[jdev] XMPP "APIs"

Justin Karneges justin at affinix.com
Sun Jan 13 08:47:23 UTC 2013

On Saturday, January 12, 2013 01:03:59 PM Jonas Wielicki wrote:
> It seems just natural to me to use XMPP for that purpose, however, I'm a
> bit cautious with just accepting the XMPP servers authentication. I know
> that I'm pretty safe when I'm doing that between my own servers running
> on the same machine, but from outwards I could easily be MITM'd.

Good point. I think this problem can be mostly solved with TLS and s2s. My 
plan, which I have not yet implemented, is to allow setting a "TLS required" 
flag on any whitelisted JID. The XMPP server itself would not enforce TLS, and 
instead negotiate it opportunistically, but I'd need to hack it to tell my 
server app whether an incoming stanza arrived from a TLS-protected stream or 
not, so that my server app could make the choice of whether to accept or 

> In another project, we thought about using XMPP for a website commenting
> service. We didn't come to a coherent design though, mainly as one has
> to consider that not everyone has s2s-capable XMPP (which would require
> an HTTP alternative) and that most XMPP clients are not made to create
> longer comments.

True, it's a steep requirement to insist that someone have an XMPP server in 
order to access your service. I think whether you can get away with this or 
not depends on the nature of your service. If it's sufficiently advanced, like 
say, Buddycloud federation, then I think people can accept it as the rules of 
the game. But if it's just CRUD stuff that you want people to be able to whip 
up simple apps for, then you pretty much have to offer HTTP at minimum.


More information about the JDev mailing list