Inactive [SEC] xAuth v2.0.10 - Extra Authentication [1.2.5-R1.3+]

Discussion in 'Inactive/Unsupported Plugins' started by CypherX, Mar 15, 2011.

Thread Status:
Not open for further replies.
  1. Offline


    xAuth v2.0.10 - (CraftBukkit build: [1.2.5-R1.3+])
    Download v2.0.10

    lycano is taking over the development of xAuth as I no longer have the time nor the will to continue working on it. Please see the BukkitDev page:

    Thanks to everyone who has showed support for me and xAuth over the past 17 months. It's been 'fun'. If for any reason you need to contact me, stop by my IRC channel ( #LoveDespite) or toss me a message at Until we meet again, stay gold. Bang.


    xAuth is a plugin designed with a single task in mind: protect a server and its players while running in offline-mode. The basic idea of this protection is allowing players to register an account based on their player name and a supplied password. When a registered player connects to the server, that player will be prompted to authenticate his or herself by logging in. If and only if a valid password is supplied, they will regain full control of their account until their session expires.

    • Before registering/logging in, players cannot:
      • Chat, execute commands, interact with objects (levers, chests, etc.), move, or pickup items.
      • Break or place blocks
      • Receive or give damage, be targeted (followed) by hostile mobs
    • Inventory and location protection
    • In-depth setting and message configuration
    • Persistent login sessions through server restarts
    • Player name filter and password complexity configuration
    • Kick non-logged in (but registered) players after a configurable amount of time
    • Bukkit Permissions support
    • Kick or temporarily lockout the IP address of a player who fails to log in after a configurable amount of tries
    • Custom, highly secure password hashing
    • H2 and MySQL support
    • Authentication over URL (AuthURL) allows for connection to forum or website databases
    Changelog (click for full changelog)
    • Version 2.0.10
      • [Fixed] Exploit to completely bypass login system.
      • [Fixed] xAuth commands not working with Rcon
      • [Fixed] Exploiting login system to avoid fire & drowning damage.
      • [Fixed] NPE caused by player connecting & disconnecting during same server tick.
      • [Fixed] 'Table "SESSIONS" not found' error when a player uses /logout while session length is set to zero.
      • [Fixed] Exploiting location protection after dieing to return to the spot of death.
    • Version 2.0.9
      • Added several reverse single session configuration options.
      • Fixed registration.forced: false not working.
      • Updated version check and H2 download links.
    xAuth Importer
    xAuth Importer is a tool used to import accounts from previous versions of xAuth as well as other authentication plugins. Click here for more information.
  2. Offline


    OK, I'll try, but will it fix as well memory problem (I've pasted Exception with GC and HeapSize)?
  3. Offline


    whitas - new update available should fix at least the exceptions.
  4. Offline


    OK :) Just downloading. I'll put it on the server and will give you feedback tomorrow.
  5. Offline


    I'm downloading too, wait for my reply :D again
  6. Offline


    Guests can still chat before being authenticated. Tried using permissions groups with negated perms, but the config won't keep the string. PEX is set as my permissions backend. Any help with this issue? It's causing serious impersonation on my server :(
  7. Offline


    I've got this error. Don't know what it is or if it delete his inventory.

    Edit: i use the newest version: .17

    2012-08-14 07:34:59 [INFO] Blakadabra[/] logged in with entity id 1446 at ([Blablabla] 67.34745374491654, 65.0, -150.93735298090706)
    2012-08-14 07:35:11 [INFO] Blakadabra lost connection: disconnect.quitting
    2012-08-14 07:35:11 [INFO] Connection reset
    2012-08-14 07:35:11 [INFO] Player Disconnected Blakadabra.
    2012-08-14 07:35:11 [SEVERE] [xAuth] Could not unprotect Player during fetch Player object from xAuthPlayer.
  8. Offline


    Please do not edit the DBVERSION file. Its used to store update position. If you do edit it and change version the update query (which is really needed) will not be executed. I did fix the bug in latest version so please reapply from version 1 or you will encounter numerous problems in the future.

    Yay, you found it. Well as as said earlier. There is nothing we can do about accessing Player object from onPlayerQuit event so i implemented an exception for the time beeing. Redesigning the whole concept behind inventory storage and restore is not that "easily" done in a few hours and has to be tested. Thus i had to make a decision too.

    Currently the error is fetched and shouldnt crash the server any longer if its spammed.

    But dont blame me. There is an easy workaround available: Do not manually logout then disconnect. Thats the only problem we have. Just exit.

    To be exactly shure that you dont have problems set session timeout to 10 so there is no session resume if you want to force them to login OR set it to 86400 which would be one day or 1209600 to set it to two weeks. I expect that the next RB will come soon.

    Sry it was too late yesturday. Didnt though about the new PlayerChatEvent. Will fix it as soon i got home.

    Hi guys just to inform you. I just found numerous posts about PlayerQuitEvent ( BUKKIT-2193 , BUKKIT-1907 ) Seems that the order of fired events is screwed.

    Seems that playerKick event would do the trick in 1.3.1RB1.0 I can implement that when you logout you got kicked from the server. That would save the inventory cause when the player is disconnected and data restored i can logout them safely.

    That way you would have to tell the users "use /quit" to disconnect for example.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
    Last edited by a moderator: Jul 17, 2016
  9. Offline


    Yes, now I don't see any more errors in this plugin. No wipe, no crashing or long errors.
    I want to thank's to you. You're REALLY fast in compiling new versions and repairing holes :)
    CG to lycano (minimaly from me :) )

    Edit: And sorry for my (maybe) bad english, I'am Czech :)
  10. Offline


    DJTommek thanks for your feedback =)

    As long as we understand each other i dont see any problems ^^ Btw im German.
  11. Offline


    lycano v. 2.0.17 works very well for me :)
    but sometimes i've this error:
    [SEVERE] [xAuth] Could not unprotect Player during fetch Player object from xAuthPlayer.
  12. Offline


    First of all: Thank you for taking over development!

    Would this mean that everytime one would leave a server using xAuth, s/he would have to use "/quit"?
    Because if that would not be automated in some way, I would start searching for other ways.

    Now I come to think about it, why would xAuth mess with the inventory?
    What's wrong with just letting them keep their inventory but not allowing them to do anything with it?
    It's not like there are many embarrassing items in Minecraft of which you do not want any one else to know that you own it ;)

    It would also be great if that would solve a MAJOR exploit on my server, caused by xAuth;
    When players log out while being in a creative world, they, when they log in again, they have their inventory from the survival world in the creative world, and when they go back to the survival world, they get their inventory from the creative world (I use MultiInv).
  13. Offline


    lycano my players loose their inventory, why ? you can fix this bug ?
  14. Offline


    the problem with table player_data has been solved, but steel remains an error with other table:
    2012-08-14 14:01:10 [INFO] [xAuth] Enabling xAuth v2.0.17
    2012-08-14 14:01:10 [INFO] [xAuth] PermissionAlias backend: 'pex' registered!
    2012-08-14 14:01:10 [INFO] [xAuth] PermissionAlias backend: 'gm' registered!
    2012-08-14 14:01:10 [INFO] [xAuth] PermissionAlias backend: 'bukkit' registered!
    2012-08-14 14:01:10 [INFO] [xAuth] Attempting to use supported permissions plugin 'GroupManager'
    2012-08-14 14:01:10 [INFO] [xAuth] Attempting to use supported permissions plugin 'PermissionsEx'
    2012-08-14 14:01:10 [INFO] [xAuth] Attempting to use supported permissions plugin 'Bukkit'
    2012-08-14 14:01:10 [INFO] [xAuth] Initializing bukkit backend
    2012-08-14 14:01:10 [INFO] [xAuth] Attached to Bukkit
    2012-08-14 14:01:10 [INFO] [xAuth] Successfully established connection to MySQL database
    2012-08-14 14:01:10 [INFO] [xAuth] Table created: xauth_accounts
    2012-08-14 14:01:11 [INFO] [xAuth] Table created: xauth_playerdata
    2012-08-14 14:01:11 [INFO] [xAuth] Table [xauth_playerdata] updated to revision [003]
    2012-08-14 14:01:11 [INFO] [xAuth] Table created: xauth_sessions
    2012-08-14 14:01:11 [INFO] [xAuth] Table created: xauth_lockouts
    2012-08-14 14:01:11 [INFO] [xAuth] Table [xauth_lockouts] updated to revision [001]
    2012-08-14 14:01:11 [SEVERE] [xAuth] Failed to load teleport locations!
    com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Table 'minecraft.xauth_locations' doesn't exist
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
        at java.lang.reflect.Constructor.newInstance(Unknown Source)
        at com.mysql.jdbc.Util.handleNewInstance(
        at com.mysql.jdbc.Util.getInstance(
        at com.mysql.jdbc.SQLError.createSQLException(
        at com.mysql.jdbc.MysqlIO.checkErrorPacket(
        at com.mysql.jdbc.MysqlIO.checkErrorPacket(
        at com.mysql.jdbc.MysqlIO.sendCommand(
        at com.mysql.jdbc.MysqlIO.sqlQueryDirect(
        at com.mysql.jdbc.ConnectionImpl.execSQL(
        at com.mysql.jdbc.PreparedStatement.executeInternal(
        at com.mysql.jdbc.PreparedStatement.executeQuery(
        at com.cypherx.xauth.LocationManager.loadLocations(
        at com.cypherx.xauth.LocationManager.<init>(
        at com.cypherx.xauth.xAuth.onEnable(
        at org.bukkit.plugin.SimplePluginManager.enablePlugin(
        at org.bukkit.craftbukkit.CraftServer.loadPlugin(
        at org.bukkit.craftbukkit.CraftServer.enablePlugins(
        at net.minecraft.server.MinecraftServer.i(
        at net.minecraft.server.MinecraftServer.d(
        at net.minecraft.server.MinecraftServer.a(
        at net.minecraft.server.DedicatedServer.init(
    2012-08-14 14:01:11 [INFO] [xAuth] v2.0.17 Enabled!
    seems the plugin doesn't create the "location" table in mysql.
  15. Offline


    thank you for your update!!
    i have a question
    how to disable illegal name to kick?
    name: 'Your name contains one or more illegal characters.
    my server allowed to illegal nicknames.. help me! many users can't connecting my server
  16. Offline


    Leemur delete DBVERSION file. That would reset the updater thus thinking "you start from scratch". Make shure all tables dropped.

    Because of a bukkit bug in 1.3.1R1.0 please read backposts. Everything is explained there.

    This would be only a temporary advice as the bukkit bug is there in this release and the alternative would be wait for the next RB. Whats better? Type /quit and get kicked or loose inventory?

    Ok, ill explain. There is online mode server and offline mode server.

    Show Spoiler

    In Offline your name can be everything thus you can login with any playerName you like and get their inventory because authing is name-based. Thats why you need in-game authing.

    Offline mode was designed to test stuff. Not for productional usage. But anyways i dont want to get into that too much.

    Show Spoiler

    In online mode you cant change your name cause you authenticate via web with mojang not with the server alone. If in online mode your name and password will be checked. If it doesnt match => no login.

    Why Inventory reset?
    Show Spoiler

    As you can impersonate other players by username you cant be shure that the client is controlled by the real user of that player. The server doesnt know that you are not ThePlayer it simply see "Oh someone connected with ThePlayer, here you have the object, deal".

    Now authing comes in place. We have to "fake" an empty player to make it look like you would connect as someone else. E.g. as guest.

    So what do we do?
    Show Spoiler

    Client connect with ThePlayer -> ThePlayer on server will be stored to DB -> ThePlayer will be teleported to spawn to prevent any damage -> ThePlayer will be cleaned (incl. Inventory) -> send authing message to player. -> Auth ok? then restore player object and teleport to last known location -> Auth not ok? Deny login.

    Now the problem with 1.3.1R1.0 (PlayerQuitEvent does kill player object during execution)
    If you disconnect the event will be fired "PlayerQuitEvent" but the player object is not there meaning we cant restore the original state of that player cause we do not have access to servers playerdata.

    Thus the server will save the ThePlayers.dat file AFTER the PlayerQuitEvent is finished it stores the empty inventory.

    This can happen any time you do not login and simply quit. Meaning when in offline mode (with 1.3.1R1.0) anyone can clear the inventory if he likes.

    Inventory loss happens when
    Show Spoiler

    - You connect and disconnect without authing
    - You connect, auth then logout and disconnect
    - (when in offline mode) Your session is timed out anyone can login as you and disconnect. Inventory lost.

    Additional Notes
    Show Spoiler

    The real problem behind all that is "If it would be possible to catch the event when the user did hit the inventory key" then i could present an empty inventory for that time. But thats not how it is currently.

    Show Spoiler

    - Set your session.timeout to a high number (3600 is one hour, i recommend 14 days or one month til its fixed) this would prevent someone else to login cause its unlikely that someone else can get the same IP.
    - Do not /logout when quitting
    - Use /quit in next release which will save the inventory and kicks you from server (hopeing that the playerobject is available in that event)

    Workaround offline-mode
    Workaround.1) and Workaround.3) i would strongly recommend until the next RB comes out when in offline mode.

    Workaround online-mode
    If you are in online mode simply disconnect and never /logout till next RB

    This is my last statement to this matter and should be detailed enough to answer any questions regarding "why". Anything else will be done on dev.bukkit soon.

    Regards, lycano

    zergilng copy section filter to your config.yml or just replace the whole file with that from github.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
    Last edited by a moderator: Jul 17, 2016
  17. Offline


    What i have to write into Server section in importer.ini? I mean where is position of my MySQL database. That must be IP of working server with plugin xAuth or what? <--- xAuth Importer
  18. Offline


    lycano, i did that with deleted DBVERSION file. Had tried one more time - same error.
  19. Offline


    This is a very good idea.
  20. Offline


    Bud: still tons of error log. Just to advise you :)

    Please please please: can you put the download link on the top post? I always take 10m to search the link in the posts! :( thanks ;)

    p.s. i agree with the inv remove. It mess with a lot of plugins (creativecontrol and other minor plugins)
  21. Offline


    Um.. I can't find download link. :|
  22. Offline


  23. Offline


    .. or see server.log when typing /xauth version :)

    Leemur dont delete the file while the server is running it will be recreated. Stop server, delete DBVERSION, start server -> wait til its loaded -> done

    portapipe post as pastebin and link it to me
  24. Offline



    14.08 12:41:02 [Server] SEVERE [xAuth] Could not unprotect Player during fetch Player object from xAuthPlayer.

    what is that, and.
    this console error:

    2012-08-14 12:21:58 [WARNING] XxVictorMFxX moved too quickly! 0.0,31.360030517505948,0.0 (0.0, 31.360030517505948, 0.0)
    Caused by xauth?
  25. Offline


    From where can I downlaod this newest xauth lycano, could you drop download link?
  26. Offline


    For GODS SAKE! 3 damn posts before! Read damn posts.... oh it pisses me off so much.
  27. Offline


    xDrapor cant verify your chat problem.

    Krazy cant reproduce and its hard to tell what other plugins may interfere.
  28. Offline


    Which one should I download 17 or head?, I don't understand.
  29. Offline


    Just want to share with you with strange observation I have know (with RB 1.3.1 & xAuth (?)) but not before.

    I can connect to our server using two IP's (one public, second one private using VPN tunnel). It happend to me only twice, but it was weird - when I connect using one IP, logged into the server and was redirected to last location I was at (as usuall)... But when I've used the other IP logged etc.. I was redirected to location when I was two days ago... When I reconected using this first IP I was in the first locacion againg. And ofcource, I was using the same player name ;)

    It's strange, it was like some saved objects as location etc. are saved per user_and_IP basis not only userName.

    Just such stange minecraft thing :)
  30. Offline


    Ibas either latest version or HEAD ;)

    whitas well i have an easy explanation for you. You have old playerdata in your database. OnPlayerQuit the Inventoy and location is restored then deleted from database. Thus this is not working with 2.0.17 cause of a bukkit but those data still exists. Which will explain, why you login with different locations set.

    Anyways new update available. I strongly recommencd using v2.0.18 and using /quit to safely disconnect from now on to save your inventory and stuff.

    I've moved all needed functions to KickEvent which is the only way of having a save disconnect now. This remains til next RB as this should be fixed then.

    Regards, lycano
  31. Offline


    Which one is better?
Thread Status:
Not open for further replies.

Share This Page