Incorrect usage of UserManager.isRegisteredUser()


The method {{isRegisteredUser(JID jid)}} of class {{UserManager}} is easy to misinterpret. Often, it's assumed that the implementation checks if the user is a registered user of the local domain (the instance of Openfire itself). However, the actual implementation tries to determine if the user is a registered user on the domain that the JID identifies (potentially performing server-to-server communication to try and establish this).

Confusingly, the overloaded method {{isRegisteredUser(String username)}} does limit its response to the local domain (as the argument does not provide domain information, it can't perform remote lookups).

This can lead to code like this:

The problem in this code is that the if-condition can be 'true' for a JID that references a different domain. If then the local domain happens to have a user by the same node-part value, very inconsistent things can start to happen.

This issue is currently found in the implementation of IQBlockingHandler, and possibly in other places.

The API should be improved to prevent this issue. As this API is old, we can expect third-party code to make use of it. The original signature should be retained (although marked as being deprecated).
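The mix-up described above, as an added, self-contained Java example. It is not code from Openfire or from this issue: `Jid`, `LOCAL_DOMAIN`, the user tables and the `resolve*` helpers are hypothetical stand-ins, and the remote lookup is modelled by a constructed map instead of server-to-server traffic.

```java
import java.util.Map;
import java.util.Set;

public class RegisteredUserCheck {
    // Hypothetical stand-in for an XMPP address (node@domain); not Openfire's JID class.
    record Jid(String node, String domain) {}

    // Constructed sample data: one local account, and one remote account with the same node-part.
    static final String LOCAL_DOMAIN = "example.org";
    static final Set<String> LOCAL_USERS = Set.of("alice");
    static final Map<String, Set<String>> REMOTE_USERS = Map.of("example.com", Set.of("alice"));

    // Models the JID overload as the description states it: the answer is about
    // the domain the JID identifies, which may not be the local one.
    static boolean isRegisteredUser(Jid jid) {
        if (jid.domain().equals(LOCAL_DOMAIN)) {
            return LOCAL_USERS.contains(jid.node());
        }
        return REMOTE_USERS.getOrDefault(jid.domain(), Set.of()).contains(jid.node());
    }

    // Misread pattern: 'true' is taken to mean "local user", and the node-part
    // alone is then used to select the local account.
    static String resolveUnsafe(Jid jid) {
        return isRegisteredUser(jid) ? jid.node() : null;
    }

    // Guarded pattern: verify the domain-part is the local domain before the
    // node-part is ever used as a local username.
    static String resolveLocalOnly(Jid jid) {
        if (!jid.domain().equals(LOCAL_DOMAIN)) {
            return null;
        }
        return LOCAL_USERS.contains(jid.node()) ? jid.node() : null;
    }

    public static void main(String[] args) {
        Jid remote = new Jid("alice", "example.com");
        Jid local = new Jid("alice", "example.org");
        System.out.println("unsafe,  remote JID: " + resolveUnsafe(remote));
        System.out.println("guarded, remote JID: " + resolveLocalOnly(remote));
        System.out.println("guarded, local JID:  " + resolveLocalOnly(local));
    }
}
```

With the remote JID, the unsafe helper hands back the node-part that also names a local account, while the guarded helper rejects it before any username lookup.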




Guus der Kinderen
October 16, 2020, 8:04 AM

For similar reasons, {{UserManager.isRegisteredUser(String username)}} should be deprecated. All but one of the usages in the existing Openfire code call that by taking the node-part of a JID - often without verification that the domain-part relates to the local domain. This can easily lead to bugs.


