We used cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it. What For?

« Back to Blogs

Openfire Custom Authentication with Liferay

Openfire (previously known as Wildfire) is a powerful instant messaging (IM) and chat server that implements the XMPP(also called Jabber) protocol.

If you are having any existing authentication system or environment already setup, you can use your authentication system by implementing custom authenticator in Openfire.

We had a situation where Liferay was already setup with users and then requirement of Openfire comes into the picture. Instead of authenticating users from Openfire database, we implemented Custom authenticator in Openfire that authenticated users against Liferay.

See following image for reference.

  1. Custom authenticator makes HTTP request to Liferay with Authentication params.

  2. Liferay authenticates user and sends response to Openfire based on which Openfire determines user is authenticated or not.

Here, I am going to show you how we can implement custom authentication for Openfire. I am assuming that Openfire server is already set up and ready to use.

Openfire provides an interface AuthProvider.java (org.jivesoftware.openfire.auth) for authetication. If you wish to use your custom authentication for Openfire users, your class must implement this interface and register the implementation with Openfire.

Following are the steps for implementation :

1. You need to provide authentication class in Openfire properties.

Go to Openfire Admin Panel --> Server Manager --> System Properties.

Modify following :

provider.auth.className = org.jivesoftware.openfire.auth.HybridAuthProvider

The hybrid auth provider allows up to three AuthProvider implementations to be tied together to do chained authentication checking. The overview of algorithm is as follows:


  • Attempt authentication using the Primary provider.
  • If that fails:
    • If the Secondary provider is defined, attempt authentication (otherwise return).
  • If that fails:
    • If the Tertiary provider is defined, attempt authentication.

The primary, secondary, and tertiary providers are configured by setting system properties.

The full list of properties:

  • hybridAuthProvider.primaryProvider.className (required)

    • The class name of the auth provider.

  • hybridAuthProvider.primaryProvider.overrideList

    • A comma-delimited list of usernames for which authentication will only be tried with Primary provider.

  • hybridAuthProvider.secondaryProvider.className

    • The class name of the auth provider.

  • hybridAuthProvider.secondaryProvider.overrideList

    • A comma-delimited list of usernames for which authentication will only be tried with Secondary provider.

  • hybridAuthProvider.tertiaryProvider.className

    • The class name of the auth provider.

  • hybridAuthProvider.tertiaryProvider.overrideList

    • A comma-delimited list of usernames for which authentication will only be tried with Tertiary provider.

The primary provider is required, but all other properties are optional.

Each of the chained providers can have a list of override users. If a user is in an override list, authentication will only be attempted with the associated provider  (bypassing the chaining logic).

2. Enable logging for the custom authenticator class. Open lib --> log4j.xml :

Add following lines in log4j.xml file:

<appender name="info-out" class="com.st.openfire.auth.CustomAuthProvider">   

       <param name="File" value="${openfireHome}/logs/info.log" />   



3. Package custom authentication class in a jar file

Put this jar in openfire --> lib folder so that Openfire can find your custom authentication class.

4. Restart Openfire to finish configuration.


Please take a look at attached java file CustomAuthProvider.java for reference.





contact-us Request a callback WhatsApp