May 8, 2008 2:41 AM
Fastpath fails with Anonym login disabled
-
Like (0)
16275 Views
34 Replies
Latest reply:
Aug 27, 2008 12:45 PM by
wroot 
-
Fastpath is an anonymous login. The user is not required to have an account on the server. You can make this a requirement in the setting s of fastpath (see attachment). You would likely need to add a field for password to make this work.
Attachments:-
ScreenShot018.jpg (121.2 K)
-
Thank you for very fast answer
I think, you don't undestand me. I need to work fastpath + webchat. And webchat must be open for everybody. But is a bad idea open anonymous login overall (it is not secure, I not like spammers in any way
). But, in other side, we can open anonymous login for webchat server only, it's will be secure (in any case fastpath will redirect all communication through webchat only to special groups, which not interested for bad guys). If web auth limited, guest can't communicate by webchat, which not acceptable
So, if we limited anonymous access to only some IPs, we can create communication for guests by webchat, but communications through direct connection to jabber server still limited.
PS. Sorry for my english...
-
-
> I'm almost sure that i have Anonymous login disabled at my production server and Fastpath was starting fine for me.
How you do that? When anonymous login disabled, fastpath+webchat stop working
>Have you checked IP restriction option on the same page ( Registration Settings)? I'm not sure how this will affect webchat users.
I will try to explain a bit more.
At the first: I wish use OpenFire as corporate jabber server (registration very restricted) for internal communication. My colleagues work in different cities and I can't limit access to jabber server by firewall. And I need some support for customers. Anybody may connect to support web page and talk. Webchat+fastpath is perfect for this, but anonymous access to server must be disabled because of security, but no authorization must be in webchat. In other side anonymous access must be enabled because fastpath requrements.
Ideal solution will be limit anonymous access by IPs list/ranges
-
-
Unfortunately, I can't use firewall. Because, at first, some users have a dynamically assigned IPs (limited by they providers), and, secondary, mobile users. No, firewall limits is not right for me
I need limit only anonymous, not for all.Of course, I can put (and will) openfire server to DMZ, but this is will protect only from hack, but not from spam
I think, I must make feature request for openfire authors
It so strange why openfire architectors forgot about spammers.In any way, thank for all for OpenFire server and for help
I hope, wr00t will check config of his server and will publish setting.
-
-
Im trying out Webchat and Fastpath for the first time, and I agree with Alexander on this issue.
Unless I'm mistaken about the implications of allowing anonymous logins to openfire, I belive this could be a security problem. In our environment we use Openfire as our corporate IM server, and have roaming users connecting via random IP addresses, authenticating with Openfire via LDAP/AD. If we want to implement FastPath, it seems that we need to enable Anonymous logins on Openfire, which I assume means that anyone can open an XMPP connection and send messages to any of our users - a big security hole!
We obviously only want Anonymous connections to come into the Fastpath Queues, and only from our webserver IP address. So, there are a few ways this could be achieved, either only allow Anonymous connections from specified IP addresses (authenticated connections from any address), or have the WebChat client login to Openfire using a pre-defined username and password, which would negate the need for anonymous logins at all.
I would say that this setup is a pretty common scenario, so how have others got around this problem?
Edit: Just found another thread about this, and a comment from Dombiak Gaston:
Hey Joseph,
Are you using the webclient to let users/people make their questions?
If you are not using it then there is no need to allow anonymous users.
However, if you are using it then we would need to implement a new
enhancement so that you can specify the list of valid IP address for
anonymous users. Would that work for you?
I am not Joseph, but Dombiak if you are reading this, yes this would work for me!
Ben
-
Ben, you are right.
If you use FastPath only - there is no any problem. But, if you wanna use webchat plugin module - you got a lot of troubles with security.
A best way for resolve this - limit anonymous connections to some IP hosts/networks. Or workaround - limit WebChat connections to some predefined user. Unfortunately sorce code of WebChat is unavailable, so, we can't chak is a workaround is possible.
I hope, webchat will be open source software
-
-
-
-
-
-
-
-
-
Hey Steve,
I was concerned about anonymous users from the internet using our spark server if i leave anonymous users selected. I know that webchat requires it to run the way it does.... But i am concerned about some kid on the outside seeing what ports i have opened up on my firewall and then connecting to our server and sending garbage to our employees.... I don't care if they try to do it from the web site persay but if they access it directly via the port they are already up to no good anyway... We have 6 remote locations and a handful of traveling people that login to our server so locking it down by IP address is out of the question.
Oh, I see now what you mean and I agree. Currently there is no way to limit IP addresses that anonymous users could use and leave the rest open for not-anonymous users. If someone is willing to contribute that improvement we would gladly include it and also guide in the development of that feature.
>Is an anonymous user anything thats getting exploited yet?
I never heard of that happening before. In fact, I don't know of any XMPP client that supports anonymous users. However, we do support it in our Smack library. That means that technically someone may exploit this vulnerability.
Am I correct to assume that there will be a sparkweb plugin in the future?
Sparkweb plugin for Fastpath? We do not have plans for that but you are not the first one asking for that. May be someone will contribute that work.
P.S. I love the openfire/wildfire/spark project, you guys rock!
Sweet.
Regards,
-- Gato
-
The least that i can do, is to create a ticket in JIRA:
JM-1386 -
spotter wrote:
I was concerned about anonymous users from the internet using our spark server if i leave anonymous users selected. I know that webchat requires it to run the way it does.... But i am concerned about some kid on the outside seeing what ports i have opened up on my firewall and then connecting to our server and sending garbage to our employees.... I don't care if they try to do it from the web site persay but if they access it directly via the port they are already up to no good anyway... We have 6 remote locations and a handful of traveling people that login to our server so locking it down by IP address is out of the question. Is an anonymous user anything thats getting exploited yet?
Right, what are you all worried about? I dare any of you to try and exploit the anonymous user functionality. I bet you can't.
It is not as unsecure as it sounds.-
Rob, if there is no jabber clients with anonymous logins functionality, its does not mean that somebody can't create it
I see no way for hack system using anonymous logins, but I see a lot possibilities for a spammers. So, a best way to protect myself from rats is blocked all ratholes and open ways
In anyway, in few day patch will be published
so I not see any subject of dispute
-
-
-
-
-
-
-
-
This patch was implemented in 3.6.0 http://www.igniterealtime.org/issues/browse/
JM-1389
