Passing extra arguments to login

Hi,

How can I pass extra arguments while authenticating? I have written an auth provider to allow SiteMinder authentication; if a user does not exist, a new user is created. Now, after creating the user, I would like to add the user to a group; it's like classifying the user into a department. If a department does not exist, I should be able to create it. I think I can do this with the help of GroupManager.getProvider().addMember and GroupManager.getProvider().createGroup. The problem is: how do I pass the extra string (group name) to the authenticate method?

thanks

krishnan

I'm not sure I follow what it is you are trying to do, exactly. If a user does not exist, how would you know what group to put them in anyway? If you are just using defaults, then there is no need to pass around extra information.

If the user exists in SM, but not OF, can’t you get the extra info from SM during the login process? Or does the user need to give a group with the username?

Maybe if you explain how the process works I can help you out.

Here is the overview of the process.

  1. The user logs in to the application using SiteMinder authentication.

  2. A request is sent to Openfire when the user wishes to log in to the chat server.

  3. Now, since the user is already authenticated to SM, his request is not being revalidated in Openfire and hence the information is not directly available during the login process.

I would like to add the group name while the user is being created in the chat server. How can I pass the group name from the client to the chat server during login? A user is created and classified into the group name sent if it does not exist in OF. The communication to the chat server would be using the Smack API or via a JavaScript implementation of XMPP.

thanks

krishnan

A few clarifying points for you: The Auth provider only provides authentication via username/password, so in effect if you write an SM provider, they will still need to log in every time, but can use the same credentials that SM has. The SM provider can then do whatever lookups you want it to, but that is not coming from the client. If you want a single-sign-on approach, you need to write a SaslClient and SaslServer that authenticate to each other in some way. When you do that you can pass any info you want around (but you are also designing your own protocol, essentially).

I'm having trouble following where the information is originating from. So let me repeat it back to you, and you can correct me if something is wrong.

  • The client (written using Smack or whatever) somehow knows how to obtain the SM credentials.

  • The client then passes these credentials to Openfire

  • Openfire validates the credentials

  • If the user does not exist in Openfire yet, it needs to be created

  • The client (written using Smack or whatever) somehow knows how to obtain the SM credentials. – This is correct; also I need to pass the group in addition to the credentials.

  • The client then passes these credentials to Openfire – This is correct.

  • Openfire validates the credentials – It does not, as the request is already validated; it bypasses the verification of the credentials (similar to the POP3 auth provider).

  • If the user does not exist in Openfire yet, it needs to be created – This is correct. While the user is being created, a group is also allocated based on the info passed during login.

The point I am stuck on is the first one: how do I pass the group name, in addition to username/password?

Also, can you please give me more info about SASL?

thanks

krishnan

Well, you can't, sort of. The SASL mechanisms are all based around a username and password only, essentially. You have a few choices: you can try to force that information into an existing SASL mechanism, or write your own. Some SASL mechanisms have a concept of a "domain" or "realm" that you might be able to use, but you might be using it in a very unintended way. But really, you are talking about a whole new authentication mechanism here, so the correct way to do it would be to write a new SaslServer for Openfire and a SaslClient for Smack.

If the only way is to write a SASL server/client, can you please point me to where I can get more information on how to write a SASL server and how to set it as the default authentication?

I have no knowledge of what SASL is.

thanks

krishnan

This is not a separate client/server from Smack/Openfire. Basically, you need to implement these interfaces:

http://java.sun.com/j2se/1.5.0/docs/api/javax/security/sasl/SaslServer.html

http://java.sun.com/j2se/1.5.0/docs/api/javax/security/sasl/SaslClient.html

More detailed info is here: http://java.sun.com/j2se/1.5.0/docs/guide/security/sasl/sasl-refguide.html. It should explain what you need to do to implement a new SASL mechanism. With Java being open source now, you can even take a look at Sun's own implementation for an example.
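To make the suggestion above concrete, here is an added example (not code from Openfire, Smack, or anyone in this thread) of a server-side SaslServer for a hypothetical mechanism "X-SM-GROUP" that carries the group name alongside the username and password in the single client response. The mechanism name, the NUL-separated layout and the CredentialChecker hook are assumptions.

```java
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import java.nio.charset.StandardCharsets;

// Added example, not Openfire's or Smack's own code. Mechanism name, wire layout and
// CredentialChecker are assumptions; the layout is user NUL secret NUL group, PLAIN-style.
public class SmGroupSaslServer implements SaslServer {
    /** Hypothetical hook standing in for whatever validates the SM credential. */
    public interface CredentialChecker { boolean check(String user, String secret); }
    private static final int MAX_FIELD = 255;   // cap each field; reject oversized input early
    private final CredentialChecker checker;
    private boolean complete;
    private String user;
    private String group;

    public SmGroupSaslServer(CredentialChecker checker) { this.checker = checker; }

    @Override public String getMechanismName() { return "X-SM-GROUP"; }
    @Override public byte[] evaluateResponse(byte[] response) throws SaslException {
        if (complete) throw new SaslException("authentication already completed");
        String[] parts = new String(response, StandardCharsets.UTF_8).split("\0", -1);
        if (parts.length != 3) throw new SaslException("malformed response");
        for (String p : parts) {
            if (p.length() > MAX_FIELD) throw new SaslException("field too long");
        }
        // The group name is client-supplied: constrain it before it reaches GroupManager.
        if (!parts[2].isEmpty() && !parts[2].matches("[A-Za-z0-9_.-]+")) {
            throw new SaslException("invalid group name");
        }
        if (parts[0].isEmpty() || !checker.check(parts[0], parts[1])) {
            throw new SaslException("authentication failed");
        }
        user = parts[0];
        group = parts[2];
        complete = true;
        return null;   // single round trip: no server challenge follows
    }

    @Override public boolean isComplete() { return complete; }
    @Override public String getAuthorizationID() { return user; }
    // Server-side code reads the group after success via getNegotiatedProperty("group").
    @Override public Object getNegotiatedProperty(String name) {
        if (!complete) throw new IllegalStateException("authentication not complete");
        return "group".equals(name) ? group : null;
    }
    @Override public byte[] unwrap(byte[] in, int off, int len) { throw new IllegalStateException("no security layer"); }
    @Override public byte[] wrap(byte[] in, int off, int len) { throw new IllegalStateException("no security layer"); }
    @Override public void dispose() { user = null; group = null; }
}
```

Because the group name originates from the client, the server still has to decide whether that user may be placed into that group before calling GroupManager; the matching SaslClient would simply build the same three NUL-separated fields as its initial response.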

Thanks for the information. I will get started on implementing the SASL API. After I have finished implementing it, how can I set it as the default authentication method in Openfire?

thanks

krishnan

The openfire.xml config specifies which SASL mechanisms to use.