User authentication
You can configure Diffusion® to allow clients to connect anonymously. This means that any client can connect and create a session.
For most applications, you must authenticate a client before it creates a session.
To access Diffusion®, a client must provide the following details to be authenticated:
- Principal (user name): the name of a principal, that is, the user or program that is trying to connect to Diffusion®.
- Credentials (password): typically a password, but this can be any information that authenticates the principal, such as a cryptographic key or an image.
Granting roles using custom authentication handlers
The decision about which roles to grant to which principal is made by an authentication handler.
Diffusion® has a built-in system authentication handler that uses principal, credential, and roles information stored in Diffusion®.
The Security tab on the Diffusion® console displays the state of the system authentication handler.
You can also write your own custom control authentication handlers, which can connect to Diffusion® and make authentication decisions instead of the built-in handler.
The custom handler can recognise a completely separate set of principals.
If you have multiple handlers, they can work together. A handler can choose to:
- ALLOW or DENY a connection, or
- ABSTAIN and pass the decision to another handler.
For example, you can create a custom handler which knows about certain principals.
If a principal that it doesn’t recognise tries to connect, it abstains and passes the decision to the system handler instead.
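The chain described above, as an added Python model of the ALLOW/DENY/ABSTAIN semantics (example code, not Diffusion's API or the product's own handler code). It assumes that a connection is denied when every handler abstains, and the principals, passwords and role names are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "ALLOW"
    DENY = "DENY"
    ABSTAIN = "ABSTAIN"

@dataclass(frozen=True)
class Outcome:
    decision: Decision
    roles: frozenset = frozenset()  # roles granted on ALLOW

def _hash(password: str, salt: str) -> bytes:
    # Salted, slow hash so the handler never stores or compares plain passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)

def make_table_handler(users: dict, abstain_on_unknown: bool):
    """Build a handler over a principal -> (salt, hash, roles) table.
    abstain_on_unknown=True models a custom handler that passes unknown
    principals on; False models the system handler, which denies them."""
    def handler(principal: str, credentials: str) -> Outcome:
        entry = users.get(principal)
        if entry is None:
            return Outcome(Decision.ABSTAIN if abstain_on_unknown else Decision.DENY)
        salt, stored, roles = entry
        # A known principal with bad credentials is DENIED here, not passed on,
        # so a later handler cannot be reached by deliberately failing this one.
        if hmac.compare_digest(_hash(credentials, salt), stored):
            return Outcome(Decision.ALLOW, frozenset(roles))
        return Outcome(Decision.DENY)
    return handler

def authenticate(handlers, principal: str, credentials: str) -> Outcome:
    """Consult handlers in order; the first ALLOW or DENY is final.
    Assumption: if every handler abstains, the connection is denied."""
    for handler in handlers:
        outcome = handler(principal, credentials)
        if outcome.decision is not Decision.ABSTAIN:
            return outcome
    return Outcome(Decision.DENY)

# Constructed sample data: the custom handler knows only "alice";
# the system handler knows only "bob". Role names are illustrative.
CUSTOM_USERS = {"alice": ("salt1", _hash("alice-pw", "salt1"), ["CLIENT", "TOPIC_CONTROL"])}
SYSTEM_USERS = {"bob": ("salt2", _hash("bob-pw", "salt2"), ["CLIENT"])}
HANDLER_CHAIN = [make_table_handler(CUSTOM_USERS, abstain_on_unknown=True),
                 make_table_handler(SYSTEM_USERS, abstain_on_unknown=False)]
```

Calling `authenticate(HANDLER_CHAIN, "carol", "x")` shows the custom handler abstaining for an unrecognised principal and the system handler then denying it.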