SystemAuthentication.store
The SystemAuthentication.store file defines the roles that are assigned by the system authentication handler to client sessions that have authenticated with a specific security principal. It also defines whether anonymous connections are allowed or denied.
The following sections each describe the syntax for a single line of the file.
Adding a principal
![A railroad diagram that describes the syntax used to add a principal to the system authentication store: ADD PRINCIPAL principal password. This can, optionally, be followed by a comma-separated list of roles inside square brackets.](../../../developerguide/client/security/systemauthenticationcontrol/railroad_add_principal.png)
add principal "user6" "passw0rd" add principal "user13" "passw0rd" ["CLIENT", "TOPIC_CONTROL"]
The password is passed in as plain text, but is stored in the system authentication store as a secure hash.
Removing a principal
![A railroad diagram that describes the syntax used to remove a principal from the system authentication store: REMOVE PRINCIPAL principal.](../../../developerguide/client/security/systemauthenticationcontrol/railroad_remove_principal.png)
remove principal "user25"
Assigning roles to a principal
![A railroad diagram that describes the syntax used to assign roles to a principal in the system authentication store: ASSIGN ROLES principal, followed by a comma-separated list of roles inside square brackets.](../../../developerguide/client/security/systemauthenticationcontrol/railroad_assign_roles.png)
assign roles "agent77" ["CLIENT", "CLIENT_CONTROL"]
When you use this command to assign roles to a principal, it overwrites any existing roles assigned to that principal. Ensure that all the roles you want the principal to have are listed in the command.
Setting the password for a principal
![A railroad diagram that describes the syntax used to set the password of a principal in the system authentication store: SET PASSWORD principal password.](../../../developerguide/client/security/systemauthenticationcontrol/railroad_set_pw.png)
set password "user1" "passw0rd"
The password is passed in as plain text, but is stored in the system authentication store as a secure hash.
Verifying the password for a principal
![A railroad diagram that describes the syntax used to verify the password of a principal in the system authentication store: VERIFY PASSWORD principal password.](../../../developerguide/client/security/systemauthenticationcontrol/railroad_verify_pw.png)
verify password "user1" "passw0rd"
The password is passed in as plain text, but is stored in the system authentication store as a secure hash.
Allowing anonymous connections
![A railroad diagram that describes the syntax used to tell the system authentication handler to allow anonymous connections: ALLOW ANONYMOUS CONNECTIONS. This can, optionally, be followed by a comma-separated list of roles inside square brackets.](../../../developerguide/client/security/systemauthenticationcontrol/railroad_allow_anon.png)
allow anonymous connections [ "CLIENT" ]
Denying anonymous connections
![A railroad diagram that describes the syntax used to tell the system authentication handler to deny anonymous connections: DENY ANONYMOUS CONNECTIONS.](../../../developerguide/client/security/systemauthenticationcontrol/railroad_deny_anon.png)
deny anonymous connections
Abstaining from providing a decision about anonymous connections
![A railroad diagram that describes the syntax used to tell the system authentication handler to abstain from decisions about anonymous connections: ABSTAIN ANONYMOUS CONNECTIONS.](../../../developerguide/client/security/systemauthenticationcontrol/railroad_abstain_anon.png)
abstain anonymous connections
Accepting client-proposed session properties with approved values
![A railroad diagram that describes the syntax used to tell the system authentication handler to accept client-proposed properties from a list.](../../../developerguide/client/security/systemauthenticationcontrol/railroad_trust_property_value_list.png)
trust client proposed property "Foo" if value in ["x", "y", "z"]
Accepting client-proposed session properties matching a regex
![A railroad diagram that describes the syntax used to tell the system authentication handler to accept client-proposed properties matching a regex.](../../../developerguide/client/security/systemauthenticationcontrol/railroad_trust_property_regex.png)
trust client proposed property "Foo" if value matches "^\d{3}-?\d{2}-?\d{4}$"
Use Java-style regular expressions. Evaluation uses java.util.regex.Pattern.
Removing a previously-declared trusted client-proposed session property
![A railroad diagram that describes the syntax used to tell the system authentication handler to ignore a previously trusted client-proposed property.](../../../developerguide/client/security/systemauthenticationcontrol/railroad_ignore_property.png)
ignore client proposed property "Foo"
Isolating a path from permissions inheritance
![A railroad diagram that describes the syntax used to isolate a path..](../../../developerguide/client/security/systemauthenticationcontrol/railroad_isolate_path.png)
isolate path "foo/bar/baz"