Tigase5.2: SASL auth request becomes NonSASL

Igor Khomenko
Added almost 5 years ago

Hi there, I'm updating our XMPP Chat server from Tigase 5.1beta to 5.2 and have some issues with the Custom Auth connector.

We use tigase-custom

I see that there were lots of updates to the tigase.auth package, as it now has more classes and more packages inside.

And I totally don't understand how SASL PLAIN auth works in Tigase5.2.

Here is the log of how the client tries to authenticate:

    SEND: <?xml version='1.0'?>
    SEND: <stream:stream xmlns='jabber:client' xmlns:stream='' version='1.0' to='localhost'>
    RECV: <stream:stream xmlns="jabber:client" xmlns:stream="" from="localhost" id="4843d50d-1e8f-433d-9861-aa232d1145ed" version="1.0" stream1:lang="en"/>
    RECV: <stream:features xmlns:stream=""><ver xmlns="urn:xmpp:features:rosterver"/><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism></mechanisms><compression xmlns=""><method>zlib</method></compression><auth xmlns=""/></stream:features>
    SEND: <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">ADk4MDYzMi05MgBuZXd0aWdhc2U=</auth>

As you can see, we try to use the SASL PLAIN mechanism.

This is the stack trace of how Tigase5.2 handles this packet:

    at tigase.db.jdbc.TigaseCustomAuth.otherAuth(
    at tigase.db.AuthRepositoryMDImpl.otherAuth(
    at tigase.auth.impl.AuthRepoPlainCallbackHandler.handleVerifyPasswordCallback(
    at tigase.auth.impl.AuthRepoPlainCallbackHandler.handleCallback(
    at tigase.auth.impl.AuthRepoPlainCallbackHandler.handle(
    at tigase.auth.mechanisms.AbstractSasl.handleCallbacks(
    at tigase.auth.mechanisms.SaslPLAIN.evaluateResponse(
    at tigase.xmpp.impl.SaslAuth.process(
    at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(

I print this stack trace inside the tigase.db.jdbc.TigaseCustomAuth.otherAuth method.

And next, I print the props attribute of this method:

    {protocol=nonsasl, realm=localhost, user-id=980632-92@localhost, server-name=localhost, password=newtigase}

I don't understand why protocol=nonsasl is here. I tried to find where this happens and found the method tigase.auth.impl.AuthRepoPlainCallbackHandler.handleVerifyPasswordCallback, where we can see the following code:

    Map<String, Object> map = new HashMap<String, Object>();

    map.put(AuthRepository.PROTOCOL_KEY, AuthRepository.PROTOCOL_VAL_NONSASL);
    map.put(AuthRepository.USER_ID_KEY, jid);
    map.put(AuthRepository.PASSWORD_KEY, passwd);
    map.put(AuthRepository.REALM_KEY, jid.getDomain());
    map.put(AuthRepository.SERVER_NAME_KEY, jid.getDomain());

Could you please explain why you set PROTOCOL_VAL_NONSASL here?

Right now I'm not sure that I can use the Custom Auth connector with Tigase5.2; I'm not sure that any connectors from tigase.db.jdbc work.


Replies (3)


Added by Artur Hefczyc TigaseTeam almost 5 years ago

Did you actually try to use the Tigase server version 5.2.0? Have you had any particular problems with users logging in? What kind of errors did you receive? Or are these just your code review concerns?

If you use a custom authentication connector and specified your own SQL queries for user login, then all the code changes in our last Tigase version should be transparent to you and everything should just work.


Added by Bartosz Małkowski TigaseTeam almost 5 years ago

PROTOCOL_VAL_NONSASL is a workaround to force using the given username:password (USER_ID_KEY, PASSWORD_KEY) instead of parsing (here: "ADk4MDYzMi05MgBuZXd0aWdhc2U=").

We are making changes in the API slowly, as you can see. We added customizable SASL stuff to make an easy way to implement your own SASL authentication. But the default SASL implementation internally uses methods created for non-SASL auth.
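
An added illustration, not Tigase code and not part of the original thread: a standalone Java program that decodes the PLAIN payload from the log in the question as an RFC 4616 message and builds a map shaped like the printed props. The class and method names are hypothetical, the key strings are copied from the printed props, and user-id is a plain String here rather than a BareJID.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class SaslPlainDemo {

    /** Splits an RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd. */
    static String[] decodePlain(String base64) {
        // Throws IllegalArgumentException if the input is not valid Base64.
        byte[] raw = Base64.getDecoder().decode(base64);
        String msg = new String(raw, StandardCharsets.UTF_8);
        int first = msg.indexOf('\0');
        int second = msg.indexOf('\0', first + 1);
        // Exactly two NUL separators are allowed; anything else is malformed.
        if (first < 0 || second < 0 || msg.indexOf('\0', second + 1) >= 0) {
            throw new IllegalArgumentException("malformed SASL PLAIN message");
        }
        String authzid = msg.substring(0, first);      // may be empty
        String authcid = msg.substring(first + 1, second);
        String passwd = msg.substring(second + 1);
        if (authcid.isEmpty() || passwd.isEmpty()) {
            throw new IllegalArgumentException("empty authcid or password");
        }
        return new String[] { authzid, authcid, passwd };
    }

    /** Hypothetical helper: builds a map shaped like the props printed in the question. */
    static Map<String, Object> toProps(String[] plain, String domain) {
        Map<String, Object> props = new LinkedHashMap<>();
        props.put("protocol", "nonsasl");               // value seen in the printed props
        props.put("user-id", plain[1] + "@" + domain);  // String stand-in for a BareJID
        props.put("password", plain[2]);
        props.put("realm", domain);
        props.put("server-name", domain);
        return props;
    }

    public static void main(String[] args) {
        // Base64 payload copied from the <auth/> stanza in the question's log.
        String[] plain = decodePlain("ADk4MDYzMi05MgBuZXd0aWdhc2U=");
        System.out.println("authzid=\"" + plain[0] + "\" authcid=" + plain[1]);
        System.out.println(toProps(plain, "localhost"));
    }
}
```

The payload is only Base64-encoded, so the decoded password is the same cleartext string that appears in the printed props.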

Added by Igor Khomenko almost 5 years ago

Thanks Artur and Bartosz,

"But the default SASL implementation internally uses methods created for non-SASL auth."

This is useful information.

What I would like to confirm is the following: look at the tigase.db.jdbc.TigaseCustomAuth.otherAuth method.

In 5.1 it goes inside these 2 ifs, to the saslPlainAuth method:

    if (proto.equals(PROTOCOL_VAL_SASL)) {
        String mech = (String) props.get(MACHANISM_KEY);

        if (mech.equals("PLAIN")) {
            try {
                if (saslPlainAuth(props)) {

But in 5.2 it skips this if and goes to the next nonsasl if, to the plainAuth method:

    if (proto.equals(PROTOCOL_VAL_NONSASL)) {
        String password = (String) props.get(PASSWORD_KEY);
        BareJID user_id = (BareJID) props.get(USER_ID_KEY);
        if (password != null) {
            return plainAuth(user_id, password);

And this is the main problem in this situation.

For me these 2 ways are different because they have different implementations.

It looks like in this particular situation I need to customise the plainAuth method a bit, because our DB stores passwords in its own format.