SASL EXTERNAL authentication with Smack

Hi all,

I am trying to develop an XMPP client using Smack for use with an Openfire server. As I understand it, Openfire support SASL EXTERNAL authentication and I am trying to use Smack to develop a client that can support it as well.

According to the Java doc for Smack:


The server may support many SASL mechanisms to use for authenticating. Out of the box

Smack provides SASL PLAIN but it is possible to register new SASL Mechanisms. Use

registerSASLMechanism(int, String, Class) to add new mechanisms. See


Am I right in saying that Smack does not provide the SASL EXTERNAL mechanism and I would have to would have to write my own subclass of SASLMechanism in order to enable it?

Are there any examples (source codes etc) currently available or some sort of guide on how to do this? I am new to Smack and some help would be appreciated.


EXTERNAL support is there, but used by very few at this poinit- so be aware that there might be bugs lurking about. That said, its fairly easy to use if you understand the concepts involved. Also, if looking for examples, the only example I know if is Spark itself (from svn). Take a look at LoginDialog (and LoginSettingsDialog).

Here is the basic overview:

To get Smack to register EXTERNAL as a possibility (its disabled by default), you need to run SASLAuthentication.supportSASLMechanism(“EXTERNAL”);

Next, if you want it to work, you need to be able to supply a certificate in some way. You indicate which you will use via the ConnectionConfiguration object. There are a few supported options, you set by ConnectionConfiguration’s setKeystoreType(…) method:

  • “PKCS11” - This requires you setPKCS11Library(…) to the location of the PKCS#11 library

  • “JKS” - This requires you setKeystorePath(…) to the location of the Java Keystore

  • “X509” - Non functional- wont work yet. Eventually should support a PEM encoded cert+key or something. Maybe another format.

  • “Apple” - Useful only on Mac’s, will use Apple’s Key Chain

In these cases, you need to make sure you are using the XMPPConnection with a callback handler, since that is how the password/pin/whatever will be prompted for obtaining the certificate. You may or may not be prompted for a username/password to authenticate to the server, depending on how the server is configured.

Next, you need to configure a truststore- this is a JKS that contains only the CA’s (and any intermediate CA’s) you will trust. Set this wil setTruststorePath(…) and set the password for it with setTruststorePassword(…).

Example (untested):

ConnectionConfiguration config = ConnectionConfiguration(serverName);
// set other config options here... XMPPConnection connection = new XMPPConnection(config, myCallbackHandler);

Thank you for your reply. There seems to be some problems regarding parts of the example code you wrote in your reply:


There is no setKeystorePath method for the ConnectionConfiguaration class according to the Smack javadoc.

XMPPConnection connection = new XMPPConnection(config, myCallbackHandler);

There is no constructor for XMPPConnection that has the accepts CallbackHandler as an argument.

Would the code still work without these two lines?

Thanks again for you help.

What version of Smack are you using? You may need to use the version in Subversion instead of a released version- I don’t recall if the changes have been released yet.

I using the latest release version - 3.0.4.

One more question:

Am I correct in saying that if I can successfully implement SASL EXTERNAL authentication, the client will no longer require the use of a password to authenticate itself with the Openfire server?

Can new user registration work the same way (i.e. no passwords required just the cert)?