2.6.1.2 Client Authentication in the JMXMP connector

Authentication in the JMXMP connector is based on SASL. The handshake phase of a JMXMP connection can negotiate the SASL mechanism to use. The connector server can mandate a list of mechanisms, and reject connections that do not negotiate one of them. When a SASL mechanism successfully completes, it has authenticated a client identity, which is used to derive the Subject for the connection.

The SASL mechanisms DIGEST-MD5 and GSSAPI also provide connection privacy. For these mechanisms, a TLS connection is superfluous.

TLS also supports client authentication. The JMXMP connector can exploit this to accept only clients that can authenticate themselves, but in this case it does not currently support authorization based on the authenticated identity.