Smack

Add support for Kerberos/NTLM

Details

  • Type: New Feature New Feature
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 2.2.0
  • Fix Version/s: 3.1.0
  • Component/s: Core
  • Labels:
    None
  • Acceptance Test - Add?:
    No

Description

Add support for Windows Kerberos/NTLM as an authentication method. This would allow true single sign-on support. So far, Pandion is the only client known to have support for this on the client side. Request at:

http://www.jivesoftware.org/forums/thread.jspa?threadID=14636

Issue Links

is related to

New Feature - A new feature of the product, which has yet to be developed. JM-281 Add support for Kerberos/NTLM (experimental status)

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Task - A task that needs to be done. SPARK-675 Understand and Document Technical Requirements for SSO

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Jay added a comment -

I attached a class that makes it work. Use it like this:

[code]
XMPPConnection connection = new XMPPConnection("jabber.domain.com");
connection.getSASLAuthentication().registerSASLMechanism(0,"GSSAPI",SASLGSSAPIMechanism.class);

connection.login("jay",""); //password gets ignored, but is required
connection.createChat("jay@jabber.domain.com").sendMessage("Howdy!");
[/code]

You need to have a JASS config file (gss.conf) that looks kinda like this:

[code]
/**

  • Login Configuration for JAAS.
    */

com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useTicketCache=true;
};
[/code]

Show
Jay added a comment - I attached a class that makes it work. Use it like this: [code] XMPPConnection connection = new XMPPConnection("jabber.domain.com"); connection.getSASLAuthentication().registerSASLMechanism(0,"GSSAPI",SASLGSSAPIMechanism.class); connection.login("jay",""); //password gets ignored, but is required connection.createChat("jay@jabber.domain.com").sendMessage("Howdy!"); [/code] You need to have a JASS config file (gss.conf) that looks kinda like this: [code] /** Login Configuration for JAAS. */ com.sun.security.jgss.initiate { com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useTicketCache=true; }; [/code]
Hide
Permalink
Jay added a comment -

In order for the GSSAPI mechanism to work, the bugs in the Base64 class of Smack utils needs to be fixed. You can copy the same class from Wildfire and change the package name at the top since the bugs were already fixed there. Should the utils package maybe become "universal" between the different products so only one change needs to be made when bugs are found/fixed?

Show
Jay added a comment - In order for the GSSAPI mechanism to work, the bugs in the Base64 class of Smack utils needs to be fixed. You can copy the same class from Wildfire and change the package name at the top since the bugs were already fixed there. Should the utils package maybe become "universal" between the different products so only one change needs to be made when bugs are found/fixed?
Hide
Permalink
Jay added a comment -

The registerSASLMechanism call in the top comment can be avoided by applying this patch:

Index: /scratch/svn/jivesoftware/smack/source/org/jivesoftware/smack/SASLAuthentication.java
===================================================================
— /scratch/svn/jivesoftware/smack/source/org/jivesoftware/smack/SASLAuthentication.java (revision 4007)
+++ /scratch/svn/jivesoftware/smack/source/org/jivesoftware/smack/SASLAuthentication.java (working copy)
@@ -27,6 +27,7 @@
import org.jivesoftware.smack.sasl.SASLAnonymous;
import org.jivesoftware.smack.sasl.SASLMechanism;
import org.jivesoftware.smack.sasl.SASLPlainMechanism;
+import org.jivesoftware.smack.sasl.SASLGSSAPIMechanism;

import java.io.IOException;
import java.lang.reflect.Constructor;
@@ -42,7 +43,7 @@

  • fails then Non-SASL will be tried.<p>
  • The server may support many SASL mechanisms to use for authenticating. Out of the box
  • * Smack provides SASL PLAIN but it is possible to register new SASL Mechanisms. Use
    + * Smack provides SASL PLAIN and GSSAPI but it is possible to register new SASL Mechanisms. Use
  • {@link #registerSASLMechanism(int, String, Class)}

    to add new mechanisms. See

  • {@link SASLMechanism}

    .<p>

  • @@ -79,7 +80,8 @@

static

{ // Register SASL mechanisms supported by Smack - registerSASLMechanism(0, "PLAIN", SASLPlainMechanism.class); + registerSASLMechanism(0, "GSSAPI", SASLGSSAPIMechanism.class); + // registerSASLMechanism(1, "PLAIN", SASLPlainMechanism.class); }

/**

Show
Jay added a comment - The registerSASLMechanism call in the top comment can be avoided by applying this patch: Index: /scratch/svn/jivesoftware/smack/source/org/jivesoftware/smack/SASLAuthentication.java =================================================================== — /scratch/svn/jivesoftware/smack/source/org/jivesoftware/smack/SASLAuthentication.java (revision 4007) +++ /scratch/svn/jivesoftware/smack/source/org/jivesoftware/smack/SASLAuthentication.java (working copy) @@ -27,6 +27,7 @@ import org.jivesoftware.smack.sasl.SASLAnonymous; import org.jivesoftware.smack.sasl.SASLMechanism; import org.jivesoftware.smack.sasl.SASLPlainMechanism; +import org.jivesoftware.smack.sasl.SASLGSSAPIMechanism; import java.io.IOException; import java.lang.reflect.Constructor; @@ -42,7 +43,7 @@ fails then Non-SASL will be tried.<p> The server may support many SASL mechanisms to use for authenticating. Out of the box * Smack provides SASL PLAIN but it is possible to register new SASL Mechanisms. Use + * Smack provides SASL PLAIN and GSSAPI but it is possible to register new SASL Mechanisms. Use {@link #registerSASLMechanism(int, String, Class)} to add new mechanisms. See {@link SASLMechanism} .<p> @@ -79,7 +80,8 @@ static { // Register SASL mechanisms supported by Smack - registerSASLMechanism(0, "PLAIN", SASLPlainMechanism.class); + registerSASLMechanism(0, "GSSAPI", SASLGSSAPIMechanism.class); + // registerSASLMechanism(1, "PLAIN", SASLPlainMechanism.class); } /**
Hide
Permalink
Jay added a comment -

One additonal change, the system properties should not be set in SASLGSSAPIMechanism, they should be set in the application using Smack (eg Spark) to configure where the config file is located.

Show
Jay added a comment - One additonal change, the system properties should not be set in SASLGSSAPIMechanism, they should be set in the application using Smack (eg Spark) to configure where the config file is located.

People

  • Assignee:
    Matt Tucker
    Reporter:
    Gaston Dombiak
Vote (6)
Watch (4)

Dates

  • Created:
    Updated:
    Resolved: