- MongoDB Driver
- Reference
- Connecting
- Authenticating
Authentication
The Java driver supports all MongoDB authentication mechanisms, including those only available in the MongoDB Enterprise Edition.
An authentication credential is represented as an instance of the
MongoCredential
class, which includes static factory methods for
each of the supported authentication mechanisms. A list of these instances must be passed to the driver via one of several
MongoClient
constructors that take a
parameter of type List<MongoCredential>
. Alternatively, a single MongoCredential
can be created implicity via a
MongoClientURI
and passed to a MongoClient
constructor that takes a MongoClientURI
parameter.
Note
Given the flexibility of role-based access control in MongoDB, it is usually sufficient to authenticate with a single user, but, for completeness, the driver accepts a list of credentials.
Default authentication mechanism
MongoDB 3.0 changed the default authentication mechanism from MONGODB-CR to SCRAM-SHA-1. To create a credential that will authenticate properly regardless of server version, create a credential using the following static factory method:
import com.mongodb.MongoCredential;
// ...
String user; // the user name
String database; // the name of the database in which the user is defined
char[] password; // the password as a character array
// ...
MongoCredential credential = MongoCredential.createCredential(user,
database,
password);
or with a connection string:
MongoClientURI uri = new MongoClientURI("mongodb://user1:pwd1@host1/?authSource=db1");
This is the recommended approach as it will make upgrading from MongoDB 2.6 to MongoDB 3.0 seamless, even after upgrading the authentication schema.
SCRAM-SHA-1
To explicitly create a credential of type SCRAM-SHA-1 use the following static factory method:
MongoCredential credential = MongoCredential.createScramSha1Credential(user,
database,
password);
or with a connection string:
MongoClientURI uri = new MongoClientURI("mongodb://user1:pwd1@host1/?authSource=db1&authMechanism=SCRAM-SHA-1");
MONGODB-CR
To explicitly create a credential of type MONGODB-CR use the following static factory method:
MongoCredential credential = MongoCredential.createMongoCRCredential(user,
database,
password);
or with a connection string:
MongoClientURI uri = new MongoClientURI("mongodb://user1:pwd1@host1/?authSource=db1&authMechanism=MONGODB-CR");
Note that this is not recommended as a credential created in this way will fail to authenticate after an authentication schema upgrade from MONGODB-CR to SCRAM-SHA-1.
x.509
The x.509 mechanism authenticates a user whose name is derived from the distinguished subject name of the X.509 certificate presented by the driver during SSL negotiation. This authentication method requires the use of SSL connections with certificate validation and is available in MongoDB 2.6 and newer. To create a credential of this type use the following static factory method:
String user; // The x.509 certificate derived user name, e.g. "CN=user,OU=OrgUnit,O=myOrg,..."
MongoCredential credential = MongoCredential.createMongoX509Credential(user);
or with a connection string:
MongoClientURI uri = new MongoClientURI("mongodb://subjectName@host1/?authMechanism=MONGODB-X509");
See the MongoDB server x.509 tutorial for more information about determining the subject name from the certificate.
Kerberos (GSSAPI)
MongoDB Enterprise supports proxy authentication through a Kerberos service. To create a credential of type Kerberos (GSSAPI) use the following static factory method:
String user; // The Kerberos user name, including the realm, e.g. "user1@MYREALM.ME"
// ...
MongoCredential credential = MongoCredential.createGSSAPICredential(user);
Or via the connection string:
MongoClientURI uri = new MongoClientURI("mongodb://username%40MYREALM.com@host1/?authMechanism=GSSAPI");
Note
The method refers to the GSSAPI
authentication mechanism instead of Kerberos
because technically the driver is authenticating via the
GSSAPI SASL mechanism.
To successfully authenticate via Kerberos, the application typically must specify several system properties so that the underlying GSSAPI Java libraries can acquire a Kerberos ticket:
java.security.krb5.realm=MYREALM.ME
java.security.krb5.kdc=mykdc.myrealm.me
Depending on the Kerberos setup, it may be required to specify additional properties, either via code or, in some cases, the connection string.
-
This property is used when the service’s name is different that the default of
mongodb
.credential = credential.withMechanismProperty(MongoCredential.SERVICE_NAME_KEY, "othername");
Or via the connection string:
mongodb://username%40MYREALM.com@myserver/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:othername
-
This property is used when the fully qualified domain name (FQDN) of the host is required to properly authenticate.
credential = credential.withMechanismProperty(MongoCredential.CANONICALIZE_HOST_NAME_KEY, true);
Or via the connection string:
mongodb://username%40MYREALM.com@myserver/?authMechanism=GSSAPI&authMechanismProperties=CANONICALIZE_HOST_NAME:true
-
This property is used for overriding the Subject under which GSSAPI authentication executes.
LoginContext loginContext; // ... loginContext.login(); Subject subject = loginContext.getSubject() credential = credential.withMechanismProperty(MongoCredential.JAVA_SUBJECT_KEY, subject);
-
While rarely needed, this property is used to replace the SasClient properties.
Map<String, Object> saslClientProperties; // ... credential = credential.withMechanismProperty(MongoCredential.JAVA_SASL_CLIENT_PROPERTIES_KEY, saslClientProperties);
Note
The GSSAPI
authentication mechanism is supported only in the following environments:
- Linux: Java 6 and above
- Windows: Java 7 and above with SSPI
- OS X: Java 7 and above
LDAP (PLAIN)
MongoDB Enterprise supports proxy authentication through a Lightweight Directory Access Protocol (LDAP) service. To create a credential of type LDAP use the following static factory method:
String user; // The LDAP user name
char[] password; // The LDAP password
// ...
MongoCredential credential = MongoCredential.createPlainCredential(user, "$external", password);
or with a connection string:
MongoClientURI uri = new MongoClientURI("mongodb://user1@host1/?authSource=$external&authMechanism=PLAIN");
Note
The method refers to the plain
authentication mechanism instead of LDAP
because technically the driver is authenticating via the PLAIN SASL mechanism.