Universal Messaging 9.7 | Universal Messaging Concepts | Security | Authentication | Using SASL | Client
 
Client
If the pre-existing session connection methods with no username/password parameters are used, then the client will continue to use unauthenticated sessions as before (assuming the server is configured to allow that), i.e. by defaulting the user identity to the username under whose identity the client process is running (as reflected in the Java "user.name" system property). The client API is controlled by two main Java system properties.
*Nirvana.auth.client.jaaskey
If set, this means that any authentication should be performed via JAAS and its value specifies the name of the entry to use in the JAAS login configuration file. JAAS is an established Java standard which is beyond the scope of the UM documentation and the login configuration file's pathname is specified by the usual JAAS system property, java.security.auth.login.config. The Nirvana client SDK supplies the username and password to the JDK's built-in JAAS subsystem, and the JAAS login config file specifies one or more pluggable JAAS modules that will perform the authentication. The precise modules to use are a matter of site-specific policies determined by the Nirvana admins, and the JAAS modules configured into a client should obviously be aligned with those configured on the server. If Nirvana.auth.client.jaaskey is not set, then the authentication mechanism defaults to SASL.
*nirvana.sasl.client.mech
This specifies which SASL mechanism to use, and the supported options are Plain or CRAM-MD5. The mechanism defaults to Plain if this system property is not set, and the usual SASL trade-offs apply. SASL-Plain transmits the user password in cleartext, so it is advisable to only use it over an SSL connection, while Cram-MD5 does not transmit it in cleartext, but does require it to be stored in plaintext on the server (whereas Plain can work with stored passwords in either plain or encrypted format).
One of the JAAS modules available is the Nirvana class, com.pcbsys.foundation.security.sasl.fSaslClientLoginModule, which will result in the authentication being performed via SASL after all, despite initially being routed via JAAS. From the server's perspective, the authentication negotiation is conducted entirely in SASL. The fSaslClientLoginModule class is integrated with the Software AG family of JAAS modules, and one reason you might opt for this JAAS-SASL hybrid is to chain it with other SAG modules.
Copyright © 2013-2015 | Software AG, Darmstadt, Germany and/or Software AG USA, Inc., Reston, VA, USA, and/or its subsidiaries and/or its affiliates and/or their licensors.