Inactive [SEC] xAuth v2.0.10 - Extra Authentication [1.2.5-R1.3+]

Discussion in 'Inactive/Unsupported Plugins' started by CypherX, Mar 15, 2011.

Thread Status:
Not open for further replies.
  1. Offline


    xAuth v2.0.10 - (CraftBukkit build: [1.2.5-R1.3+])
    Download v2.0.10

    lycano is taking over the development of xAuth as I no longer have the time nor the will to continue working on it. Please see the BukkitDev page:

    Thanks to everyone who has showed support for me and xAuth over the past 17 months. It's been 'fun'. If for any reason you need to contact me, stop by my IRC channel ( #LoveDespite) or toss me a message at Until we meet again, stay gold. Bang.


    xAuth is a plugin designed with a single task in mind: protect a server and its players while running in offline-mode. The basic idea of this protection is allowing players to register an account based on their player name and a supplied password. When a registered player connects to the server, that player will be prompted to authenticate his or herself by logging in. If and only if a valid password is supplied, they will regain full control of their account until their session expires.

    • Before registering/logging in, players cannot:
      • Chat, execute commands, interact with objects (levers, chests, etc.), move, or pickup items.
      • Break or place blocks
      • Receive or give damage, be targeted (followed) by hostile mobs
    • Inventory and location protection
    • In-depth setting and message configuration
    • Persistent login sessions through server restarts
    • Player name filter and password complexity configuration
    • Kick non-logged in (but registered) players after a configurable amount of time
    • Bukkit Permissions support
    • Kick or temporarily lockout the IP address of a player who fails to log in after a configurable amount of tries
    • Custom, highly secure password hashing
    • H2 and MySQL support
    • Authentication over URL (AuthURL) allows for connection to forum or website databases
    Changelog (click for full changelog)
    • Version 2.0.10
      • [Fixed] Exploit to completely bypass login system.
      • [Fixed] xAuth commands not working with Rcon
      • [Fixed] Exploiting login system to avoid fire & drowning damage.
      • [Fixed] NPE caused by player connecting & disconnecting during same server tick.
      • [Fixed] 'Table "SESSIONS" not found' error when a player uses /logout while session length is set to zero.
      • [Fixed] Exploiting location protection after dieing to return to the spot of death.
    • Version 2.0.9
      • Added several reverse single session configuration options.
      • Fixed registration.forced: false not working.
      • Updated version check and H2 download links.
    xAuth Importer
    xAuth Importer is a tool used to import accounts from previous versions of xAuth as well as other authentication plugins. Click here for more information.
  2. Offline


    From what I understand it sounds like this would work best as a separate plugin. The plugin would basically do what piousminion described in his post but in purely plugin form. The whitelist would be a part of the configuration so no other changes would be necessary. This seems like a pretty interested concept and I might give it a try when I have time.

    Looks like there's a blank username/password in auths.txt.

    The problem was that most people who use Permissions give the admin group '*' which signals that that group has access to ALL possible nodes, including xauth.exclude resulting in that group not being forced to register. I grew tired of everyone complaining about how they weren't being forced to register so I replaced it with a smarter method.

    You can already set where a player is teleported to by using /xauth location set.

    Then you just give the "unforced" group the node: "-xauth.register" which will remove that permission from the group.

    A global password like Paah said could definitely be a possibility. I'll give it a bit more thought and implement something reasonable. I will NEVER store or give the option to store passwords in plain text. Besides, it's not like the current hashes could be reversed.

    Yep, just rename the AuthMe auths.db file (flatfile datasource only) to auths.txt and place it in the xAuth plugins folder. xAuth 2 supports automatic conversion from the old format to the new format.

    Will be fixed in Beta 4.

    There's a bug in beta 3 involving inventory loss if the MySQL server connection times out. I'll recreate your example and see if I experience the same problem.

    1. I'll see what I can do about something like /xauth list. Some servers have a few thousand registered players so displaying them all at once wouldn't work.

    2. I experimented with customizable restrictions before the initial beta release but didn't like how it worked (read: got lazy). I'll probably play around with it again eventually.

    Beta 4 will re-introduced the protect-location configuration node.

    That's due to the player constantly being teleported to that spot in the air. I'll probably make it "smarter" by detecting if the teleport location is in the air and if so move it down one block until a non-air block is found.

    @sfxworks - Looks like the MySQL server connection timed out. This is fixed in Beta 4.

    Looks like an error is being thrown when the SQL connection is being closed. What other plugins are you using that use H2 (if any)?
  3. Offline


    yea someone told me about the subtract thing yesterday in other topic that was awesome and i've already done that yesterday :D

    aw really i didn't know about the teleport :/ i guess i should read more about xauth

    thanks for your help :D
    keep going waiting for beta4 ^_^
  4. Offline


  5. Offline


    Could I get a pre-release of beta4? Trying to get the server up before I go away for a week (in like 2 days too ;/)
  6. Offline


    I'll put up a Beta 3.5 later tonight that fixes the MySQL timeout problem and a few other things.
  7. Offline


    I'm not sure why these questions were so puzzling, but for the sake of helping you understand my post I'll gladly explain the senarios. This is getting off topic, but if you can't understand my on topic comments, I think explaining them will help the relevant comments make more sense.

    Q: "How in the first place did a person like that get admin rights?"

    A: The answer is that any person can abuse power or misunderstand the rules; even an admin. It's not always a poor admin that spawns diamond block houses, but a poorly informed admin. We had some server ownership changes and lost our main world, so the temporary stand in world that took its place was unimportant, as it would be erased when the former server host gave our files back, so the admin thought his actions would have no consequences. It's a simple mistake, and I don't fault him for it. Every admin makes mistakes, because every human makes mistakes.

    Q: "And why didn't big brother have enough logs?"

    A: Again, we had a change of server ownership, a change of host, and change of all server hardware, and a change of half the admins, all in the same day. That's what it takes to adjust when the first admin, who is also the host, who is also the hardware owner has a motherboard failure and decides to throw in the towel. The new hardware was severely restricted in RAM, low on harddrive space, and had a tenth the bandwidth, so every plugin that used a database or file backups had to be temporarily scaled back while the server members chipped in cash to buy new server hardware and rebuild. The economy issue with diamond blocks happened during this hectic time frame when the average admin was most concerned with keeping the server up and running on a quarter of the ram and only a few free mb of harddrive spaces. Big Brother's logs being a few days old are good enough to catch major griefs most of the time, so they were set to something like 48 hours of logs that week. We were all too busy to spot the diamond house, and most of us weren't patroling the "temporary" stand in world because we knew it would be deleted as soon as the old server admin gave us our world save file back. It's hard to consider all of the possibilities.

    Q: "Also I wonder how you would find their hidden house as a normal player, if you can't find it as an admin"

    A: I actually kind of like this question, because it's not an obvious one and doesn't lead to oceans of verbose story telling, like the last one (that probably belong in a PM and I"ll move it if asked). We have users that build caches of illegal items and don't visit them very often, so an admin might never TP to them or be near them when they visit. They'll just get caught selling 128 diamond blocks or 256 gold pickaxes to another users, later in the week. openinv plugin has let me search for items across all inventories, so that helped solve the diamond block issue of the last question, but you never know if you have seen all of their bases, and you might want to follow a tip from a few other users that they have some hidden stuff they shouldn't have. The guy I'm thinking of when I make this example would log out in his secret base once in a while. I know BB lets you see a user's history, so I could probably use that or another plugin to discover everywhere a user has been, but sometimes seeing an ocean of coordinates spam down my screen isn't the most convenient way to get things done, to me.
  8. Offline


  9. Offline


    Version 2.0 Beta 3.5 is live!
    • Fixed a bunch of issues with disabling forced registration
    • Database connection will be re-established if the previous connection is closed
    • Location protection can now be turned on/off
    • Added version command (/xauth version)
    • Fixed the bug reported in this post
    Also, I will only be providing downloads in the Zip format from now on.
  10. Offline


    xauth crash, not the first time.

    xauth 2betab3, win 7 64bits, mysql 5.5

    i dint read the last pages, it look like thise error is fixed now.
  11. Offline


    Thank You! Keep up the good work!
  12. Offline


    @CypherX I also use iConomy and BigBrother wih H2
  13. Offline


    Thx for bugfix for my bug ;).
  14. Offline


    yes, thanks! Works great. My connection to the database was interrupted. xAuth simply reconnected, BigBrother crashed and produced 1.4GB logfiles with MySQL-Errors.
  15. Offline



    Please add an option to disable LOCATION SAVING. There's a NASTY bug that ppl are using on my server to enter houses they don't own.

    The only way to solve this issue is disabling location saving (i.e: everybody will spawn on a unique SPAWN location)

    BTW: Can I convert from H2 to Mysql ? (have over 2k accounts) ?

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
    Last edited by a moderator: May 12, 2016
    paprzyk likes this.
  16. Offline


    xAuth disabled, could not connect to database. WTF
  17. Offline


    I get this with Beta3.5

    2011-07-10 15:46:56 [INFO] [xAuth] 'Permission' support enabled
    2011-07-10 15:46:56 [INFO] [xAuth] 'Help' support enabled
    2011-07-10 15:46:56 [SEVERE] [xAuth] Could not connect to H2 database!
    java.sql.SQLException: invalid database address: jdbc:h2:plugins\xAuth\xAuth;IGNORECASE=TRUE
        at org.sqlite.JDBC.createConnection(
        at org.sqlite.JDBC.connect(
        at java.sql.DriverManager.getConnection(Unknown Source)
        at java.sql.DriverManager.getConnection(Unknown Source)
        at com.cypherx.xauth.datamanager.DataManager.connectH2(
        at com.cypherx.xauth.datamanager.DataManager.connect(
        at com.cypherx.xauth.datamanager.DataManager.<init>(
        at com.cypherx.xauth.xAuth.onEnable(
        at org.bukkit.plugin.SimplePluginManager.enablePlugin(
        at org.bukkit.craftbukkit.CraftServer.loadPlugin(
        at org.bukkit.craftbukkit.CraftServer.enablePlugins(
        at net.minecraft.server.MinecraftServer.e(
        at net.minecraft.server.MinecraftServer.a(
        at net.minecraft.server.MinecraftServer.init(
    2011-07-10 15:46:56 [SEVERE] [xAuth] Disabling - No connection to database
    2011-07-10 15:46:56 [INFO] [xAuth] v2.0b3.5 Disabled!
  18. Offline


    Yeah, me to exept those error messages. No connection to database is the problem
  19. Offline


    If I have uppercase complexity enabled I get "Your password must be at least 6 characters long!" message even if length correct. Please, add messages for uppercase, number and other complexities.
  20. Offline


    13:14:04 [SEVERE] Error occurred while disabling xAuth v2.0b3.5 (Is it up to dat
    e?): loader constraint violation: loader (instance of org/bukkit/plugin/java/Plu
    ginClassLoader) previously initiated loading for a different type with name "org
    java.lang.LinkageError: loader constraint violation: loader (instance of org/buk
    kit/plugin/java/PluginClassLoader) previously initiated loading for a different
    type with name "org/h2/store/DataHandler"
            at java.lang.ClassLoader.defineClass1(Native Method)
            at java.lang.ClassLoader.defineClassCond(Unknown Source)
            at java.lang.ClassLoader.defineClass(Unknown Source)
            at Source)
            at Source)
            at$000(Unknown Source)
            at$ Source)
            at Method)
            at Source)
            at java.lang.ClassLoader.loadClass(Unknown Source)
            at java.lang.ClassLoader.loadClass(Unknown Source)
            at org.h2.engine.Database.close(
            at org.h2.engine.Database.removeSession(
            at org.h2.engine.Session.close(
            at org.h2.jdbc.JdbcConnection.close(
            at com.cypherx.xauth.datamanager.DataManager.close(
            at com.cypherx.xauth.xAuth.onDisable(
            at org.bukkit.plugin.SimplePluginManager.disablePlugin(SimplePluginManag
            at org.bukkit.plugin.SimplePluginManager.disablePlugins(SimplePluginMana
            at org.bukkit.craftbukkit.CraftServer.disablePlugins(
            at net.minecraft.server.MinecraftServer.stop(
    I have this issue when installing iConomy 5.0 on my server. Is it my server f#'d up or your plugin?
    I think iConomy and xAuth use H2 Database Engine. Do they use the same db? Maybe problem here.
    I'm not a developer,i think the answer is easy and i'm a big noob admin :p
    Otherwise, great plugin.
  21. Offline


    Really need an answer how to fix this.
  22. Offline


  23. Offline



    Please give some attention to this issue, cuz this is VERY serious and CAN ruin many servers running xAuth.
  24. Offline


    I have a question. When you put a value registration.validate-email to true, is it possible to register one email multiple accounts?
  25. Offline


    There's no need to bump or quote posts. I read every post and will reply when I have a chance.

    No idea what's causing it but I am looking for a solution.

    I'm not quite sure what you mean by location saving and how it's being abused. Please give a better explanation and include steps to replicate it.

    Yep, you have to export the data from the H2 database as a .sql file then import it into the MySQL database. iConomy includes a great guide on how to do this, just click here.

    Username: sa
    (Yes, the password is blank)

    Did this just start occurring when you upgraded to Beta 3.5? If yes, verify that the \plugins\xAuth\ directory exists and that it contains a file named xAuth.h2.db.

    The default messages are based off of the default values of the settings. The point of message customization is the ability to change them to meet the requirements of a server. In short; edit the message to meet your servers password complexity requirement.

    The validate-email setting just tells xAuth whether or not to verify that an entered email address is indeed an email address.
  26. Offline



    The bug people are using works like this:

    1) The intruder make an underground tunel just bellow the victim's house.
    2) He tries (really fast) to make a 1x1 tower with dirt till the point he reachs the ground of the victim's house
    3) The intruder re-log
    4) xAuth send the user back to the previous location
    5) The intruder will appear INSIDE victim's house.

    Solution ? stop xAuth from teleporting ppl to the location they were when logged off
  27. Offline


    The intruder appears inside the house because they are automatically moved up until there is enough breathing room (2 vertical air blocks). This is something that Minecraft itself does, not xAuth. Someone doing this would also need an accomplice or another account to fill the space where they logged off so they are forced up into the house.
  28. Offline


    You're right that this is a Minecraft problem. But ppl are using xAuth to explore it. Please make possible to disable teleport on login as an option.
  29. Offline


    That is completely untrue. In fact, it has nothing to even do with xAuth. I'm also pretty sure most players would be more than upset that their location is reset each time they leave the server.
  30. Offline


    Well.. I've just tried with 'MultiHome' /home command and the exploit didn't work.
    Also, I'm asking for an OPTION to let server admins disable it or not.
  31. Offline


    The breathing room check is only triggered when a player joins the server, not when they are teleported. I've already recreated this on a vanilla server.

    1. Dig a short tunnel two blocks high into the side of a hill.
    2. Stand at the end of this tunnel and disconnect.
    3. Log in with a different name and place a block on ground level where your other player is standing.
    4. Log in with the first player and you will magically be moved up until there is enough breathing room.
Thread Status:
Not open for further replies.

Share This Page