I don't have access to my working code right now nor I have tested this, but
you should basically do something like this:
public FtpletResult beforeCommand(FtpSession session, FtpRequest request)
throws FtpException, IOException {
String cmd = request.getCommand().toUpperCase();
if ("USER".equals(cmd)) {
if (!session.isSecure()) {
session.write(new DefaultFtpReply(500, "Control channel is
not secure. Please, issue AUTH command first."));
return FtpletResult.SKIP;
}
}
}
If your client ignored the "5xx" error and still issued the PASS command
(in plaintext), you should return in this method FtpletResult.DISCONNECT
so they don' t get a chance to 'leak' the password.
2011/10/1 Niklas Gustavsson <[email protected]>
> On Fri, Sep 30, 2011 at 1:51 PM, Kaloyan Enimanev <[email protected]>
> wrote:
> > My question is: Can we protected the passwords of our users with
> > Explicit FTPS ? Perhaps by closing the connection if the first
> > command coming from the client is *not* AUTH ? Do you know of
> > any better options to avoid plain-text passwords from being sent ?
> >
> > If there is no existing solution, what needs to be done to implement one
> ?
>
> FtpServer does not support this out of the box, but I know people has
> implemented the same thing using Ftplets. Perhaps someone is around
> here which can help you out with some existing code.
>
> /niklas
>