mirror of https://github.com/vanitasvitae/Smack.git synced 2025-09-10 17:49:38 +02:00

Don't set SASL authid parameter to username (SMACK-371)

RFC4616 states that if the authorization identity (authzid) parameter is
null, then it is derived from the authentication
identity (authcid). Smack currently sets both, authzid and authcid, to
the username, resulting in auth attempts of

userid\0userid\0password

instead of

userid\0password

Which are different users on most systems (e.g. Kerberos).

We now set only SASLMechanism.authenticationId to username. The
authenticate(String, CallbackHandler) method does now no longer receive
the username, as it's sent by the CallbackHandler.
Florian Schmaus 2014-03-02 14:21:21 +01:00
parent f7fc38e1f4
commit a7ec0338bc
5 changed files with 9 additions and 13 deletions
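
The difference the commit message describes, as an added example that is not part of the Smack commit: RFC 4616 defines the PLAIN message as `[authzid] NUL authcid NUL passwd`, so an unset authzid goes on the wire as an empty first field. The class and method names are hypothetical and the credentials are constructed.

```java
import java.nio.charset.StandardCharsets;

// Added example (not Smack code). RFC 4616: message = [authzid] NUL authcid NUL passwd
public class PlainMessageDemo {

    /** Client side: build the PLAIN initial response. A null authzid is sent as empty. */
    static byte[] encode(String authzid, String authcid, String passwd) {
        String msg = (authzid == null ? "" : authzid) + '\0' + authcid + '\0' + passwd;
        return msg.getBytes(StandardCharsets.UTF_8);
    }

    /** Server side: split on NUL and report which identity the client asked to act as. */
    static String describe(byte[] message) {
        // limit -1 keeps empty fields, so an empty authzid is still parts[0]
        String[] parts = new String(message, StandardCharsets.UTF_8).split("\0", -1);
        if (parts.length != 3 || parts[1].isEmpty() || parts[2].isEmpty()) {
            throw new IllegalArgumentException("malformed PLAIN message");
        }
        String authzid = parts[0];
        String authcid = parts[1];
        if (authzid.isEmpty()) {
            // No authzid given: the server derives it from the authcid
            return "authcid=" + authcid + " authzid=<derived by server from authcid>";
        }
        // Explicit authzid: the server must decide whether authcid may act as authzid
        return "authcid=" + authcid + " authzid=" + authzid
                + " (explicit, needs an authorization check)";
    }

    public static void main(String[] args) {
        // Constructed sample credentials
        byte[] before = encode("userid", "userid", "password"); // authzid set to the username
        byte[] after = encode(null, "userid", "password");      // authzid left unset
        System.out.println(describe(before));
        System.out.println(describe(after));
    }
}
```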


@ -313,7 +313,7 @@ public class BOSHConnection extends Connection {
if (password != null) {
response = saslAuthentication.authenticate(username, password, resource);
} else {
response = saslAuthentication.authenticate(username, resource, config.getCallbackHandler());
response = saslAuthentication.authenticate(resource, config.getCallbackHandler());
}
} else {
throw new XMPPException("No non-anonymous SASL authentication mechanism available");
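
Review bot: In the `else` branch the `username` available in this method is now silently dropped, so the authentication identity depends entirely on what `config.getCallbackHandler()` returns, while the password branch still passes `username` explicitly. Please document on `authenticate(resource, CallbackHandler)` that the handler must supply the username, and consider failing early with an `XMPPException` when the configured handler is null, since the visible code passes it through unchecked.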