Project: XMPP Framework
Version: 6.x-2.0
Component: XMPP-User
Category: feature request
Priority: normal
Assigned: Unassigned
Status: active

Issue Summary

The implementation of Drupal I work with runs on an HTTPS site on Apache2. Because of some of the applications that hang off the installation, we need to do authentication through the web server itself. Once we log into the basic pop-up box the webserver_auth module will ensure that all Drupal users are logged in. With the current feature set of the xmppframework, we are not able to have SSO. Instead we had to have each user go to their profile and manually enter in their password. I then noticed that the passwords were being stored within the database in cleartext (see bug about decryption function not working). Since my site is running on 443 (HTTPS) I am fine passing the basic credentials since the traffic itself is encrypted. I made some additions/modifications to the framework that may be useful to implement.

Changes to xmpp_user.admin.inc:

  $form['xmpp_user_settings']['xmpp_user_web_authentication'] = array(
    '#type' => 'checkbox',
    '#title' => t('Authenticate User with WS Credentials'),
    '#default_value' => variable_get('xmpp_user_web_authentication', FALSE),
    '#description' => t('If checked the system will use the authentication credentials from the web server. Works well with webserver_auth module.'),
  );

If the box is not checked and a password is not set then it will default to the "Configure client" link within the actual block. If you do have it checked then you will be able to begin chatting.

Changes to xmpp_user.module:

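// If nothing re-verify the database table just in case it was missing
if (variable_get('xmpp_user_web_authentication', FALSE)) {
  // Take the HTTP Basic password from the web server; it is not written to the database.
  // PHP_AUTH_PW is unset when the request carried no Basic credentials.
  $password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : NULL;
}
else {
  // Otherwise fall back to the password stored for this user in {xmpp_user}.
  $password = db_result(db_query("SELECT password FROM {xmpp_user} WHERE uid = %d", $account->uid));
}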

When the configuration is verified the user's password will be considered null. Instead of pulling it from the database, I instead choose to pull it from the $_SERVER variables. Once set, I do NOT enter the password into the database and instead have it passed on as is. The benefit here is that there is no longer risk of having the database compromised and losing all accounts (especially important if LDAP is being used).

This is probably not the perfect way to implement this, but it has been tested on my local chatting solution and seems to work without any issues. Please feel free to comment on what you think and if you feel that is a novel addition.
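
The credential pass-through described in the issue summary, as an added example (not code from the xmpp_user module or from the attached patch): a stand-alone function, with the hypothetical name `example_web_auth_password()`, that forwards the HTTP Basic password only when the request arrived over HTTPS and the Basic-auth user matches the Drupal account, and otherwise returns NULL so the block can fall back to the "Configure client" link. It assumes the Drupal account name equals the Basic-auth user name and, for the `HTTP_AUTHORIZATION` fallback, that the web server passes that header through to PHP.

```php
<?php
/**
 * Hypothetical helper (not part of xmpp_user): return the HTTP Basic password
 * to hand to the XMPP client, or NULL if it should not be used.
 */
function example_web_auth_password(array $server, $account_name, $enabled) {
  if (!$enabled) {
    return NULL;
  }
  // Basic credentials are only base64-encoded; refuse them on plain HTTP.
  if (empty($server['HTTPS']) || strtolower($server['HTTPS']) === 'off') {
    return NULL;
  }
  $user = isset($server['PHP_AUTH_USER']) ? $server['PHP_AUTH_USER'] : NULL;
  $pass = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : NULL;
  // Under CGI/FastCGI PHP may not fill PHP_AUTH_*; parse the raw header
  // if the web server has been configured to pass it through (assumption).
  if ($user === NULL && isset($server['HTTP_AUTHORIZATION'])
      && stripos($server['HTTP_AUTHORIZATION'], 'Basic ') === 0) {
    $decoded = base64_decode(substr($server['HTTP_AUTHORIZATION'], 6), TRUE);
    if ($decoded !== FALSE && strpos($decoded, ':') !== FALSE) {
      list($user, $pass) = explode(':', $decoded, 2);
    }
  }
  // Only forward the password when it belongs to the logged-in account.
  if ($user === NULL || $pass === NULL || $pass === '' || $user !== $account_name) {
    return NULL;
  }
  return $pass;
}

// Constructed sample requests (not real credentials).
$requests = array(
  'https + basic' => array('HTTPS' => 'on', 'PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'example-pw'),
  'plain http'    => array('PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'example-pw'),
  'other user'    => array('HTTPS' => 'on', 'PHP_AUTH_USER' => 'bob', 'PHP_AUTH_PW' => 'example-pw'),
  'cgi header'    => array('HTTPS' => 'on', 'HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:example-pw')),
  'no basic auth' => array('HTTPS' => 'on'),
);
foreach ($requests as $label => $server) {
  $pw = example_web_auth_password($server, 'alice', TRUE);
  echo $label, ': ', ($pw === NULL ? 'fall back to "Configure client"' : 'forward password'), "\n";
}
```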

Comments

#1

You should not have to manually add the password; the xmpp_user module is actually designed to retrieve the password the user entered to log into the Drupal site if the 'xmpp_user_store_login_password' is set in the xmpp user module configuration. Code for this is below:

<?php
function xmpp_user_form_alter(&$form, $form_state, $form_id) {
  if (variable_get('xmpp_user_store_login_password', FALSE)) {
    switch ($form_id) {
      case 'user_login':
      case 'user_login_block':
        $form['#submit'][] = 'xmpp_user_login_block_submit';
        break;
    }
  }
}
?>

Now if you are not utilizing the user_login or user_login_block functions and are logging in some other way then it will not be able to retrieve the password and assign it into the database so the user does not have to enter the password.

<?php
  $form['xmpp_user_settings']['xmpp_user_store_login_password'] = array(
    '#type' => 'checkbox',
    '#title' => t('Store Login password as XMPP Password'),
    '#default_value' => variable_get('xmpp_user_store_login_password', FALSE),
    '#description' => t('If checked the system will over write the xmpp password stored in the module with the password utilized on login, useful in ldap environment'),
  );
?>

This is the code in the xmpp_user.admin.inc file where it will show on the module admin interface for the xmpp user module.

I believe this should solve the issue you were specifying above.

#2

I understand the functionality of that, but it does not suit my needs and may not for others. I do not use the login block as you stated and as a result it is not able to get the password. In my case I use the web server's authentication credentials to forward them to my Drupal instance. The second method where it can't find the password and stores it is not something I want to risk within the organization. That effectively places domain level credentials in a MySQL database. Instead with this method I am able to never store the password, but instead forward the credentials from the web server (the same to log me in) to the XMPPframework and therefore not have the user enter a password at all. It is not so much a feature request as a possible addition to the module.

#3

Brandon, can you then provide the changes you made as a patch against the current CVS head and I will look at implementing them into the branch if they are good. That will get the functionality for SSO into the module.

#4

Attached is the patch for the xmpp_user files in the contrib section.

Attachment: xmpp_user.patch (5.34 KB)