[jdev] sasl error on multiple <auth/>?
Matthew A. Miller
linuxwolf at outer-planes.net
Mon Aug 29 21:46:44 UTC 2011
On Aug 29, 2011, at 15:43, Peter Saint-Andre wrote:
> On 8/29/11 11:50 AM, Kim Alvefur wrote:
>> Or act as if the client sent <foobar/>. Ie error and (maybe?) close the stream.
>
> Well, <foobar/> would result in the <unsupported-stanza-type/>
> condition. Here the <auth/> element is acceptable in general, but not at
> this point in the stream. For stanza errors we have a condition of
> <unexpected-request/> but we don't have that for stream errors. If we
> did, that's what I'd recommend sending. (Although does this really
> warrant closing the stream?)
>
There is also <policy-violation/>, if <not-authorized/> seems odd.
And I think I would consider a subsequent attempt to authenticate worthy of closing the stream. It's a re-authorization request, which could very well mean some form of hijacking has taken place.
- m&m
<http://goo.gl/voEzk>
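
The handling proposed in this message, sketched as an added example (not part of the original post and not taken from any server implementation): a per-connection guard that answers a second `<auth/>` after SASL success with a `<policy-violation/>` stream error and closes the stream. The class and method names are hypothetical, and the SASL exchange and stanza routing are assumed to live elsewhere.

```python
import xml.etree.ElementTree as ET

NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_STREAMS = "urn:ietf:params:xml:ns:xmpp-streams"
NS_CLIENT = "jabber:client"
STANZAS = {"message", "presence", "iq"}


class StreamGuard:
    """Hypothetical per-connection state tracker; constructed for illustration."""

    def __init__(self):
        self.authenticated = False
        self.closed = False

    def on_sasl_success(self):
        # Called by the SASL layer (not shown) when the exchange completes.
        self.authenticated = True

    def _stream_error(self, condition):
        # Stream errors are unrecoverable: send the error, then close.
        self.closed = True
        return ("close", f'<stream:error><{condition} xmlns="{NS_STREAMS}"/>'
                         '</stream:error></stream:stream>')

    def handle(self, raw):
        """Classify one top-level element; returns (action, reply_xml)."""
        if self.closed:
            return ("ignore", None)
        try:
            tag = ET.fromstring(raw).tag
        except ET.ParseError:
            return self._stream_error("not-well-formed")
        ns, _, name = tag[1:].partition("}") if tag[0] == "{" else ("", "", tag)
        if (ns, name) == (NS_SASL, "auth"):
            if self.authenticated:
                # Acceptable element, wrong point in the stream: treat it as
                # a re-authentication attempt and end the session.
                return self._stream_error("policy-violation")
            return ("sasl", None)    # pass to the SASL mechanism
        if ns == NS_CLIENT and name in STANZAS:
            if not self.authenticated:
                return self._stream_error("not-authorized")
            return ("route", None)   # normal stanza routing
        return self._stream_error("unsupported-stanza-type")
```

Logging each `policy-violation` close with the connection's source address and bound JID gives operators a record of repeated authentication attempts on an established stream.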