SASL Authentication

RabbitMQ has pluggable support for various SASL authentication mechanisms. There are three such mechanisms built into the server: PLAIN, AMQPLAIN, and RABBIT-CR-DEMO, and one - EXTERNAL - available as a plugin. You can also implement your own authentication mechanism by implementing the rabbit_auth_mechanism behaviour in a plugin. See the plugin development guide for more information on general plugin development.

Built-in mechanisms

The three built-in mechanisms are:

PLAIN
SASL PLAIN authentication. This is enabled by default in the RabbitMQ server and clients, and is the default for most other clients.
AMQPLAIN
Non-standard version of PLAIN as defined by the AMQP 0-8 specification. This is enabled by default in the RabbitMQ server, and is the default for QPid's Python client.
RABBIT-CR-DEMO
Non-standard mechanism which demonstrates challenge-response authentication. This mechanism has security equivalent to PLAIN, and is not enabled by default in the RabbitMQ server.

Server configuration

The configuration variable auth_mechanisms in the rabbit application determines which of the installed mechanisms are offered to connecting clients. This variable should be a list of atoms corresponding to mechanism names, for example ['PLAIN', 'AMQPLAIN'] by default. The server-side list is not considered to be in any particular order. See the configuration file documentation.

Client configuration

Java

The Java client does not use the javax.security.sasl package by default since this can be unpredictable on non-Oracle JDKs and is missing entirely on Android. There is a RabbitMQ-specific SASL implementation, configured by the SaslConfig interface. A class DefaultSaslConfig is provided to make SASL configuration more convenient in the common case. A class JDKSaslConfig is provided to act as a bridge to javax.security.sasl.

See ConnectionFactory.getSaslConfig() and ConnectionFactory.setSaslConfig(SaslConfig)

Erlang

The Erlang client provides its own SASL mechanism implementations in the amqp_auth_mechanisms module. The #amqp_params{} record can be provided with a list of authentication functions in preference order for network connections.

.Net

The .Net client provides its own SASL mechanism implementations based on the AuthMechanism and AuthMechanismFactory interfaces. The ConnectionFactory.AuthMechanisms property is a list of authentication mechanism factories in preference order.