Error Code 401 type ="auth" not-authorized while trying to create a new user (using SMACK AccountManager API)

Girish Prabhu
Added over 4 years ago

I am trying to create a new user into my Tigase running on localhost. My java client is using SMACK 4.0.0 and the AccountManager class (snippet pasted below).

  1. I am logging in as 'admin' through the SMACK client, and yes, I am able to connect to the Tigase correctly, and also send messages, so the basic set up is fine.

  2. Note that my server does not have any certs, so I have switched off 'secure connections' on my SMACK client. [ wondering if this could be the issue for getting the 401, not authorized, does tigase not allow create user over insecure connections? ]

  3. When I run the create user account, I get the 401 Not-Authorized error. I have pasted the logs from the server below for reference, note HOST is the name of my laptop running the server and I am running the client code on the same machine.

Question:

  1. Is there a setting issue here? I mean, why is it throwing a 410 Not-Authorized? I am admin logging in to the server, but I don't have SSL/TLS installed and connecting on 5222/insecure.

I tried using TCLMT...but that's not even able to connect to the server properly.

2014-07-01 01:20:17.247 [in_2-c2s]         ConnectionManager.writePacketToSocket()  FINEST: c2s@+HOST+/127.0.0.1_5222_127.0.0.1_56162, type: accept, Socket: c2s@HOST/127.0.0.1_5222_127.0.0.1_56162 Socket[addr=/127.0.0.1,port=56162,localport=5222], jid: admin@HOST/Smack, Writing packet: from=sess-man@HOST, to=c2s@HOST/127.0.0.1_5222_127.0.0.1_56162, DATA=<iq from="HOST to="admin@HOST/Smack" type="error" xmlns="jabber:client" id="Y5FKH-4"><query xmlns="jabber:iq:register"><password>password</password><email>gpm1@gpm.com</email><username>gpm1</username></query>*<error code="401" type="auth"><not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/><text xml:lang="en" xmlns="urn:ietf:params:xml:ns:xmpp-stanzas">Unsuccessful registration attempt</text></error></iq>, SIZE=441, XMLNS=jabber:client, PRIORITY=NORMAL, PERMISSION=ADMIN, TYPE=error*
2014-07-01 01:20:17.252 [pool-16-thread-14]  ClientConnectionManager.xmppStreamClosed()  FINER: Stream closed: c2s@gprabhu-mba.local/127.0.0.1_5222_127.0.0.1_56162

    config.setSecurityMode(ConnectionConfiguration.SecurityMode.disabled);
    // Have disabled secure connections because I have not installed the certs..etc.

    HashMap<String, String> attrs = new HashMap<String, String>();
    attrs.put("username", username);
    attrs.put("password", password);
    attrs.put("email", email);

    // Using org.jivesoftware.smack.AccountManager here.
    this.accountManager.createAccount(username, password, attrs);

Replies (15)

Added by Artur Hefczyc TigaseTeam over 4 years ago

The error comes from the server because you try to register a new account on a connection which is already authenticated (you logged in as admin on this connection). The account registration is possible only before login data are sent to the server.
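
The ordering described in this reply, as an added example that is not part of the original thread: the registration request is sent on a connected but not yet authenticated stream, with STARTTLS required so the new password does not cross the wire in clear text. It assumes Smack 4.0.x on the classpath and a server certificate trusted by the JVM; the class name, host, domain and account values are constructed placeholders.

```java
import java.util.HashMap;
import java.util.Map;

import org.jivesoftware.smack.AccountManager;
import org.jivesoftware.smack.ConnectionConfiguration;
import org.jivesoftware.smack.XMPPConnection;
import org.jivesoftware.smack.XMPPException.XMPPErrorException;
import org.jivesoftware.smack.tcp.XMPPTCPConnection;

// Hypothetical helper class (not from the thread or from Tigase/Smack).
public class InBandRegistration {

    /**
     * Attempts in-band registration on a fresh stream.
     * Returns true if the account was created, false if the server refused
     * (for example because in-band registration has been disabled).
     */
    public static boolean register(String host, String domain, String username,
                                   String password, String email) throws Exception {
        ConnectionConfiguration config = new ConnectionConfiguration(host, 5222, domain);
        // Require TLS instead of SecurityMode.disabled.
        // Assumption: the server certificate is trusted by the JVM trust store.
        config.setSecurityMode(ConnectionConfiguration.SecurityMode.required);

        XMPPConnection connection = new XMPPTCPConnection(config);
        connection.connect();
        // No connection.login() here: on an authenticated stream the server
        // answers the jabber:iq:register request with 401 not-authorized.
        try {
            AccountManager accounts = AccountManager.getInstance(connection);
            if (!accounts.supportsAccountCreation()) {
                return false;
            }
            Map<String, String> attrs = new HashMap<String, String>();
            attrs.put("email", email);
            accounts.createAccount(username, password, attrs);
            return true;
        } catch (XMPPErrorException e) {
            // The server replied with an <error/> stanza to the registration IQ.
            System.err.println("Registration refused: " + e.getXMPPError());
            return false;
        } finally {
            connection.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the thread.
        boolean created = register("localhost", "example.test",
                                   "newuser", "change-me", "newuser@example.test");
        System.out.println(created ? "account created" : "registration not available");
    }
}
```

Run against a server where in-band registration has been disabled, a `false` result confirms that unauthenticated clients can no longer create accounts.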

Added by Girish Prabhu over 4 years ago

Thanks Artur.

Probably a dumb question, but if I don't connect as 'admin' or someone who has the permissions to 'create new users' in the system, then how would you allow such operations ?

I'd like to figure out a way to create new users! I have pasted it below for reference. But, most important is for me to be able to create users! I only have ADMIN now! :- )

-g

bin/tclmt.sh -u admin -p -ip localhost remote sess-man add-user gpm1 abc123 gpm1@gpm.com
Jul 02, 2014 9:29:20 AM tigase.xml.db.XMLDB setupNewDB
INFO: Create empty DB.
awaiting response...
tigase.jaxmpp.core.client.exceptions.JaxmppException: Not connected!
    at tigase.jaxmpp.core.client.JaxmppCore$1.write(JaxmppCore.java:143)
    at tigase.jaxmpp.core.client.JaxmppCore$1.write(JaxmppCore.java:164)
    at tigase.jaxmpp.core.client.JaxmppCore.send(JaxmppCore.java:413)
    at tigase.tclmt.JaxmppConnection.sendSync(JaxmppConnection.java:45)
    at tigase.tclmt.JaxmppConnection.sendSync(JaxmppConnection.java:39)
    at tigase.tclmt.SynchronizedConnection$sendSync.call(Unknown Source)
    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:42)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:108)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
    at Script1.run(Script1.groovy:51)
    at org.codehaus.groovy.jsr223.GroovyScriptEngineImpl.eval(GroovyScriptEngineImpl.java:315)
    at org.codehaus.groovy.jsr223.GroovyCompiledScript.eval(GroovyCompiledScript.java:41)
    at tigase.tclmt.Script.execute(Script.java:94)
    at tigase.tclmt.CommandManager.executeScript(CommandManager.java:72)
    at tigase.tclmt.Tclmt.execute(Tclmt.java:178)
    at tigase.tclmt.Tclmt.main(Tclmt.java:226)

Added by Girish Prabhu over 4 years ago

Okay, I was able to add a new user (per Artur's answer, I had to simply connect and send the create user request, without signing in as admin). So, that's working now through SMACK.

How do I protect this feature so that the connection is authorized? Probably some security settings/process? Thanks in advance for the info!

-g

Added by Artur Hefczyc TigaseTeam over 4 years ago

> Probably a dumb question, but if I don't connect as 'admin' or someone who has the permissions to 'create new users' in the system, then how would you allow such operations ?

The point behind the in-band registration protocol is that anybody can register an account on the server. No additional permission is necessary. It is designed for public services where everybody is encouraged to create an account and use it.

Tigase automatically creates a self-signed certificate and enables TLS by default. So you can use a secure connection from your client already.

> bin/tclmt.sh -u admin -p -ip localhost remote sess-man add-user gpm1 abc123 gpm1@gpm.com
> Jul 02, 2014 9:29:20 AM tigase.xml.db.XMLDB setupNewDB
> INFO: Create empty DB.
> awaiting response...
> tigase.jaxmpp.core.client.exceptions.JaxmppException: Not connected!

Are you sure that localhost is the right address for your Tigase server? Can you see any connection attempts in the Tigase logs when you execute the TCLMT command?

Added by Artur Hefczyc TigaseTeam over 4 years ago

> How do I protect this feature so that the connection is authorized? Probably some security settings/process? Thanks in advance for the info!

If you do not want open access to account registration on your server, then you have to disable in-band registration on your server, and then you can create accounts through admin ad-hoc commands as you tried above using the tclmt command.

Added by Girish Prabhu over 4 years ago

Yes, I can disable it on the server. However, I am just not able to get the TCLMT working! It has the same error as I pasted above. "Not Connected". What could I be missing? Thanks!

bin/tclmt.sh -u admin -p tigase -ip localhost remote sess-man add-user gpm1 abc123 gpm1@gpm.com
Jul 04, 2014 12:59:09 AM tigase.xml.db.XMLDB setupNewDB
INFO: Create empty DB.
awaiting response...
tigase.jaxmpp.core.client.exceptions.JaxmppException: Not connected!
    at tigase.jaxmpp.core.client.JaxmppCore$1.write(JaxmppCore.java:143)
    at tigase.jaxmpp.core.client.JaxmppCore$1.write(JaxmppCore.java:164)
    at tigase.jaxmpp.core.client.JaxmppCore.send(JaxmppCore.java:413)
    at tigase.tclmt.JaxmppConnection.sendSync(JaxmppConnection.java:45)
    at tigase.tclmt.JaxmppConnection.sendSync(JaxmppConnection.java:39)
    at tigase.tclmt.SynchronizedConnection$sendSync.call(Unknown Source)
    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:42)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:108)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
    at Script1.run(Script1.groovy:51)
    at org.codehaus.groovy.jsr223.GroovyScriptEngineImpl.eval(GroovyScriptEngineImpl.java:315)
    at org.codehaus.groovy.jsr223.GroovyCompiledScript.eval(GroovyCompiledScript.java:41)
    at tigase.tclmt.Script.execute(Script.java:94)
    at tigase.tclmt.CommandManager.executeScript(CommandManager.java:72)
    at tigase.tclmt.Tclmt.execute(Tclmt.java:178)
    at tigase.tclmt.Tclmt.main(Tclmt.java:226)

Added by Wojciech Kapcia TigaseTeam over 4 years ago

Please try running tclmt with the -debug parameter and share the output. Also, instead of using -ip for specifying the machine, please use the -s parameter.

Added by Girish Prabhu over 4 years ago

Ok, so I ran it with the -debug parameter and also changed the -ip to -s as you suggested. It still has the same issue. Just FYI, I am using tclmt-1.0.0-SNAPSHOT/

$ bin/tclmt.sh -debug -u admin -p tigase -s localhost remote sess-man add-user gpm10 abc123 gpm10@gpm.com
Jul 11, 2014 8:30:27 PM tigase.xml.db.XMLDB setupNewDB
INFO: Create empty DB.
awaiting response...
tigase.jaxmpp.core.client.exceptions.JaxmppException: Not connected!
    at tigase.jaxmpp.core.client.JaxmppCore$1.write(JaxmppCore.java:143)
    at tigase.jaxmpp.core.client.JaxmppCore$1.write(JaxmppCore.java:164)
    at tigase.jaxmpp.core.client.JaxmppCore.send(JaxmppCore.java:413)
    at tigase.tclmt.JaxmppConnection.sendSync(JaxmppConnection.java:45)
    at tigase.tclmt.JaxmppConnection.sendSync(JaxmppConnection.java:39)
    at tigase.tclmt.SynchronizedConnection$sendSync.call(Unknown Source)
    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:42)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:108)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
    at Script1.run(Script1.groovy:51)
    at org.codehaus.groovy.jsr223.GroovyScriptEngineImpl.eval(GroovyScriptEngineImpl.java:315)
    at org.codehaus.groovy.jsr223.GroovyCompiledScript.eval(GroovyCompiledScript.java:41)
    at tigase.tclmt.Script.execute(Script.java:94)
    at tigase.tclmt.CommandManager.executeScript(CommandManager.java:72)
    at tigase.tclmt.Tclmt.execute(Tclmt.java:178)
    at tigase.tclmt.Tclmt.main(Tclmt.java:226)

Mine is a simple installation, does this command line tool work? Could one of you pls send the right usage and output?

-g

Added by Girish Prabhu over 4 years ago

So, here's what I am really trying to do, and looking for help.

  1. I need to create users programmatically from another java application - the application will be running on the same network as the xmpp server.

  2. In the default installation, anyone in the public can connect to the server and create users! - I don't want this behavior, and need to DISABLE the account creation from outside. Could one of you please send me information on how to do this correctly?

I know this is all open source...but it would be great to have some simple documentation for things beyond installation, I mean most common things like creating users...etc. It's pretty painful to get this simple information without searching to find old syntax ...etc. Anyways, your help is appreciated. Thanks!

-g

Added by Artur Hefczyc TigaseTeam over 4 years ago

Girish Prabhu wrote:

> So, here's what I am really trying to do, and looking for help.
>
>   1. I need to create users programmatically from another java application - the application will be running on the same network as the xmpp server.

Using TCLMT as suggested above, however you have a mistake in your call. A correct call looks like this:

bin/tclmt.sh -u admin@gpm.com -p tigase -ip 127.0.0.1 add-user gpm1@gmp.com abc123 gpm1@gmail.com

Note, the actual username is a user JID as indicated in the documentation on the wiki page.

>   1. In the default installation, anyone in the public can connect to the server and create users! - I don't want this behavior, and need to DISABLE the account creation from outside. Could one of you please send me information on how to do this correctly?

There are many ways and everything is documented already:

  1. Globally disable registration for all virtual hosts

  2. Disable registration plugin

  3. You can also disable/enable registration for a single virtual host

> I know this is all open source...but it would be great to have some simple documentation for things beyond installation, I mean most common things like creating users...etc. It's pretty painful to get this simple information without searching to find old syntax ...etc. Anyways, your help is appreciated. Thanks!

As you see everything is there. Documented beyond installation.

Added by Girish Prabhu over 4 years ago

Thanks for the information, Artur. I am still not able to get the TCLMT working.

So, I looked at the server logs while running the script (as per your suggested syntax). I see that there is a SEVERE TLS related exception thrown on the server and the client is then seeing a 'Not connected' exception. In the server logs I see the exception (pasted below). I am assuming tclmt is trying to connect to 5222 (but the server for some reason is throwing TLS exception)

Also, note that I have generated self-signed cert for the server and have installed it as per the instructions in: http://www.tigase.org/content/server-certificate-using-keytool-and-keystore and have added the following lines into init.properties

c2s/connections/tls/keys-store = certs/rsa-keystore
c2s/connections/tls/keys-store-password = <key store password>
c2s/connections/tls/def-cert-alias = gprabhu.mba-local

but....NO LUCK yet! Pls see exception below:

2014-07-20 23:37:18.240 [in_2-c2s]         ClientConnectionManager.processCommand()  FINER: Starting TLS for connection: c2s@gprabhu-mba.local/127.0.0.1_5222_127.0.0.1_55969, type: accept, Socket: c2s@gprabhu-mba.local/127.0.0.1_5222_127.0.0.1_55969 Socket[addr=/127.0.0.1,port=55969,localport=5222], jid: null
2014-07-20 23:37:18.298 [in_2-c2s]         SSLContextContainer.getSSLContext()  SEVERE: Can not initialize SSLContext for domain: gprabhu-mba.local, protocol: TLS
java.security.cert.CertificateException: Issuer class type invalid.
    at sun.security.x509.X509CertInfo.setIssuer(X509CertInfo.java:860)
    at sun.security.x509.X509CertInfo.set(X509CertInfo.java:403)
    at tigase.cert.CertificateUtil.createSelfSignedCertificate(CertificateUtil.java:237)
    at tigase.io.SSLContextContainer.getSSLContext(SSLContextContainer.java:325)
    at tigase.io.SSLContextContainer.getSSLContext(SSLContextContainer.java:272)
    at tigase.io.TLSUtil.getSSLContext(TLSUtil.java:121)
    at tigase.net.IOService.startTLS(IOService.java:435)
    at tigase.server.xmppclient.ClientConnectionManager.processCommand(ClientConnectionManager.java:888)
    at tigase.server.xmppclient.ClientConnectionManager.processPacket(ClientConnectionManager.java:156)
    at tigase.server.AbstractMessageReceiver$QueueListener.run(AbstractMessageReceiver.java:1475)
2014-07-20 23:37:18.299 [in_2-c2s]         ClientConnectionManager.processCommand()  WARNING: Error starting TLS: {0}
java.lang.NullPointerException
    at tigase.io.TLSWrapper.<init>(TLSWrapper.java:165)
    at tigase.net.IOService.startTLS(IOService.java:438)
    at tigase.server.xmppclient.ClientConnectionManager.processCommand(ClientConnectionManager.java:888)
    at tigase.server.xmppclient.ClientConnectionManager.processPacket(ClientConnectionManager.java:156)
    at tigase.server.AbstractMessageReceiver$QueueListener.run(AbstractMessageReceiver.java:1475)
2014-07-20 23:37:18.299 [in_2-c2s]         ConnectionManager.serviceStopped()  FINER:   [[c2s]] Connection stopped: c2s@gprabhu-mba.local/127.0.0.1_5222_127.0.0.1_55969, type: accept, Socket: c2s@gprabhu-mba.local/127.0.0.1_5222_127.0.0.1_55969 Socket[addr=/127.0.0.1,port=55969,localport=5222], jid: null

Added by Artur Hefczyc TigaseTeam over 4 years ago

Girish Prabhu wrote:

> Thanks for the information, Artur. I am still not able to get the TCLMT working.
>
> So, I looked at the server logs while running the script (as per your suggested syntax). I see that there is a SEVERE TLS related exception thrown on the server and the client is then seeing a 'Not connected' exception. In the server logs I see the exception (pasted below). I am assuming tclmt is trying to connect to 5222 (but the server for some reason is throwing TLS exception)
>
> Also, note that I have generated self-signed cert for the server and have installed it as per the instructions in: http://www.tigase.org/content/server-certificate-using-keytool-and-keystore and have added the following lines into init.properties
>
> c2s/connections/tls/keys-store = certs/rsa-keystore
> c2s/connections/tls/keys-store-password =
> c2s/connections/tls/def-cert-alias = gprabhu.mba-local
>
> but....NO LUCK yet! Pls see exception below:

It turns out the documentation is not really up to date. We have simplified things in Tigase a lot since publishing this document.

Tigase now supports popular pem files for storing SSL certificates; it also automatically generates a self-signed certificate if one is missing for your domain. So my suggestion is the following:

  1. Remove the above lines from your config file

  2. Remove your self-signed certificate

  3. Restart Tigase server and try to connect to your domain

  4. Tigase should automatically generate a self-signed certificate for your domain (which version of Tigase do you use?) - make sure there are no exceptions or any errors during communication

  5. Check if you can connect with the tclmt tool or any other XMPP client

  6. Then look up the newly generated certificate in the certs/ folder

  7. Replace the pem file with a pem file with your own self-signed certificate. Here you have instructions on how to prepare a pem file which can be loaded by Tigase: http://www.tigase.org/content/creating-and-loading-server-certificate-pem-files

Added by Girish Prabhu over 4 years ago

The version is tigase-server-5.2.0-b3447

I will try it...but I didn't have any of these settings and I was able to connect on 5222, but as soon as I started using TCLMT to connect and add-users, I started seeing TLS Severe exceptions. So, presumably I was on the auto generated certificate, but tclmt seems to connect to secure port or something, not sure.

fyi I am using tclmt-1.0.0-SNAPSHOT

-g


Added by rushikesh deshpande about 4 years ago

I also have the same issue

Added by Abhinav Gupta over 3 years ago

@Girish Prabhu,

I am facing the same issue, which by the way is resolved by your suggestion of writing the command fully like below,

> Using TCLMT as suggested above, however you have a mistake in your call. A correct call looks like this:
>
> bin/tclmt.sh -u admin@gpm.com -p tigase -ip 127.0.0.1 add-user gpm1@gmp.com abc123 gpm1@gmail.com

What I did before doing this was copy the Jaxmpp jar files (core and j2se) to the jars folder inside the tclmt script folder.

My question is whether adding the IP address solved the issue or copying the jar files did.
