User authentication

You can configure Diffusion® to allow clients to connect anonymously. This means that any client can connect and create a session.
For most applications, you must authenticate a client before it creates a session.

To access Diffusion®, a client must provide the following authentication details:

  • Principal (user name): the name of the principal, that is, the user or program that is trying to connect to Diffusion®.

  • Credentials (password): typically a password, but this can be any information that authenticates the principal, such as a cryptographic key or an image.

Granting roles using custom authentication handlers

The decision about which roles to grant to which principal is made by an authentication handler.
Diffusion® has a built-in system authentication handler that uses principal, credential, and roles information stored in Diffusion®.
The Security tab on the Diffusion® console displays the state of the system authentication handler.

You can also write your own custom control authentication handlers. These connect to Diffusion® as control clients and make authentication decisions in addition to, or instead of, the built-in handler.
A custom handler can recognise a completely separate set of principals, held in a user store of your own.

If you have multiple handlers, they can work together. A handler can choose to:

  • ALLOW or DENY a connection,

  • ABSTAIN and pass the decision to another handler.

For example, you can create a custom handler which knows about certain principals.
If a principal that it doesn't recognise tries to connect, it abstains and passes the decision to the system handler instead.
If it does recognise the principal but the credentials are wrong, it should DENY rather than ABSTAIN: abstaining would leave the decision to a later handler, which might know the same principal and allow the connection.
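The handler described above, as an added example that is not part of the original page and not Diffusion®'s own code. It is written against the Diffusion® 6.x Java client API as the editor recalls it (the `ControlAuthenticator` interface, `Session.ROLES`, `Diffusion.rolesToString`, and `AuthenticationControl.setAuthenticationHandler`); check the signatures against the Javadoc for your version. The principals, passwords, roles, server URL, and the `control` principal used to register the handler are all constructed for the example, and the handler name `before-system-handler` assumes the default server configuration that defines a control handler slot of that name ahead of the system handler. The handler allows known principals with correct credentials and grants their roles through the `$Roles` session property, denies known principals with wrong credentials, and abstains for everyone else so the system handler decides.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

import com.pushtechnology.diffusion.client.Diffusion;
import com.pushtechnology.diffusion.client.features.control.clients.AuthenticationControl;
import com.pushtechnology.diffusion.client.features.control.clients.AuthenticationControl.ControlAuthenticator;
import com.pushtechnology.diffusion.client.session.Session;
import com.pushtechnology.diffusion.client.types.Credentials;
import com.pushtechnology.diffusion.client.types.ErrorReason;

/** Custom control authentication handler: decides for its own principals, abstains for all others. */
public class AbstainingAuthenticator implements ControlAuthenticator {

    /** One stored principal: salted PBKDF2 hash of the password and the roles to grant on success. */
    private static final class Record {
        final byte[] salt;
        final byte[] hash;
        final Set<String> roles;
        Record(byte[] salt, byte[] hash, Set<String> roles) {
            this.salt = salt; this.hash = hash; this.roles = roles;
        }
    }

    private final Map<String, Record> principals = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    AbstainingAuthenticator() {
        // Constructed sample user store; a real handler would load this from its own backend.
        register("alice", "correct horse", Set.of("CLIENT", "TOPIC_CONTROL"));
        register("bob", "battery staple", Set.of("CLIENT"));
    }

    private void register(String principal, String password, Set<String> roles) {
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        principals.put(principal, new Record(salt, pbkdf2(password.toCharArray(), salt), roles));
    }

    @Override
    public void authenticate(String principal, Credentials credentials,
            Map<String, String> sessionProperties, Map<String, String> proposedProperties,
            Callback callback) {
        Record record = principals.get(principal);
        if (record == null) {
            // Not one of ours (including anonymous connections): ABSTAIN so the system
            // authentication handler, or the next handler in the chain, makes the decision.
            callback.abstain();
            return;
        }
        if (credentials.getType() != Credentials.Type.PLAIN_PASSWORD) {
            // We know this principal and only accept passwords: DENY, do not abstain.
            callback.deny();
            return;
        }
        char[] password = new String(credentials.toBytes(), StandardCharsets.UTF_8).toCharArray();
        // Constant-time comparison so response timing does not reveal how many bytes matched.
        if (!MessageDigest.isEqual(record.hash, pbkdf2(password, record.salt))) {
            callback.deny();
            return;
        }
        // Known principal with the right password: ALLOW and grant roles via the $Roles property.
        Map<String, String> properties = new HashMap<>();
        properties.put(Session.ROLES, Diffusion.rolesToString(record.roles));
        callback.allow(properties);
    }

    @Override
    public void onClose() { }

    @Override
    public void onError(ErrorReason errorReason) {
        System.err.println("Authentication handler error: " + errorReason);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        }
        catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        // The registering session needs permission to register authentication handlers;
        // the "control" principal, its password, and the URL are placeholders for this example.
        Session session = Diffusion.sessions()
            .principal("control").password("password")
            .open("ws://localhost:8080");
        session.feature(AuthenticationControl.class)
            .setAuthenticationHandler("before-system-handler", new AbstainingAuthenticator())
            .get();
        System.out.println("Handler registered; press Enter to close.");
        System.in.read();
        session.close();
    }
}
```

Registered under a handler slot that runs before the system handler, this lets `alice` and `bob` authenticate against your own store while every other principal, including anonymous ones, still falls through to the principals and roles stored in Diffusion®.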