powered by Jive Software

Test - webAuth Plugin

I’m using this document for some things … to decide what to put in ‘Plugin Documents’ and what to put in the readme.html file of the plugin … and why webMUC is not yet ready.

So everything you find here may be wrong and not yet available as code.

Feedback is wanted, even if this is only a test.


or Current Release --> see changelog.html


–> see readme.html


alpha/beta/stable --> see readme.html


@Matt Tucker, @Derek DeMoro, …

Open Issues

?? link to JIRA ?? do get developers JIRA access ??

Source Code

?? link to SVN ?? do get developers SVN access ??

Feedback and Discussion

Community Plugins


This plugin allows users to authenticate with a browser using a simple HTML form without the need for AJAX or Javascript. It supports HTTP and HTTPS GET and POST while HTTPS POST is the preferred way. It will set a cookie on the client which allows other plugins like webMUC and webVCard to get the user information. It has nothing to do with HTTP binding and is thus a very simple plugin, also for clients.

It comes with an AccessLog module which allows all web* plugins to write a user defined log file (CLF, NCSA, …). Even the Openfire admin console and core components (like XMPP authentication) can use it.


Define the property plugin.webauth.templatedirectory=/foo/bar/ while in /foo/bar you need to put the index.html file which is used for authentication and should contain a form like:

<frommethod="POST" action="https://yourdomain/plugins/webAuth/login.jsp">
<input name="JID" type="text" size="30" maxlength="3070">
<input name="pass" type="password" size="10" maxlength="32">

If the webMUC plugin needs to authenticate the user it will send a redirect to “https://yourdomain/plugins/webAuth/login.jsp?location=https://yourdomain/plugins /webMUC/” to the browser, so after successful authentication the webAuth plugin will send a redirect to the value of ‘location’.


Add some Javascript to convert the user input to UTF-8 before transferring it.

Add logout.jsp to allow the user to logout.

Add client-side Javascript based public key encryption so one can use it safely over HTTP.

Count the login attempts to avoid password hacking using various techniques like adding Captchas to the login page if the first login did fail or block IP addresses.

Allow to run this as an XML based Webservice.