Possible authentication bug

I installed a fresh Openfire 3.3.2 server using a new database on my local machine and made a test user with a jid of test1 and a password of test1. Using the Smack 3.0.3 library I wrote a short Java program to connect and log in to the server. I found that the Openfire server will authenticate a login using “test1” as the user name and “” (blank) as the password. Using an incorrect password results in an SASL auth failure as expected. This issue only seems to occur when the password is identical to the user name. Also, this does not occur when using Smack 3.0.4. The following code produces an output of “true” despite the fact that test1 has a password:

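import org.jivesoftware.smack.ConnectionConfiguration;

import org.jivesoftware.smack.XMPPConnection;

// Connect to the Openfire server on host "alee", port 5222

ConnectionConfiguration config = new ConnectionConfiguration("alee", 5222);

XMPPConnection c = new XMPPConnection(config);

c.connect();

// Log in as test1 with a blank password

c.login("test1", "");

System.out.println(c.isAuthenticated());

c.disconnect();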