Authentication on reconnect?
I'm developing an application with the Java API. The application is a long-running server. We are authenticating with username and password, and our passwords are rotated every twelve hours.
It's not clear to me if sessions need to be reauthenticated on reconnection. If they do, is there a way to update the PASSWORD in a way which will be picked up by the reconnect attempt?
Thanks,
Jim
Comments
-
Hi Jim... yes, a Session needs to re-authenticate with the broker upon reconnection.
I just tried to change the JCSMPProperty.PASSWORD of an existing Session, and it causes an exception to be thrown. I tried doing
session.setProperty(JCSMPProperties.PASSWORD,"abc");
inside a JCSMPReconnectEventHandler, and it didn't work. But your use case is valid and interesting, so I'll raise with the Solace team internally about pros/cons of implementing.
In the meantime, I think you will have to close() the Session, change the password property, and then recreate the Session and call connect() again... so, not exactly a reconnect, more of a "new connection".
0 -
@Aaron I'm just interested - did you try to change JCSMPProperty.PASSWORD of an existing session or a connected session? I'm just wondering if session state affects what can be done with the password. I assume that you can set a password, connect, disconnect, change the password and reconnect, but haven't had a chance to try.
0 -
@TomF doesn't matter. What Jim said: https://docs.solace.com/API-Developer-Online-Ref-Documentation/java/com/solacesystems/jcsmp/JCSMPSession.html#setProperty(java.lang.String, java.lang.Object)
Not very flexible, but there are probably some security considerations of modifying some of the Session properties. But I'd think being able to update the password would be a good one..?
@fijimf would using something like Kerberos help in this situation?
0 -
@Aaron stepping out of my area of competence here, so please don't pounce if I get details wrong. Our ops teams have chosen user password authentication backed by LDAP. Our UNIX clients use Kerberos credentials to generate a token which can be used against LDAP. As a security measure those tokens expire every few hours.
My understanding is that they are reluctant to use Solace's native Kerberos support because it would make connecting/authenticating more difficult across the enterprise from both Windows and Linux.
0 -
Hi Aaron & Jim,
Sorry to resurrect an old thread, but have there been any changes to the way Solace authenticates on reconnect since Jim's original question?
I ask as we are facing the same issue as Jim, but we go via the Python API. We supply a username and password generated via SSO; however, if we ever have to reconnect, the password is now no longer valid, so the reconnection fails. Other than using a static password, is there a way around this?
Could you expose a callback in order to regenerate the password on reconnect?
Many thanks
Alexander
0
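The "new connection" workaround described in this thread, sketched in Java as an added example (not code from any poster or from Solace): the application turns off the API's automatic reconnect and, when the Session goes down, builds a new Session with a freshly fetched password. The class name RotatingPasswordSession and the passwordSupplier callback are hypothetical; the JCSMP library is assumed to be on the classpath.

```java
import com.solacesystems.jcsmp.JCSMPChannelProperties;
import com.solacesystems.jcsmp.JCSMPException;
import com.solacesystems.jcsmp.JCSMPFactory;
import com.solacesystems.jcsmp.JCSMPProperties;
import com.solacesystems.jcsmp.JCSMPSession;
import com.solacesystems.jcsmp.SessionEvent;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.function.Supplier;

// Hypothetical wrapper (not Solace code): replaces the Session instead of reconnecting it.
public final class RotatingPasswordSession {
    private final String host, vpn, user;
    private final Supplier<String> passwordSupplier; // assumed: returns the current password
    private final ExecutorService rebuilder = Executors.newSingleThreadExecutor();
    private JCSMPSession session;

    public RotatingPasswordSession(String host, String vpn, String user, Supplier<String> pw) {
        this.host = host; this.vpn = vpn; this.user = user; this.passwordSupplier = pw;
    }

    // Close the old Session, then create and connect a new one with a fresh password.
    public synchronized JCSMPSession connectFresh() throws JCSMPException {
        if (session != null) { session.closeSession(); }
        JCSMPProperties props = new JCSMPProperties();
        props.setProperty(JCSMPProperties.HOST, host);
        props.setProperty(JCSMPProperties.VPN_NAME, vpn);
        props.setProperty(JCSMPProperties.USERNAME, user);
        props.setProperty(JCSMPProperties.PASSWORD, passwordSupplier.get());
        // Turn off automatic reconnects so the API never retries with the stale password.
        JCSMPChannelProperties channel = (JCSMPChannelProperties)
                props.getProperty(JCSMPProperties.CLIENT_CHANNEL_PROPERTIES);
        channel.setReconnectRetries(0);
        session = JCSMPFactory.onlyInstance().createSession(props, null, event -> {
            if (event.getEvent() == SessionEvent.DOWN_ERROR) {
                rebuilder.execute(this::rebuild); // keep the rebuild off the API callback thread
            }
        });
        session.connect();
        return session;
    }

    private void rebuild() {
        try {
            connectFresh();
        } catch (JCSMPException e) {
            System.err.println("Session rebuild failed: " + e.getMessage()); // retry/alert here
        }
    }
}
```

Producers, consumers and flows belong to the Session they were created from, so they have to be recreated after each rebuild; production code would also add backoff between failed attempts.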