System authentication handler
Diffusion™ provides an authentication handler that uses principal, credential, and roles information stored in the Diffusion server to make its authentication decision.
System authentication store
The principal, credentials, and role information located in the system authentication store is used by the system authentication handler to authenticate users.
The system authentication store is designed to hold information about Diffusion administration users and system clients. It can manage hundreds or perhaps thousands of principals, but does not provide the administration tools necessary to support millions of principals. We recommend that you delegate such "internet scale" use cases to a third-party identity provider using a custom authentication handler. For example, by using the OAuth or OpenID protocol.
allow anonymous connections [ "CLIENT" ] add principal "client" "password" [ "CLIENT" ] add principal "control" "password" [ "CLIENT_CONTROL" "TOPIC_CONTROL" "AUTHENTICATION_HANDLER" ] add principal "admin" "password" [ "ADMINISTRATOR" ] add principal "operator" "password" [ "OPERATOR" ]
You can edit the usernames and passwords in this file by hand and restart the Diffusion server to reload the file. However, any password you enter in plaintext is hashed by the Diffusion server when it starts and the plaintext value in this file is replaced with the hashed value.
Do not edit the file manually if you are using clustered servers.
The default hash scheme used is PBKDF-SHA256-1000. You can specify a different hash scheme in the Server.xml configuration file.
Behavior of the system authentication handler
- If anonymous connections are allowed in the system authentication store and a client session connects anonymously, the system authentication handler returns an ALLOW decision and the list of roles an anonymous client session is assigned.
- If anonymous connections are not allowed in the system authentication store and a client session connects anonymously, the system authentication handler returns a DENY decision.
- If a client session connects with a principal listed in the system authentication store and the correct credentials, the system authentication handler returns an ALLOW decision and the list of roles that client session is assigned.
- If a client session connects with a principal listed in the system authentication store and incorrect credentials, the system authentication handler returns a DENY decision.
- If a client session connects with a principal that is not listed in the system authentication store, the system authentication handler returns an ABSTAIN decision.