Docs Menu
Docs Home
/ / /
Java Sync
/

Enterprise Authentication Mechanisms

On this page

  • Overview
  • Specify an Authentication Mechanism
  • Mechanisms
  • Kerberos (GSSAPI)
  • LDAP (PLAIN)

In this guide, you can learn how to authenticate with MongoDB using each authentication mechanism available exclusively in the MongoDB Enterprise Edition.

You can use the following mechanisms with the latest version of MongoDB Enterprise Edition:

  • Kerberos (GSSAPI)

  • LDAP (PLAIN)

To authenticate using another mechanism, see the Authentication Mechanisms guide. For more information on establishing a connection to your MongoDB cluster, read our Connection Guide.

You can specify your authentication mechanism and credentials when connecting to MongoDB using either of the following:

  • A connection string

  • A MongoCredential factory method

A connection string (also known as a connection uri) specifies how to connect and authenticate to your MongoDB cluster.

To authenticate using a connection string, include your settings in your connection string and pass it to the MongoClients.create() method to instantiate your MongoClient. Select the Connection String tab to see the syntax for authenticating using a connection string.

Alternatively, you can use the MongoCredential class to specify your authentication details. The MongoCredential class contains static factory methods that construct instances containing your authentication mechanism and credentials. When you use the MongoCredential helper class, you need to use the MongoClientSettings.Builder class to configure your connection settings when constructing your MongoClient. Select the MongoCredential tab to see the syntax for authenticating using a MongoCredential.

For more information on these classes and methods, refer to the following API documentation:

The Generic Security Services API (GSSAPI) authentication mechanism allows the user to authenticate to a Kerberos service using the user's principal name.

Note

The method refers to the GSSAPI authentication mechanism instead of Kerberos because the driver authenticates using the GSSAPI RFC-4652 SASL mechanism.

The following code snippets show how to specify the authentication mechanism, using the following placeholders:

  • username - your URL-encoded principal name, e.g. "username%40REALM.ME"

  • hostname - network address of your MongoDB deployment, accessible by your client

  • port - port number of your MongoDB deployment

Select the Connection String or the MongoCredential tab below for instructions and sample code for specifying this authentication mechanism:

To specify the GSSAPI authentication mechanism using a connection string:

  • Assign the authMechanism URL parameter to the value GSSAPI

  • (optional) Assign the authSource URL parameter to the value $external

Note

If you specify the GSSAPI mechanism, you cannot assign authSource to any value other than $external.

Your code to instantiate a MongoClient should look something like this:

MongoClient mongoClient = MongoClients.create("<db_username>@<hostname>:<port>/?authSource=$external&authMechanism=GSSAPI");

To specify the GSSAPI authentication mechanism using the MongoCredential class, use the createGSSAPICredential() method. Your code to instantiate a MongoClient should look something like this:

MongoCredential credential = MongoCredential.createGSSAPICredential(<db_username>);
MongoClient mongoClient = MongoClients.create(
MongoClientSettings.builder()
.applyToClusterSettings(builder ->
builder.hosts(Arrays.asList(new ServerAddress("<hostname>", <port>))))
.credential(credential)
.build());

In order to acquire a Kerberos ticket, the GSSAPI Java libraries require you to specify the realm and Key Distribution Center (KDC) system properties. See the sample settings in the following example:

java.security.krb5.realm=MYREALM.ME
java.security.krb5.kdc=mykdc.myrealm.me

You may need to specify one or more of the following additional MongoCredential mechanism properties depending on your Kerberos setup:

  • SERVICE_NAME

  • CANONICALIZE_HOST_NAME

  • JAVA_SUBJECT

  • JAVA_SASL_CLIENT_PROPERTIES

  • JAVA_SUBJECT_PROVIDER

Important

You can only specify the following GSSAPI properties using the MongoCredential:

  • JAVA_SUBJECT

  • JAVA_SASL_CLIENT_PROPERTIES

  • JAVA_SUBJECT_PROVIDER

Select the MongoCredential tab to see how to specify them.

To specify one of the GSSAPI additional properties, include it in the connection string as a URL parameter using the format: <PROPERTY_NAME>:<value>.

Your code to instantiate a MongoClient using GSSAPI and additional properties might look something like this:

MongoClient mongoClient = MongoClients.create("<db_username>@<hostname>:<port>/?authSource=$external&authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:myService");

To specify one of the GSSAPI additional properties, call the withMechanismProperty() method on your MongoCredential instance and pass the property name and value as parameters. Use the property name constants defined in the MongoCredential class:

Select the SERVICE_NAME_KEY or JAVA_SUBJECT_KEY tab to see sample code to instantiate a MongoCredential that uses GSSAPI and the selected property:

MongoCredential credential = MongoCredential.createGSSAPICredential(<db_username>);
credential = credential.withMechanismProperty(MongoCredential.SERVICE_NAME_KEY, "myService");
LoginContext loginContext = new LoginContext(<LoginModule implementation from JAAS config>);
loginContext.login();
Subject subject = loginContext.getSubject();
MongoCredential credential = MongoCredential.createGSSAPICredential(<db_username>);
credential = credential.withMechanismProperty(MongoCredential.JAVA_SUBJECT_KEY, subject);

By default, the Java driver caches Kerberos tickets by MongoClient instance. If your deployment needs to frequently create and destroy MongoClient instances, you can change the default Kerberos ticket caching behavior to cache by process to improve performance.

To cache Kerberos tickets by process, you must use the MongoCredential authentication mechanism, as the connection string authentication mechanism does not support the JAVA_SUBJECT_PROVIDER mechanism property. If you would like to cache Kerberos tickets by process, select the MongoCredential tab to learn how to accomplish this.

To cache Kerberos tickets by process, you must specify the JAVA_SUBJECT_PROVIDER mechanism property and provide a KerberosSubjectProvider in your MongoCredential instance. The code to configure the Java driver to cache Kerberos tickets by process should resemble the following:

/* all MongoClient instances sharing this instance of KerberosSubjectProvider
will share a Kerberos ticket cache */
String myLoginContext = "myContext";
MongoCredential credential = MongoCredential.createGSSAPICredential(<db_username>);
/* login context defaults to "com.sun.security.jgss.krb5.initiate"
if unspecified in KerberosSubjectProvider */
credential = credential.withMechanismProperty(MongoCredential.JAVA_SUBJECT_PROVIDER_KEY,
new KerberosSubjectProvider(myLoginContext));

Note

On Windows, Oracle’s JRE uses LSA rather than SSPI in its implementation of GSSAPI which limits interoperability with Windows Active Directory and implementations of single sign-on. See the following articles for more information:

Available in MongoDB Enterprise Edition 3.4 and later.

You can authenticate to a Lightweight Directory Access Protocol (LDAP) server using your directory server username and password.

Tip

The authentication mechanism is named PLAIN instead of LDAP since it authenticates using the PLAIN Simple Authentication and Security Layer (SASL) defined in RFC-4616.

You can specify this authentication mechanism by setting the authMechanism parameter to PLAIN and including your LDAP username and password in the connection string.

The following code snippets show how to specify the authentication mechanism, using the following placeholders:

  • username - your LDAP username

  • password - your LDAP user's password

  • hostname - network address of your MongoDB deployment, accessible by your client

  • port - port number of your MongoDB deployment

Select the Connection String or the MongoCredential tab below for instructions and sample code for specifying this authentication mechanism:

To specify the LDAP (PLAIN) authentication mechanism using a connection string:

  • Assign the authMechanism URL parameter to the value PLAIN

  • (optional) Assign the authSource URL parameter to the value $external

Note

If you specify the PLAIN mechanism, you cannot assign authSource to any value other than $external.

Your code to instantiate a MongoClient should look something like this:

MongoClient mongoClient = MongoClients.create("<db_username>:<db_password>@<hostname>:<port>/?authSource=$external&authMechanism=PLAIN");

To specify the LDAP (PLAIN) authentication mechanism using the MongoCredential class, use the createPlainCredential() method. Your code to instantiate a MongoClient should look something like this:

MongoCredential credential = MongoCredential.createPlainCredential(<db_username>, "$external", <db_password>);
MongoClient mongoClient = MongoClients.create(
MongoClientSettings.builder()
.applyToClusterSettings(builder ->
builder.hosts(Arrays.asList(new ServerAddress("<hostname>", <port>))))
.credential(credential)
.build());

Back

Authentication Mechanisms