StaticPassword Problem

[rdfield]

I'm using the standard demo.conf file, with DJabberd::RosterStorage::SQLite commented out, and DJabberd::RosterStorage::InMemoryOnly uncommented.

The HTML file I am using is (other than the usual chrome):

<script>
var conn = new Strophe.Connection("http://192.168.1.150/http-bind/");
conn.connect("admin@192.168.1.150/random_res_id", "secret", function (status)     {
if (status === Strophe.Status.CONNECTED) {
   alert("Connected");
}});
</script>

According to my understanding of the demo config file only users "partya" and "partyb" should be able to connect, but the current config allows any user in if the supplied password matches the one defined for DJabberd::Authen::StaticPassword. I have checked the djabberd log file and the expected output ("denying, unless allowed:") from DJabberd::Authen::AllowedUsers isn't there.

[alexmv]

I just looked into this a bit. This is because multiple auth schemes don't play well with each other; the StaticPassword hooks GetPassword, which means that DJabberd::IQ never gets to checking the CheckClearText hook where AllowedUsers hooked in.

The right fix is to split Auth (like StaticPassword) from Authz (like AllowedUsers); then, ideally, make auth checks be allowed to accept, reject, or decline, and stop on the first accept or reject -- and make authz handlers be able to accept or reject, and any reject bails out with an auth fail.