[jdev] sasl error on multiple <auth/>?

Matthew A. Miller linuxwolf at outer-planes.net
Mon Aug 29 21:46:44 UTC 2011

On Aug 29, 2011, at 15:43, Peter Saint-Andre wrote:

> On 8/29/11 11:50 AM, Kim Alvefur wrote:
>> Or act as if the client sent <foobar/>. I.e., error and (maybe?) close the stream.
> Well, <foobar/> would result in the <unsupported-stanza-type/>
> condition. Here the <auth/> element is acceptable in general, but not at
> this point in the stream. For stanza errors we have a condition of
> <unexpected-request/> but we don't have that for stream errors. If we
> did, that's what I'd recommend sending. (Although does this really
> warrant closing the stream?)

There is also <policy-violation/>, if <not-authorized/> seems odd.

And I think I would consider a subsequent attempt to authenticate worthy of closing the stream.  It's a re-authorization request, which could very well mean some form of hijacking has taken place.

- m&m
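
The behaviour suggested in this message, as an added example that is not part of the original post or of any server's code: a per-connection gate that lets a failed `<auth/>` be retried but answers an `<auth/>` arriving after a successful negotiation with a stream error and a closed stream. The class `SaslGate`, its `mechanism_ok` parameter and the sample credentials are assumptions made for illustration; the choice of `<policy-violation/>` follows the suggestion above and is not a settled recommendation.

```python
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
STREAMS_NS = "urn:ietf:params:xml:ns:xmpp-streams"


class SaslGate:
    """Per-connection SASL state (hypothetical helper, not a real server API)."""

    def __init__(self, condition="policy-violation"):
        self.condition = condition   # or "not-authorized", per the thread
        self.authenticated = False
        self.closed = False

    def on_element(self, xml_text, mechanism_ok):
        """Return the list of XML strings the server sends in reply.

        mechanism_ok stands in for the outcome of the SASL mechanism.
        """
        if self.closed:
            return []                      # nothing is processed after close
        if ET.fromstring(xml_text).tag != f"{{{SASL_NS}}}auth":
            return []                      # other elements are out of scope here
        if self.authenticated:
            # <auth/> after a successful negotiation: stream error, then close.
            self.closed = True
            return [
                f"<stream:error><{self.condition} xmlns='{STREAMS_NS}'/></stream:error>",
                "</stream:stream>",
            ]
        if mechanism_ok:
            self.authenticated = True
            return [f"<success xmlns='{SASL_NS}'/>"]
        # A failed attempt may be retried; it does not trip the gate.
        return [f"<failure xmlns='{SASL_NS}'><not-authorized/></failure>"]


# Constructed sample input (credentials are made up).
AUTH = f"<auth xmlns='{SASL_NS}' mechanism='PLAIN'>AGp1bGlldABwYXNz</auth>"


def demo():
    """Failed attempt, successful attempt, then two more <auth/> elements."""
    gate = SaslGate()
    return [gate.on_element(AUTH, ok) for ok in (False, True, True, True)]
```
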
