Configuring Authentication and Client Negotiation
Authentication is disabled by default on the server for backward compatibility. Even if clients supply user credentials, they are accepted without verification.
To enable authentication on the server, you must set the Nirvana.auth.enabled system property in the Server_Common.conf file to Y.
Even when you enable authentication, authenticating clients can exist side-by-side with non-authenticating ones, meaning it is optional for clients to supply user credentials. Clients that do not supply user credentials are subject to ACL-based authorization only.
To make authentication mandatory, you must set the Nirvana.auth.mandatory system property in the Server_Common.conf file to Y. Then clients that do not supply a username and password are rejected.
The following users are exempt from mandatory authentication:
The super-user on localhost, so that the server cannot be locked out.
A set of users listed in a .txt file specified in the optional JVM property -DNirvana.auth.exempt=<path_to_file>. List the users in the exempt file one per line in ACL-style notation, for example, username1@10.140.2.95.
The exempt file supports wildcard-character entries using the * (asterisk) symbol, such as user@* and *@host. However, *@* is not supported because it would allow any user to bypass authentication.
Note:
The username * is a valid username, but if you add such a user to the exempt list, the entry is interpreted as a wildcard rather than as that specific user. For this reason, Software AG recommends against using the * username.
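The following Python snippet is an added example, not Universal Messaging's own code: it models the decision the text above describes (Nirvana.auth.enabled, Nirvana.auth.mandatory, the localhost super-user exemption, and an exempt file in ACL-style user@host notation with * wildcards) so that the effect of each setting can be checked against sample connections. The exempt-file contents, the usernames and hosts, and the function names are constructed for the example; the assumptions that blank lines are ignored and that the loopback addresses listed count as localhost are the example's, not the product's.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of the file named by -DNirvana.auth.exempt (one entry per line).
EXEMPT_FILE_TEXT = """\
username1@10.140.2.95
monitor@*
*@10.0.0.7
"""

# Assumption for this example: these hosts are treated as "localhost".
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass(frozen=True)
class AuthSettings:
    enabled: bool                        # Nirvana.auth.enabled=Y
    mandatory: bool                      # Nirvana.auth.mandatory=Y
    exempt: Tuple[Tuple[str, str], ...]  # parsed entries from the exempt file


def parse_exempt_file(text: str) -> List[Tuple[str, str]]:
    """Parse user@host lines; '*' in either position is a wildcard.
    '*@*' is refused because it would exempt every user from every host."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:                     # assumption: blank lines are ignored
            continue
        user, sep, host = line.partition("@")
        if not sep or not user or not host:
            raise ValueError(f"line {lineno}: expected user@host, got {line!r}")
        if user == "*" and host == "*":
            raise ValueError(f"line {lineno}: '*@*' is not supported")
        entries.append((user, host))
    return entries


def _matches(pattern: str, value: str) -> bool:
    # A literal '*' username in the file is read as a wildcard, as the Note warns.
    return pattern == "*" or pattern == value


def is_exempt(settings: AuthSettings, user: str, host: str, is_superuser: bool) -> bool:
    """Exempt: the super-user on localhost, or any matching exempt-file entry."""
    if is_superuser and host in LOOPBACK_HOSTS:
        return True
    return any(_matches(u, user) and _matches(h, host) for u, h in settings.exempt)


def connection_decision(settings: AuthSettings, user: str, host: str,
                        supplied_credentials: bool, is_superuser: bool = False) -> str:
    """Return how the server treats the connection:
    'accept-unverified' - auth disabled, credentials (if any) are not checked
    'authenticate'      - credentials are verified over SASL by the configured modules
    'acl-only'          - no credentials, connection allowed, ACL authorization only
    'reject'            - no credentials and authentication is mandatory
    """
    if not settings.enabled:
        return "accept-unverified"
    if supplied_credentials:
        return "authenticate"
    if not settings.mandatory or is_exempt(settings, user, host, is_superuser):
        return "acl-only"
    return "reject"


if __name__ == "__main__":
    strict = AuthSettings(True, True, tuple(parse_exempt_file(EXEMPT_FILE_TEXT)))
    for who in [("username1", "10.140.2.95"), ("username1", "10.1.1.1"),
                ("someone", "10.0.0.7"), ("monitor", "192.0.2.9")]:
        print(who, "->", connection_decision(strict, *who, supplied_credentials=False))
```

Running the block prints the decision for each constructed connection; the second entry (username1 from a host not in the file) is the only one rejected, which is the check a practitioner wants before turning Nirvana.auth.mandatory on.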
When a client authenticates, it sends its credentials over a SASL mechanism, and the server verifies them using its configured authentication modules.