IM Gateway Security Concerns

It’s my understanding that the IM Gateway caches the username/password combination for each gateway registration. I assume that this information is used to auto-login to the IM Transports when the corresponding Jabber user logs in.

I’m developing a client application with which users can create gateway registrations - my concern is that they might not want their IM credentials (possibly multiple sets of credentials) to be sitting on my server for extended periods of time.

Is it possible to disable this aspect of IM Gateway, so that, using client-side caching of credentials instead of server-side, I could re-register with each gateway for each session?

There is no built-in way to disable this feature. This data is secured; even the Openfire server admin cannot read the password. The user has control over the removal of the account from the server from the Spark client. You would need to include this feature as well.

In what way is the data secured? Specifically, assuming it is encrypted, who holds the key to the encryption?

Thanks

The password is encrypted and the key is in the settings (passwordKey property). See encryptPassword for details.

An admin with access to the database can decrypt the password, but he won’t see it by accident.