
EXTERNAL authentication should accept empty or null username/password

Question asked by andrelab on Jan 9, 2015
Latest reply on Jan 13, 2015 by Flow

I tried to authenticate with EXTERNAL mech but I got an IllegalArgumentException due to empty username.

Look at the code in AbstractXMPPConnection.java:

    public void login(String username, String password, String resource) throws XMPPException,
                    SmackException, IOException {
        if (StringUtils.isNullOrEmpty(username)) {
            throw new IllegalArgumentException("Username must not be null or empty");
        }
        usedUsername = username;
        usedPassword = password;
        usedResource = resource;
        loginNonAnonymously(username, password, resource);
    }

I think it should allow null usernames. XEP-0178 says:

If the client certificate contains only one JID, then the client MAY include an authorization identity, but only if it desires to be authorized as a JID other than the address in the client certificate; else it MUST NOT include an authorization identity (this is shown in the following example by setting the XML character data of the <auth/> element to "=").

Example 9.

    <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='EXTERNAL'>=</auth>
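The single-JID rule quoted in the post, worked through for both sides of the exchange. This is an added example, not part of the original post and not Smack code; the class name, method names and sample JIDs are hypothetical, and JIDs are compared as plain strings on the assumption that they are already normalized.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration; not Smack code. All names here are hypothetical.
public class ExternalAuthSketch {
    static final String SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl";

    /** Client side: the authorization identity to send, or null for none. */
    static String chooseAuthzid(String certJid, String desiredJid) {
        // Single-JID certificate: send an authzid only when asking to be
        // authorized as a JID other than the one in the certificate.
        // Assumption: both JIDs are already normalized, so equals() suffices.
        if (desiredJid == null || desiredJid.isEmpty() || desiredJid.equals(certJid)) {
            return null;
        }
        return desiredJid;
    }

    /** Client side: serialize <auth/>; "=" marks a present but empty response. */
    static String buildAuth(String authzid) {
        String data = (authzid == null)
                ? "="
                : Base64.getEncoder().encodeToString(authzid.getBytes(StandardCharsets.UTF_8));
        return "<auth xmlns='" + SASL_NS + "' mechanism='EXTERNAL'>" + data + "</auth>";
    }

    /** Receiving side: decode the character data; null means no authzid was sent. */
    static String decodeAuthzid(String characterData) {
        String data = characterData.trim();
        if (data.isEmpty()) {
            // No character data at all is a different case and is not handled here.
            throw new IllegalArgumentException("no initial response present");
        }
        if (data.equals("=")) {
            return null;
        }
        // Throws IllegalArgumentException on malformed base64.
        return new String(Base64.getDecoder().decode(data), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String certJid = "juliet@example.com"; // constructed sample value
        // No username supplied: the element from Example 9, character data "=".
        System.out.println(buildAuth(chooseAuthzid(certJid, null)));
        // Same JID as the certificate: still "=", no authzid on the wire.
        System.out.println(buildAuth(chooseAuthzid(certJid, "juliet@example.com")));
        // Different JID requested: base64 of the authzid is sent.
        String auth = buildAuth(chooseAuthzid(certJid, "admin@example.com"));
        System.out.println(auth);
        System.out.println(decodeAuthzid(auth.replaceAll("<[^>]+>", "")));
    }
}
```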
