[jdev] sasl error on multiple <auth/>?

Alexander Holler holler at ahsoftware.de
Thu Aug 25 14:57:48 UTC 2011


I have a similiar question as the one before. ;)

What should a server do when he receives an <auth/> after a successfull 

RFC 6120 6.4.2 only defines what happens when the authentication isn't 
completed but not what happens when the authentication was completed.

Maybe a <failure/> with <malformed-request/>. Or should the server 
proceed and throw away the authentication done before?

It's easy to fool clients into doing that, just announce <mechanisms/> 
in <features/> when the stream got restarted after successfull 
authentication. That itself isn't the correct thing to do, but happens. ;)



More information about the JDev mailing list