I am trying to develop an Openfire plugin that implements IQHandler to handle my custom IQ.
However, I want to be sure that an authenticated user cannot send a forged IQ with a “from” attribute different from their own (to usurp someone’s identity).
So I am wondering if, by default, Openfire would reject any IQ with a “from” attribute containing a JID different from the one of the user authenticated as the owner of the connection that sent this IQ?
If not, how can I check, in my plugin code, that the “from” attribute of an IQ actually matches the one of the owner of the session that sent it? (NOTE: I do not accept anonymous connections to my server, so a user must be authenticated to be able to send an IQ to the server.)