Smack

Add support for Kerberos/NTLM

Details

  • Type: New Feature
  • Status: Closed
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: 2.2.0
  • Fix Version/s: 3.1.0
  • Component/s: Core
  • Labels: None
  • Acceptance Test - Add?: No

Description

Add support for Windows Kerberos/NTLM as an authentication method. This would allow true single sign-on support. So far, Pandion is the only client known to have support for this on the client side. Request at:

http://www.jivesoftware.org/forums/thread.jspa?threadID=14636

Activity

Jay added a comment -

I attached a class that makes it work. Use it like this:

[code]
XMPPConnection connection = new XMPPConnection("jabber.domain.com");
connection.getSASLAuthentication().registerSASLMechanism(0,"GSSAPI",SASLGSSAPIMechanism.class);

connection.login("jay",""); //password gets ignored, but is required
connection.createChat("jay@jabber.domain.com").sendMessage("Howdy!");
[/code]

You need to have a JAAS config file (gss.conf) that looks kinda like this:

[code]
/**
 * Login Configuration for JAAS.
 */

com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useTicketCache=true;
};
[/code]

Jay added a comment -

In order for the GSSAPI mechanism to work, the bugs in the Base64 class of Smack utils need to be fixed. You can copy the same class from Wildfire and change the package name at the top since the bugs were already fixed there. Should the utils package maybe become "universal" between the different products so only one change needs to be made when bugs are found/fixed?

Jay added a comment -

The registerSASLMechanism call in the top comment can be avoided by applying this patch:

Index: /scratch/svn/jivesoftware/smack/source/org/jivesoftware/smack/SASLAuthentication.java
===================================================================
— /scratch/svn/jivesoftware/smack/source/org/jivesoftware/smack/SASLAuthentication.java (revision 4007)
+++ /scratch/svn/jivesoftware/smack/source/org/jivesoftware/smack/SASLAuthentication.java (working copy)
@@ -27,6 +27,7 @@
import org.jivesoftware.smack.sasl.SASLAnonymous;
import org.jivesoftware.smack.sasl.SASLMechanism;
import org.jivesoftware.smack.sasl.SASLPlainMechanism;
+import org.jivesoftware.smack.sasl.SASLGSSAPIMechanism;

import java.io.IOException;
import java.lang.reflect.Constructor;
@@ -42,7 +43,7 @@

  • fails then Non-SASL will be tried.<p>
  • The server may support many SASL mechanisms to use for authenticating. Out of the box
  • * Smack provides SASL PLAIN but it is possible to register new SASL Mechanisms. Use
    + * Smack provides SASL PLAIN and GSSAPI but it is possible to register new SASL Mechanisms. Use
  • {@link #registerSASLMechanism(int, String, Class)} to add new mechanisms. See
  • {@link SASLMechanism}.<p>
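
Review bot: The updated Javadoc line, "Smack provides SASL PLAIN and GSSAPI", does not match the static block later in this patch, where the PLAIN registration is left commented out and only GSSAPI is registered out of the box. Either keep PLAIN registered or reword the Javadoc so it names only the mechanisms that are actually registered by default.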
  • @@ -79,7 +80,8 @@

static { // Register SASL mechanisms supported by Smack - registerSASLMechanism(0, "PLAIN", SASLPlainMechanism.class); + registerSASLMechanism(0, "GSSAPI", SASLGSSAPIMechanism.class); + // registerSASLMechanism(1, "PLAIN", SASLPlainMechanism.class); }

/**
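
Review bot: In the static block, `// registerSASLMechanism(1, "PLAIN", SASLPlainMechanism.class);` leaves PLAIN unregistered by default, so any caller that relied on the built-in PLAIN registration now has to call registerSASLMechanism itself. If the intent is to prefer GSSAPI and keep PLAIN as the second choice, uncomment the line so PLAIN registers at index 1; if PLAIN is meant to be dropped, delete the line and note the behaviour change instead of committing commented-out code.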

Jay added a comment -

One additional change: the system properties should not be set in SASLGSSAPIMechanism, they should be set in the application using Smack (e.g. Spark) to configure where the config file is located.
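
An added example, not part of the original comments or of Smack: an application-side preflight that sets the JVM properties itself and checks the JAAS entry from gss.conf before login is attempted. The class name `GssPreflight` is hypothetical, and the two property names are the standard JDK ones, assumed here to be what the attached mechanism relies on.

```java
import java.io.File;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

/** Hypothetical application-side helper; not part of Smack or Spark. */
public class GssPreflight {
    // JAAS entry name the JDK's GSS-API initiator looks up (same as in gss.conf).
    static final String ENTRY = "com.sun.security.jgss.initiate";

    /** Sets the JVM-wide properties, then verifies the JAAS entry is usable. */
    public static void configure(File jaasConf) {
        if (!jaasConf.isFile() || !jaasConf.canRead()) {
            throw new IllegalStateException("JAAS config not readable: " + jaasConf);
        }
        // Standard JDK property names; assumed to be what the mechanism relies on.
        System.setProperty("java.security.auth.login.config", jaasConf.getAbsolutePath());
        // Allow JGSS to fetch credentials through JAAS rather than a caller Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        Configuration cfg = Configuration.getConfiguration();
        cfg.refresh(); // re-read the file if a configuration was loaded earlier
        AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(ENTRY);
        if (entries == null || entries.length == 0) {
            throw new IllegalStateException("No '" + ENTRY + "' entry in " + jaasConf);
        }
        for (AppConfigurationEntry e : entries) {
            Map<String, ?> o = e.getOptions();
            boolean noPrompt = "true".equalsIgnoreCase(String.valueOf(o.get("doNotPrompt")));
            boolean cache = "true".equalsIgnoreCase(String.valueOf(o.get("useTicketCache")));
            boolean keyTab = "true".equalsIgnoreCase(String.valueOf(o.get("useKeyTab")));
            // doNotPrompt with no ticket cache or keytab leaves no credential source.
            if (noPrompt && !cache && !keyTab) {
                throw new IllegalStateException(e.getLoginModuleName()
                        + ": doNotPrompt=true but no useTicketCache/useKeyTab");
            }
        }
    }

    public static void main(String[] args) {
        configure(new File(args.length > 0 ? args[0] : "gss.conf"));
        System.out.println("JAAS entry OK; the application can now call login()");
    }
}
```

Because these properties are JVM-wide, setting them once at application start-up keeps the library from overriding a location the deployer chose.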

