Thank you for your answer.
You said that the server advertises to the client which sasl mechanism it supports.
By the server do you mean openfire in this case or apache? and is the client the jabber client, spark for example?
If openfire is the server, what mechanisms it supports by default and how do I switch between them?
You said that I should be able to authenticate via the iq:auth method. Can I do it through httpbinding?