Add support for Kerberos/NTLM

Description

Add support for Windows Kerberos/NTLM as an authentication method. This would allow true single sign-on support. So far, Pandion is the only client known to have support for this on the client side. Request at:

http://www.jivesoftware.org/forums/thread.jspa?threadID=14636

Environment

None

Activity

Jay Kline
June 20, 2006, 2:30 AM

One additional change: the system properties should not be set in SASLGSSAPIMechanism; they should be set in the application using Smack (e.g. Spark) to configure where the config file is located.

Jay Kline
June 19, 2006, 3:28 AM

The registerSASLMechanism call in the top comment can be avoided by applying this patch:

Index: /scratch/svn/jivesoftware/smack/source/org/jivesoftware/smack/SASLAuthentication.java
===================================================================
— /scratch/svn/jivesoftware/smack/source/org/jivesoftware/smack/SASLAuthentication.java (revision 4007)
+++ /scratch/svn/jivesoftware/smack/source/org/jivesoftware/smack/SASLAuthentication.java (working copy)
@@ -27,6 +27,7 @@
import org.jivesoftware.smack.sasl.SASLAnonymous;
import org.jivesoftware.smack.sasl.SASLMechanism;
import org.jivesoftware.smack.sasl.SASLPlainMechanism;
+import org.jivesoftware.smack.sasl.SASLGSSAPIMechanism;

import java.io.IOException;
import java.lang.reflect.Constructor;
@@ -42,7 +43,7 @@

  • fails then Non-SASL will be tried.<p>

  • The server may support many SASL mechanisms to use for authenticating. Out of the box

  • * Smack provides SASL PLAIN but it is possible to register new SASL Mechanisms. Use
    + * Smack provides SASL PLAIN and GSSAPI but it is possible to register new SASL Mechanisms. Use

  • {@link #registerSASLMechanism(int, String, Class)} to add new mechanisms. See

  • {@link SASLMechanism}.<p>

  • @@ -79,7 +80,8 @@


static {
// Register SASL mechanisms supported by Smack

  • registerSASLMechanism(0, "PLAIN", SASLPlainMechanism.class);
    + registerSASLMechanism(0, "GSSAPI", SASLGSSAPIMechanism.class);
    + // registerSASLMechanism(1, "PLAIN", SASLPlainMechanism.class);
    }


/**
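Review bot: The static block leaves PLAIN commented out (`// registerSASLMechanism(1, "PLAIN", SASLPlainMechanism.class);`), so with this change GSSAPI is the only mechanism registered by default, and a client without a usable Kerberos ticket has no SASL mechanism left before non-SASL is tried. This also contradicts the updated Javadoc in the previous hunk, which says Smack provides PLAIN and GSSAPI out of the box. Suggest registering PLAIN at index 1 after GSSAPI instead of leaving it as commented-out code, or, if dropping PLAIN is intended, deleting the line and rewording the Javadoc to match.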

Jay Kline
June 19, 2006, 3:25 AM

In order for the GSSAPI mechanism to work, the bugs in the Base64 class of Smack utils need to be fixed. You can copy the same class from Wildfire and change the package name at the top since the bugs were already fixed there. Should the utils package maybe become "universal" between the different products so only one change needs to be made when bugs are found/fixed?

Jay Kline
June 15, 2006, 8:55 AM

I attached a class that makes it work. Use it like this:

[code]
XMPPConnection connection = new XMPPConnection("jabber.domain.com");
connection.getSASLAuthentication().registerSASLMechanism(0,"GSSAPI",SASLGSSAPIMechanism.class);

connection.login("jay",""); //password gets ignored, but is required
connection.createChat("jay@jabber.domain.com").sendMessage("Howdy!");
[/code]

You need to have a JAAS config file (gss.conf) that looks kinda like this:

[code]
/**
 * Login Configuration for JAAS.
 */

com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useTicketCache=true;
};
[/code]
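A preflight check an application could run before enabling GSSAPI, combining the gss.conf shown above with the June 20 remark that the application, not SASLGSSAPIMechanism, should set the system properties. This is an added example, not code from the thread or from Smack; the class name `GssPreflight`, the constructed sample files, and the choice of the two JDK system properties are assumptions.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.URIParameter;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

// Hypothetical helper class; not part of Smack or of the attached SASLGSSAPIMechanism.
public class GssPreflight {
    static final String ENTRY = "com.sun.security.jgss.initiate";
    static final String KRB5 = "com.sun.security.auth.module.Krb5LoginModule";

    /** Returns null when the file can drive ticket-cache login, otherwise the reason it cannot. */
    static String check(Path conf) {
        AppConfigurationEntry[] entries;
        try {
            // Parse this one file without touching the JVM-wide login configuration.
            Configuration c = Configuration.getInstance(
                    "JavaLoginConfig", new URIParameter(conf.toUri()));
            entries = c.getAppConfigurationEntry(ENTRY);
        } catch (Exception e) { return "cannot load " + conf + ": " + e; }
        if (entries == null) return "no \"" + ENTRY + "\" entry";
        for (AppConfigurationEntry e : entries) {
            if (!KRB5.equals(e.getLoginModuleName())) continue;
            Map<String, ?> o = e.getOptions();
            // The password passed to login() is ignored, so the module must never prompt.
            if (!"true".equals(o.get("useTicketCache"))) return "useTicketCache is not true";
            if (!"true".equals(o.get("doNotPrompt"))) return "doNotPrompt is not true";
            return null;
        }
        return "entry does not use " + KRB5;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample files; the first mirrors the gss.conf shown in the comment above.
        Path good = Files.createTempFile("gss", ".conf");
        Files.writeString(good, ENTRY + " {\n  " + KRB5
                + " required doNotPrompt=true useTicketCache=true;\n};\n");
        Path bad = Files.createTempFile("gss-bad", ".conf");
        Files.writeString(bad, "some.app {\n  " + KRB5 + " required;\n};\n");
        for (Path p : new Path[] {good, bad}) {
            String problem = check(p);
            System.out.println(p.getFileName() + ": "
                    + (problem == null ? "ok" : "refuse GSSAPI, " + problem));
            if (problem != null) continue;
            // Set by the application before login(), not inside the SASL mechanism class.
            System.setProperty("java.security.auth.login.config", p.toString());
            System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        }
    }
}
```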

Fixed

Assignee

MattM

Reporter

Gaston Dombiak