Add support for Kerberos/NTLM

Description

Add support for Windows Kerberos/NTLM as an authentication method. This would allow true single sign-on support. So far, Pandion is the only client known to have support for this on the client side. Request at:

http://www.jivesoftware.org/forums/thread.jspa?threadID=14636

Environment

None

Attachments

1

Activity

Jay Kline June 20, 2006 at 2:30 AM

One additional change: the system properties should not be set in SASLGSSAPIMechanism; they should be set in the application using Smack (e.g. Spark) to configure where the config file is located.

Jay Kline June 19, 2006 at 3:28 AM

The registerSASLMechanism call in the top comment can be avoided by applying this patch:

Index: /scratch/svn/jivesoftware/smack/source/org/jivesoftware/smack/SASLAuthentication.java
===================================================================
— /scratch/svn/jivesoftware/smack/source/org/jivesoftware/smack/SASLAuthentication.java (revision 4007)
+++ /scratch/svn/jivesoftware/smack/source/org/jivesoftware/smack/SASLAuthentication.java (working copy)
@@ -27,6 +27,7 @@
import org.jivesoftware.smack.sasl.SASLAnonymous;
import org.jivesoftware.smack.sasl.SASLMechanism;
import org.jivesoftware.smack.sasl.SASLPlainMechanism;
+import org.jivesoftware.smack.sasl.SASLGSSAPIMechanism;

import java.io.IOException;
import java.lang.reflect.Constructor;
@@ -42,7 +43,7 @@

  • fails then Non-SASL will be tried.<p>

  • The server may support many SASL mechanisms to use for authenticating. Out of the box

  • * Smack provides SASL PLAIN but it is possible to register new SASL Mechanisms. Use
    + * Smack provides SASL PLAIN and GSSAPI but it is possible to register new SASL Mechanisms. Use

  • {@link #registerSASLMechanism(int, String, Class)} to add new mechanisms. See

  • {@link SASLMechanism}.<p>
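Review bot: The reworded Javadoc sentence ("Smack provides SASL PLAIN and GSSAPI") names two built-in mechanisms but gives no indication of the order in which they are tried. Since the static block in this patch passes index 0 for GSSAPI and index 1 for PLAIN, document here what the index argument of registerSASLMechanism(int, String, Class) means for mechanism selection, so callers registering their own mechanisms know where they land relative to the defaults.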

  • @@ -79,7 +80,8 @@


static {
// Register SASL mechanisms supported by Smack

  • registerSASLMechanism(0, "PLAIN", SASLPlainMechanism.class);
    + registerSASLMechanism(0, "GSSAPI", SASLGSSAPIMechanism.class);
    + // registerSASLMechanism(1, "PLAIN", SASLPlainMechanism.class);
    }


/**
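Review bot: In the static block, the PLAIN registration is replaced by GSSAPI at index 0 and PLAIN survives only as a commented-out line, so with this patch applied PLAIN is no longer registered by default, although the Javadoc changed earlier in the patch says Smack provides both. Either uncomment `registerSASLMechanism(1, "PLAIN", SASLPlainMechanism.class);` so PLAIN stays registered after GSSAPI, or delete the line and adjust the Javadoc; commented-out code should not be committed. The class comment says Non-SASL is tried when SASL fails, so it is worth stating which fallback is intended once PLAIN is gone.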

Jay Kline June 19, 2006 at 3:25 AM

In order for the GSSAPI mechanism to work, the bugs in the Base64 class of Smack utils need to be fixed. You can copy the same class from Wildfire and change the package name at the top since the bugs were already fixed there. Should the utils package maybe become "universal" between the different products so only one change needs to be made when bugs are found/fixed?

Jay Kline June 15, 2006 at 8:55 AM

I attached a class that makes it work. Use it like this:

[code]
XMPPConnection connection = new XMPPConnection("jabber.domain.com");
connection.getSASLAuthentication().registerSASLMechanism(0, "GSSAPI", SASLGSSAPIMechanism.class);

connection.login("jay", ""); // password gets ignored, but is required
connection.createChat("jay@jabber.domain.com").sendMessage("Howdy!");
[/code]

You need to have a JAAS config file (gss.conf) that looks kinda like this:

[code]
/**
 * Login Configuration for JAAS.
 */

com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useTicketCache=true;
};
[/code]
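The comments above say the application, not the library, should set the system properties that locate gss.conf. As an added example (not part of the original comments or of Smack), this preflight sets them and checks the JAAS entry before any GSSAPI login is attempted. The class name GssJaasPreflight and the check() helper are hypothetical, and the two property names are the standard JDK ones, assumed here because the thread does not name them.

```java
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class GssJaasPreflight {
    // Entry name JGSS looks up for the initiating (client) side; same as in gss.conf above.
    static final String ENTRY = "com.sun.security.jgss.initiate";
    static final String KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule";

    /** Returns null when the entry is usable for ticket-cache SSO, else the reason it is not. */
    static String check(Configuration cfg) {
        AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(ENTRY);
        if (entries == null || entries.length == 0) {
            return "no '" + ENTRY + "' entry in the JAAS configuration";
        }
        for (AppConfigurationEntry e : entries) {
            if (!KRB5_MODULE.equals(e.getLoginModuleName())) continue;
            if (e.getControlFlag() != AppConfigurationEntry.LoginModuleControlFlag.REQUIRED) {
                return "Krb5LoginModule is not 'required'";
            }
            if (!"true".equals(e.getOptions().get("useTicketCache"))) {
                return "useTicketCache is not true, so the existing logon ticket is not used";
            }
            if (!"true".equals(e.getOptions().get("doNotPrompt"))) {
                return "doNotPrompt is not true, so the module may ask for a password";
            }
            return null;
        }
        return "entry does not use Krb5LoginModule";
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the gss.conf from the comment above, written to a temp file.
        Path conf = Files.createTempFile("gss", ".conf");
        Files.writeString(conf, ENTRY + " {\n  " + KRB5_MODULE
                + " required doNotPrompt=true useTicketCache=true;\n};\n");
        // Set by the application (not by the library), before any JAAS/JGSS call.
        System.setProperty("java.security.auth.login.config", conf.toString());
        // Let JGSS obtain credentials through the JAAS entry rather than the caller's Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        String problem = check(Configuration.getConfiguration());
        System.out.println(problem == null ? "JAAS entry OK for GSSAPI" : "Refusing GSSAPI: " + problem);
        Files.deleteIfExists(conf);
    }
}
```

Running the check before login lets the application report a missing or weakened JAAS entry itself, rather than have the connection move on to another mechanism.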

Fixed

Created June 15, 2006 at 4:14 AM
Updated November 15, 2007 at 12:40 AM
Resolved November 15, 2007 at 12:40 AM