Authentication on reconnect?

fijimf
fijimf Member Posts: 6

I'm developing an application with the Java API. The application is a long running server. We are authenticating with username and password, and our passwords are rotated every twelve hours.

It's not clear to me if sessions need to be reauthenticated on reconnection. If they do is there a way to update the PASSWORD in a way which will be pick it up by the reconnect attempt?

Thanks,
Jim

Tagged:

Comments

  • Aaron
    Aaron Member, Administrator, Moderator, Employee Posts: 508 admin

    Hi Jim... yes, a Session needs to re-authenticate with the broker upon reconnection.

    I just tried to change the JCSMPProperty.PASSWORD of an existing Session, and it causes an exception to be thrown. I tried doing session.setProperty(JCSMPProperties.PASSWORD,"abc"); inside a JCSMPReconnectEventHandler, and it didn't work.

    But your use case is valid and interesting, so I'll raise with the Solace team internally about pros/cons of implementing.

    In the meantime, I think you will have to close() the Session, change the password property, and then recreate the Session and call connect() again... so, not exactly a reconnect, more of a "new connection".

  • TomF
    TomF Member, Employee Posts: 406 Solace Employee

    @Aaron I'm just interested - did you try to change JCSMPProperty.PASSWORD of an existing session or a connected session? I'm just wondering if session state affects what can be done with the password. I assume that you can set a password, connect, disconnect, change the password and reconnect, but haven't had a chance to try.

  • fijimf
    fijimf Member Posts: 6

    The docs make it pretty clear that the properties which can be set on an existing session are pretty limited.

  • Aaron
    Aaron Member, Administrator, Moderator, Employee Posts: 508 admin

    @TomF doesn't matter. What Jim said: https://docs.solace.com/API-Developer-Online-Ref-Documentation/java/com/solacesystems/jcsmp/JCSMPSession.html#setProperty(java.lang.String, java.lang.Object)

    Not very flexible, but there's probably some security considerations of modifying some of the Session properties. But I'd think being able to update the password would be a good one..?

    @fijimf would using something like Kerberos help in this situation?

  • fijimf
    fijimf Member Posts: 6

    @Aaron stepping out of my area of competence here, so please don't pounce if I get details wrong. Our ops teams have chosen user password authentication backed by LDAP. Our UNIX clients use Kerberos credentials to generate a token which can be used against LDAP. As a security measure those tokens expire every few hours.

    My understanding is that they are reluctant to use Solace's native Kerberos support because it would make connecting/authenticating more difficult across the enterprise from both Windows and Linux.

  • Aaron
    Aaron Member, Administrator, Moderator, Employee Posts: 508 admin

    Hey Jim... apologies for the delay. I've escalated your specific inquiry to the Solace SEs who manage your account. Hopefully they'll be in touch..!

  • AlexanderJHall
    AlexanderJHall Member Posts: 6

    Hi Aaron & Jim,

    Sorry to resurrect an old thread, but have there been any changes to to the way Solace authenticates on reconnect since Jim's original question?

    I ask as we are facing the same issue as Jim but we go via the Python api. We supply a username and password generated via SSO, however if we ever have to reconnect the password is now no longer valid so the reconnection fails. Other than using a static password is there a way around this?

    Could you expose a callback in order to regenerate the password on reconnect?

    Many thanks

    Alexander