Authentication and Authorization

When a client requests a connection, the client must supply a user name and password. The broker compares the specified name and password to those stored in the user repository. On transmitting the password from client to broker, the passwords are encoded using either base 64 encoding or message digest (MD5) hashing. MD5 is used for a flat file repository; base 64 is required for LDAP repositories. If using LDAP you may want to use the secure TLS protocol. You can set broker properties to configure the type of encoding used by each connection service separately or to set the encoding on a broker-wide basis.

When a user attempts to perform an operation, the broker checks the user’s name and group membership (from the user repository) against those specified for access to that operation (in the access control properties file). The access control properties file specifies permissions to users or groups for the following operations:

• Connecting to a broker

• Accessing destinations: creating a consumer, a producer, or a queue browser for any given destination or all destinations

• Auto-creating destinations

You set broker properties to specify the following information:

• Whether access control is enabled

• The name of the access control file

• How passwords should be encoded

• How long the system should wait for a client to respond to an authentication request from the broker

• Information required by secure connections