I am trying to develop an XMPP client using Smack for use with an Openfire server. As I understand it, Openfire supports SASL EXTERNAL authentication and I am trying to use Smack to develop a client that can support it as well.
According to the Java doc for Smack:
"The server may support many SASL mechanisms to use for authenticating. Out of the box Smack provides SASL PLAIN but it is possible to register new SASL Mechanisms. Use registerSASLMechanism(int, String, Class) to add new mechanisms. See SASLMechanism."
Am I right in saying that Smack does not provide the SASL EXTERNAL mechanism and I would have to write my own subclass of SASLMechanism in order to enable it?
Are there any examples (source codes etc) currently available or some sort of guide on how to do this? I am new to Smack and some help would be appreciated.
EXTERNAL support is there, but used by very few at this point, so be aware that there might be bugs lurking about. That said, it's fairly easy to use if you understand the concepts involved. Also, if looking for examples, the only example I know of is Spark itself (from svn). Take a look at LoginDialog (and LoginSettingsDialog).
Here is the basic overview:
To get Smack to register EXTERNAL as a possibility (it's disabled by default), you need to run SASLAuthentication.supportSASLMechanism("EXTERNAL");
Next, if you want it to work, you need to be able to supply a certificate in some way. You indicate which you will use via the ConnectionConfiguration object. There are a few supported options, which you set by ConnectionConfiguration's setKeystoreType(...) method:
"PKCS11" - This requires you to call setPKCS11Library(...) with the location of the PKCS#11 library
"JKS" - This requires you to call setKeystorePath(...) with the location of the Java Keystore
"X509" - Non functional, won't work yet. Eventually should support a PEM encoded cert+key or something. Maybe another format.
"Apple" - Useful only on Macs, will use Apple's Key Chain
In these cases, you need to make sure you are using the XMPPConnection with a callback handler, since that is how the password/pin/whatever will be prompted for obtaining the certificate. You may or may not be prompted for a username/password to authenticate to the server, depending on how the server is configured.
Next, you need to configure a truststore: this is a JKS that contains only the CAs (and any intermediate CAs) you will trust. Set this with setTruststorePath(...) and set the password for it with setTruststorePassword(...).
Example (untested):
// enable EXTERNAL (disabled by default) before building the connection
SASLAuthentication.supportSASLMechanism("EXTERNAL");
ConnectionConfiguration config = new ConnectionConfiguration(serverName);
config.setKeystoreType("JKS"); // client certificate comes from a Java Keystore
config.setKeystorePath(System.getProperty("user.home") + "/.keystore");
config.setTruststorePath("/etc/truststore"); // JKS holding only the CAs you trust
config.setTruststorePassword("foobar");
// set other config options here...
XMPPConnection connection = new XMPPConnection(config, myCallbackHandler);
What version of Smack are you using? You may need to use the version in Subversion instead of a released version- I don’t recall if the changes have been released yet.
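The steps in the answer above (enable EXTERNAL, pick a keystore type, point Smack at a truststore that holds only the CAs you trust, and hand the connection a CallbackHandler that answers the keystore password prompt) put together as one client, as an added example that is not code from the original thread or from the Smack project. It assumes the Smack 3.x API the answer refers to (SASLAuthentication.supportSASLMechanism, ConnectionConfiguration, the XMPPConnection(config, handler) constructor and SecurityMode.required); the KeystoreCallbackHandler class, the environment variable names and the use of an empty password in login() for EXTERNAL are this example's own assumptions, not something the thread states.

```java
import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.jivesoftware.smack.ConnectionConfiguration;
import org.jivesoftware.smack.SASLAuthentication;
import org.jivesoftware.smack.XMPPConnection;
import org.jivesoftware.smack.XMPPException;

public class ExternalAuthClient {

    // Hypothetical handler: Smack asks this for the keystore password (or PKCS#11 PIN)
    // when it opens the client certificate. Sourcing the secret from the environment
    // keeps it out of source code and out of the process command line.
    static final class KeystoreCallbackHandler implements CallbackHandler {
        private final String username;
        private final char[] keystorePassword;

        KeystoreCallbackHandler(String username, char[] keystorePassword) {
            this.username = username;
            this.keystorePassword = keystorePassword;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof PasswordCallback) {
                    // hand out a copy; PasswordCallback.clearPassword() will wipe its own array
                    ((PasswordCallback) cb).setPassword(keystorePassword.clone());
                } else if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else {
                    // fail closed on anything we do not know how to answer
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    // Builds a configuration that only accepts a TLS-protected session and authenticates
    // with a client certificate held in a JKS keystore.
    static ConnectionConfiguration buildConfig(String serverName, String keystorePath,
                                               String truststorePath, String truststorePassword) {
        // EXTERNAL is off by default in Smack; register it before connecting
        SASLAuthentication.supportSASLMechanism("EXTERNAL");

        ConnectionConfiguration config = new ConnectionConfiguration(serverName);
        // refuse to fall back to a plaintext stream: the certificate exchange needs TLS
        config.setSecurityMode(ConnectionConfiguration.SecurityMode.required);
        // client certificate + private key live in a Java Keystore
        config.setKeystoreType("JKS");
        config.setKeystorePath(keystorePath);
        // truststore holds only the CA (and intermediate CA) certificates we accept
        config.setTruststorePath(truststorePath);
        config.setTruststorePassword(truststorePassword);
        return config;
    }

    public static void main(String[] args) throws XMPPException {
        // assumption: deployment supplies these via the environment
        String serverName = System.getenv("XMPP_SERVER");
        String username = System.getenv("XMPP_USER");
        String keystorePath = System.getProperty("user.home") + "/.keystore";
        char[] keystorePassword = System.getenv("XMPP_KEYSTORE_PASSWORD").toCharArray();
        String truststorePassword = System.getenv("XMPP_TRUSTSTORE_PASSWORD");

        ConnectionConfiguration config =
                buildConfig(serverName, keystorePath, "/etc/truststore", truststorePassword);
        CallbackHandler handler = new KeystoreCallbackHandler(username, keystorePassword);

        XMPPConnection connection = new XMPPConnection(config, handler);
        connection.connect();
        try {
            // assumption: with EXTERNAL the server derives the identity from the certificate,
            // so no account password is sent; the username is the JID the cert maps to
            connection.login(username, "");
            System.out.println("authenticated as " + connection.getUser());
        } finally {
            java.util.Arrays.fill(keystorePassword, '\0');
            connection.disconnect();
        }
    }
}
```

SecurityMode.required is the setting worth keeping even while debugging: with EXTERNAL the whole authentication rests on the TLS handshake and on the truststore containing nothing but the CAs you actually trust, so a connection that silently negotiated no TLS would have nothing to authenticate with.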
Am I correct in saying that if I can successfully implement SASL EXTERNAL authentication, the client will no longer require the use of a password to authenticate itself with the Openfire server?
Can new user registration work the same way (i.e. no passwords required just the cert)?