This is an automated email from the ASF dual-hosted git repository. quantranhong1999 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 605a2f6e69ddb1440fb4580fc822702eaddc554a Author: Felix Auringer <[email protected]> AuthorDate: Mon May 18 15:52:05 2026 +0200 refactor(imap): better names and comments for authentication processors --- .../imap/processor/AbstractAuthProcessor.java | 4 ++-- .../imap/processor/AuthenticateProcessor.java | 25 ++++++++++++---------- .../james/imap/processor/LoginProcessor.java | 7 ++++-- 3 files changed, 21 insertions(+), 15 deletions(-) diff --git a/protocols/imap/src/main/java/org/apache/james/imap/processor/AbstractAuthProcessor.java b/protocols/imap/src/main/java/org/apache/james/imap/processor/AbstractAuthProcessor.java index abbeadb195..4bd2cbb633 100644 --- a/protocols/imap/src/main/java/org/apache/james/imap/processor/AbstractAuthProcessor.java +++ b/protocols/imap/src/main/java/org/apache/james/imap/processor/AbstractAuthProcessor.java @@ -77,7 +77,7 @@ public abstract class AbstractAuthProcessor<R extends ImapRequest> extends Abstr this.imapConfiguration = imapConfiguration; } - protected void doAuth(AuthenticationAttempt authenticationAttempt, ImapSession session, ImapRequest request, Responder responder, HumanReadableText failed) { + protected void doPasswordAuth(AuthenticationAttempt authenticationAttempt, ImapSession session, ImapRequest request, Responder responder, HumanReadableText failed) { Preconditions.checkArgument(!authenticationAttempt.isDelegation()); try { boolean authFailure = false; @@ -118,7 +118,7 @@ public abstract class AbstractAuthProcessor<R extends ImapRequest> extends Abstr } } - protected void doAuthWithDelegation(AuthenticationAttempt authenticationAttempt, ImapSession session, ImapRequest request, Responder responder) { + protected void doPasswordAuthWithDelegation(AuthenticationAttempt authenticationAttempt, ImapSession session, ImapRequest request, Responder responder) { Preconditions.checkArgument(authenticationAttempt.isDelegation()); Username givenUser = authenticationAttempt.getAuthenticationId(); if (givenUser == null) { diff --git a/protocols/imap/src/main/java/org/apache/james/imap/processor/AuthenticateProcessor.java b/protocols/imap/src/main/java/org/apache/james/imap/processor/AuthenticateProcessor.java index 9ca4adaa99..1f66be3daa 100644 --- a/protocols/imap/src/main/java/org/apache/james/imap/processor/AuthenticateProcessor.java +++ b/protocols/imap/src/main/java/org/apache/james/imap/processor/AuthenticateProcessor.java @@ -55,7 +55,7 @@ import com.google.common.collect.ImmutableList; import reactor.core.publisher.Mono; /** - * Processor which handles the AUTHENTICATE command. Only authtype of PLAIN is supported ATM. + * Processor which handles the AUTHENTICATE command. Supported authentication mechanisms are PLAIN, XOAUTH2, and OAUTHBEARER. */ public class AuthenticateProcessor extends AbstractAuthProcessor<AuthenticateRequest> implements CapabilityImplementingProcessor { public static final String AUTH_PLAIN = "AUTH=PLAIN"; @@ -85,18 +85,18 @@ public class AuthenticateProcessor extends AbstractAuthProcessor<AuthenticateReq if (authType.equalsIgnoreCase(AUTH_TYPE_PLAIN)) { // See if AUTH=PLAIN is allowed. See IMAP-304 if (session.isPlainAuthDisallowed()) { - LOGGER.warn("Login attempt over clear channel rejected"); + LOGGER.warn("Plain authentication rejected because it is disabled or not allowed over insecure channel"); no(request, responder, HumanReadableText.DISABLED_LOGIN); } else { if (request instanceof IRAuthenticateRequest) { IRAuthenticateRequest irRequest = (IRAuthenticateRequest) request; - doPlainAuth(irRequest.getInitialClientResponse(), session, request, responder); + parseAndDoPlainAuth(irRequest.getInitialClientResponse(), session, request, responder); } else { session.executeSafely(() -> { responder.respond(new AuthenticateResponse()); responder.flush(); session.pushLineHandler((requestSession, data) -> Mono.fromRunnable(() -> { - doPlainAuth(extractInitialClientResponse(data), requestSession, request, responder); + parseAndDoPlainAuth(extractInitialClientResponse(data), requestSession, request, responder); // remove the handler now requestSession.popLineHandler(); responder.flush(); @@ -111,13 +111,13 @@ public class AuthenticateProcessor extends AbstractAuthProcessor<AuthenticateReq } else { if (request instanceof IRAuthenticateRequest) { IRAuthenticateRequest irRequest = (IRAuthenticateRequest) request; - doOAuth(irRequest.getInitialClientResponse(), session, request, responder); + parseAndDoOAuth(irRequest.getInitialClientResponse(), session, request, responder); } else { session.executeSafely(() -> { responder.respond(new AuthenticateResponse()); responder.flush(); session.pushLineHandler((requestSession, data) -> Mono.fromRunnable(() -> { - doOAuth(extractInitialClientResponse(data), requestSession, request, responder); + parseAndDoOAuth(extractInitialClientResponse(data), requestSession, request, responder); requestSession.popLineHandler(); responder.flush(); }).subscribeOn(ReactorUtils.BLOCKING_CALL_WRAPPER).then()); @@ -131,14 +131,14 @@ public class AuthenticateProcessor extends AbstractAuthProcessor<AuthenticateReq } /** - * Parse the initialClientResponse and do a PLAIN AUTH with it + * Parse the initial client response and start plain authentication. */ - protected void doPlainAuth(String initialClientResponse, ImapSession session, ImapRequest request, Responder responder) { + protected void parseAndDoPlainAuth(String initialClientResponse, ImapSession session, ImapRequest request, Responder responder) { AuthenticationAttempt authenticationAttempt = parseDelegationAttempt(initialClientResponse); if (authenticationAttempt.isDelegation()) { - doAuthWithDelegation(authenticationAttempt, session, request, responder); + doPasswordAuthWithDelegation(authenticationAttempt, session, request, responder); } else { - doAuth(authenticationAttempt, session, request, responder, HumanReadableText.AUTHENTICATION_FAILED); + doPasswordAuth(authenticationAttempt, session, request, responder, HumanReadableText.AUTHENTICATION_FAILED); } session.stopDetectingCommandInjection(); } @@ -201,7 +201,10 @@ public class AuthenticateProcessor extends AbstractAuthProcessor<AuthenticateReq .addToContext("authType", request.getAuthType()); } - protected void doOAuth(String initialResponse, ImapSession session, ImapRequest request, Responder responder) { + /** + * Parse the initial client response and start oauth authentication. + */ + protected void parseAndDoOAuth(String initialResponse, ImapSession session, ImapRequest request, Responder responder) { OIDCSASLParser.parse(initialResponse) .flatMap(oidcInitialResponseValue -> session.oidcSaslConfiguration().map(configure -> Pair.of(oidcInitialResponseValue, configure))) .ifPresentOrElse(pair -> doOAuth(pair.getLeft(), pair.getRight(), session, request, responder), diff --git a/protocols/imap/src/main/java/org/apache/james/imap/processor/LoginProcessor.java b/protocols/imap/src/main/java/org/apache/james/imap/processor/LoginProcessor.java index b4d20915f9..989a487965 100644 --- a/protocols/imap/src/main/java/org/apache/james/imap/processor/LoginProcessor.java +++ b/protocols/imap/src/main/java/org/apache/james/imap/processor/LoginProcessor.java @@ -50,14 +50,17 @@ public class LoginProcessor extends AbstractAuthProcessor<LoginRequest> implemen super(LoginRequest.class, mailboxManager, factory, metricFactory, pathConverterFactory); } + /** + * Start password authentication if enabled. + */ @Override protected void processRequest(LoginRequest request, ImapSession session, Responder responder) { // check if the login is allowed with LOGIN command. See IMAP-304 if (session.isPlainAuthDisallowed()) { - LOGGER.warn("Login attempt over clear channel rejected"); + LOGGER.warn("Login rejected because it is disabled or not allowed over insecure channel"); no(request, responder, HumanReadableText.DISABLED_LOGIN); } else { - doAuth(noDelegation(request.getUserid(), request.getPassword()), + doPasswordAuth(noDelegation(request.getUserid(), request.getPassword()), session, request, responder, HumanReadableText.INVALID_LOGIN); } } --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
