SASL Authentication
mikezzz Mar 14, 2007 10:40 AM

Hi,
Over at http://www.buni.org we need to implement SASL authentication for our IMAP support. We need it to integrate with the JBoss implementation of JAAS. Therefore I have placed a patch for SASL Authentication in the security JIRA project (against the 4.0 branch): http://jira.jboss.com/jira/browse/SECURITY-36
Currently it only supports CRAM-MD5 (DIGEST-MD5 should only be a matter of extending the configuration and GSSAPI might require a bit more thought) and doesn't support initial response yet.
I do have commit access, so if you are happy with this code, let me know if you would like me to add this. It would be useful for us if we could get this into the next stable release.
How to use the SASL authentication:
The SASL support is an extension to the UsernamePasswordLoginModule so it is available for all authentication repositories (e.g. Database, LDAP, etc.). To enable it add the following configuration:
```xml
<authentication>
  <login-module code="..." flag="sufficient">
    <module-option name="sasl.enabled">true</module-option>
    <module-option name="sasl.encoding">base64</module-option>
    <module-option name="sasl.hostname">localhost</module-option>
    <module-option name="sasl.mechanism">CRAM-MD5</module-option>
  </login-module>
</authentication>
```
Client code then needs to pass the challenge/response data as base64 encoded strings using the TextInputCallback/TextOutputCallback. It should also handle the NameCallback to get the username of the client trying to authenticate.
```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.TextInputCallback;
import javax.security.auth.callback.TextOutputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;

CallbackHandler ch = new CallbackHandler() {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int idx = 0; idx < callbacks.length; idx++) {
            Callback cb = callbacks[idx];
            if (cb instanceof NameCallback) {
                // Username of the client trying to authenticate
                NameCallback nc = (NameCallback) cb;
                nc.setName(username);
            } else if (cb instanceof TextInputCallback) {
                // The login module asks for the client's response, base64 encoded
                TextInputCallback tic = (TextInputCallback) cb;
                byte[] response = receive(); // Gets the response from the client
                String s = Base64.encodeBytes(response);
                tic.setText(s);
            } else if (cb instanceof TextOutputCallback) {
                // The login module hands over the challenge, base64 encoded
                TextOutputCallback toc = (TextOutputCallback) cb;
                String s = toc.getMessage();
                byte[] challenge = Base64.decode(s);
                send(challenge); // Send the challenge to the client
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }
};
LoginContext lc = new LoginContext("...", ch);
lc.login();
```
For more information check the SaslLoginTestCase.
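The following is an added example, not part of the post or of the SECURITY-36 patch: a stand-alone Python simulation of the CRAM-MD5 exchange (RFC 2195) that the challenge and response strings in the callback handler above carry over the wire, so the server-side verification step the login module performs is visible. The credential store, hostname and username/password values are constructed for the example; a real login module would read the password from its configured repository.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed credential store standing in for the login module's user
# repository (database, LDAP, ...). CRAM-MD5 keys the HMAC with the
# password itself, so the server must have the plaintext password.
USERS = {"alice": "s3cret"}


def make_challenge(hostname):
    """Server side: build the RFC 2195 challenge and its base64 wire form."""
    challenge = "<%d.%d@%s>" % (os.getpid(), int(time.time()), hostname)
    wire = base64.b64encode(challenge.encode("ascii")).decode("ascii")
    return challenge, wire


def client_response(wire_challenge, username, password):
    """Client side: decode the challenge, HMAC-MD5 it with the password
    and return base64('username hexdigest')."""
    challenge = base64.b64decode(wire_challenge)
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (username, digest)).encode("utf-8")).decode("ascii")


def server_verify(challenge, wire_response, users=USERS):
    """Server side: decode the response, recompute the digest for the
    claimed user and compare in constant time.
    Returns the authenticated username, or None on any failure."""
    try:
        text = base64.b64decode(wire_response, validate=True).decode("utf-8")
        username, digest = text.rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or missing 'user digest' split
    password = users.get(username)
    if password is None:
        # Unknown user: still do the HMAC work so timing does not reveal it.
        hmac.new(b"-", challenge.encode("ascii"), hashlib.md5).hexdigest()
        return None
    expected = hmac.new(password.encode("utf-8"), challenge.encode("ascii"), hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected, digest) else None


if __name__ == "__main__":
    chal, wire_chal = make_challenge("localhost")
    resp = client_response(wire_chal, "alice", "s3cret")
    print("S: +", wire_chal)
    print("C:", resp)
    print("authenticated as:", server_verify(chal, resp))
```

Each challenge is fresh, so a captured response cannot be replayed against a later challenge; the example's `server_verify` also rejects a response computed against a different challenge, which is the property the per-login TextOutputCallback/TextInputCallback pairing in the login module relies on.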