Implement the Authenticator interface to create a local authentication handler.

1. Create a Java class that implements Authenticator.

   private static class ExampleControlAuthenticationHandler
   extends Stream.Default
   implements ControlAuthenticator {
   
   	private static final Map<String, byte[]> PASSWORDS = new HashMap<>();
   	static {
   		PASSWORDS.put("manager", "password".getBytes(Charset.forName("UTF-8")));
   		PASSWORDS.put("guest", "asecret".getBytes(Charset.forName("UTF-8")));
   		PASSWORDS.put("brian", "boru".getBytes(Charset.forName("UTF-8")));
   		PASSWORDS.put("another", "apassword".getBytes(Charset.forName("UTF-8")));
   		}
   		
   		@Override
   		public void authenticate(
   		String principal,
   		Credentials credentials,
   		Map<String, String> sessionProperties,
   		Map<String, String> proposedProperties,
   		Callback callback) {
   					
   			final byte[] passwordBytes = PASSWORDS.get(principal);
   		
   			// If the principal is in the table and has provided a valid password
   			// then further processing of the properties may be applied
   			if (passwordBytes != null &&
   			credentials.getType() == Credentials.Type.PLAIN_PASSWORD &&
   			Arrays.equals(credentials.toBytes(), passwordBytes)) {
   		
   				// The manager principal is allowed all proposed properties
   				if ("manager".equals(principal)) {
   				// manager allows all proposed properties
   				callback.allow(proposedProperties);
   				} 
   		// The principal brian is allowed all proposed properties and also
   		// gets the 'super' role added
   			else if ("brian".equals(principal)) {
   				final Map<String, String> result =
   				new HashMap<>(proposedProperties);
   				final Set<String> roles =
   				Diffusion.stringToRoles(
   				sessionProperties.get(Session.ROLES));
   				roles.add("super");
   				result.put(Session.ROLES, Diffusion.rolesToString(roles));
   				callback.allow(result);
   				}
   		// All other valid principals are allowed but with no proposed
   		// properties assigned to the session
   			else {
   			callback.allow();
   			}
   		}
   		// If the principal is not in the table it is denied access
   			else {
   			callback.deny();
   			}
   	}
   }

   1. Implement the authenticate method.
   2. Use the allow, deny, or abstain method on the Callback object to respond with the authentication decision.
2. Package your compiled Java class in a JAR file and put the JAR file in the ext directory of your Diffusion™ Cloud installation.
   This includes the authentication handler on the server classpath.
3. Edit the etc/Server.xml configuration file to point to your authentication handler.
   Include the authentication-handler element in the list of authentication handlers. The order of the list defines the order in which the authentication handlers are called. The value of the class attribute is the fully qualified name of your authentication handler class. For example:

   <security>
       <authentication-handlers>
               
           <authentication-handler class="com.example.ExampleAuthenticationHandler" />
           
       </authentication-handlers>
   </security>

4. Start or restart the Diffusion Cloud server.
   • On UNIX^® -based systems, run the diffusion.sh command in the diffusion_installation_dir/bin directory.
   • On Windows™ systems, run the diffusion.bat command in the diffusion_installation_dir\bin directory.