openfire源码解读--用户登录

根据xmpp协议

客户端发送：

<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>XXXXXXXXXXXXXXXXXXXXX=</auth>

其中，xmlns是命名空间，mechanism是用户名密码的加密方式，auth 标签的text内容为用户名密码通过PLAIN方式加密的字符串。

服务端接收：

　　通过ConnectionHandler类的messageReceived方法接收，process中处理

     else if ("auth".equals(tag)) {
            // User is trying to authenticate using SASL
            startedSASL = true;
            // Process authentication stanza
            saslStatus = SASLAuthentication.handle(session, doc);
        }

　　判断xml标签为auth时进行登录验证。

　　下面来看SASLAuthentication的处理

　　首先判断加密方式，然后解密，通过下面这个方法来验证登录。

final byte[] challenge = saslServer.evaluateResponse( decoded ); // Either a challenge or success data.

　　根据加密方式不同，验证处理方法不同。PLAIN加密的，那就看SaslServerPlainImpl中是怎么实现的。

	NameCallback ncb = new NameCallback("PLAIN authentication ID: ",principal);
	VerifyPasswordCallback vpcb = new VerifyPasswordCallback(password.toCharArray());
	cbh.handle(new Callback[]{ncb,vpcb});
	
	if (vpcb.getVerified()) {
		vpcb.clearPassword();
		AuthorizeCallback acb = new AuthorizeCallback(principal,username);
		cbh.handle(new Callback[]{acb});
		if(acb.isAuthorized()) {
			username = acb.getAuthorizedID();
			completed = true;
		} else {
			completed = true;
			username = null;
			throw new SaslException("PLAIN: user not authorized: "+principal);
		}
	} else {
		throw new SaslException("PLAIN: user not authorized: "+principal);
	}

　　可以看到openfire是通过callback来验证的，而且还进行了2层验证。第一次是验证用户名密码，第二次是加载用户信息

（自己有需要修改源码时，这里就可以优化了，第一步登录验证时就可以获取用户信息了，没必要重新查询一次）。

　　callback是通过XMPPCallbackHandler实现的。

for (Callback callback : callbacks) {

            if (callback instanceof RealmCallback) {

                ((RealmCallback) callback).setText( XMPPServer.getInstance().getServerInfo().getXMPPDomain() );

            }

            else if (callback instanceof NameCallback) {

                name = ((NameCallback) callback).getName();

                if (name == null) {

                    name = ((NameCallback) callback).getDefaultName();

                }

                //Log.debug("XMPPCallbackHandler: NameCallback: " + name);

            }

            else if (callback instanceof PasswordCallback) {

                try {

                    // Get the password from the UserProvider. Some UserProviders may not support

                    // this operation

                    ((PasswordCallback) callback)

                            .setPassword(AuthFactory.getPassword(name).toCharArray());



                    //Log.debug("XMPPCallbackHandler: PasswordCallback");

                }

                catch (UserNotFoundException | UnsupportedOperationException e) {

                    throw new IOException(e.toString());

                }



            }

            else if (callback instanceof VerifyPasswordCallback) {

                //Log.debug("XMPPCallbackHandler: VerifyPasswordCallback");

                VerifyPasswordCallback vpcb = (VerifyPasswordCallback) callback;

                try {

                    AuthToken at = AuthFactory.authenticate(name, new String(vpcb.getPassword()));

                    vpcb.setVerified((at != null));

                }

                catch (Exception e) {

                    vpcb.setVerified(false);

                }

            }

            else if (callback instanceof AuthorizeCallback) {

                //Log.debug("XMPPCallbackHandler: AuthorizeCallback");

                AuthorizeCallback authCallback = ((AuthorizeCallback) callback);

                // Principal that authenticated

                String principal = authCallback.getAuthenticationID();

                // Username requested (not full JID)

                String username = authCallback.getAuthorizationID();

                // Remove any REALM from the username. This is optional in the spec and it may cause

                // a lot of users to fail to log in if their clients is sending an incorrect value

                if (username != null && username.contains("@")) {

                    username = username.substring(0, username.lastIndexOf("@"));

                }

                if (principal.equals(username)) {

                    //client perhaps made no request, get default username

                    username = AuthorizationManager.map(principal);

                    if (Log.isDebugEnabled()) {

                        //Log.debug("XMPPCallbackHandler: no username requested, using " + username);

                    }

                }

                if (AuthorizationManager.authorize(username, principal)) {

                    if (Log.isDebugEnabled()) {

                        //Log.debug("XMPPCallbackHandler: " + principal + " authorized to " + username);

                    }

                    authCallback.setAuthorized(true);

                    authCallback.setAuthorizedID(username);

                }

                else {

                    if (Log.isDebugEnabled()) {

                        //Log.debug("XMPPCallbackHandler: " + principal + " not authorized to " + username);

                    }

                    authCallback.setAuthorized(false);

                }

            }

　　第一次验证用户名密码是通过 AuthToken at = AuthFactory.authenticate(name, new String(vpcb.getPassword()));验证的

根据数据库配置provider.auth.className的类实现登录验证。

第二次验证AuthorizationManager.authorize(username, principal)会加载用户信息。
2次验证通过就会返回客户端 <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/> 表示登录成功。