us.

Your suggestion works like a charm.

For me it was not necessary to have an empty constructor for MyAuthProvider and it works very well.

+1

How do I create a custom auth provider? I am new to Java.