SASL Authentication
RabbitMQ has pluggable support for various SASL authentication mechanisms. There are three such mechanisms built into the server: PLAIN, AMQPLAIN, and RABBIT-CR-DEMO, and one - EXTERNAL - available as a plugin. You can also implement your own authentication mechanism by implementing the rabbit_auth_mechanism behaviour in a plugin. See the plugin development guide for more information on general plugin development.
Built-in mechanisms
The three built-in mechanisms are:
- PLAIN
- SASL PLAIN authentication. This is enabled by default in the RabbitMQ server and clients, and is the default for most other clients.
- AMQPLAIN
- Non-standard version of PLAIN as defined by the AMQP 0-8 specification. This is enabled by default in the RabbitMQ server, and is the default for QPid's Python client.
- RABBIT-CR-DEMO
- Non-standard mechanism which demonstrates challenge-response authentication. This mechanism has security equivalent to PLAIN, and is not enabled by default in the RabbitMQ server.
Server configuration
The configuration variable auth_mechanisms in the rabbit application determines which of the installed mechanisms are offered to connecting clients. This variable should be a list of atoms corresponding to mechanism names, for example ['PLAIN', 'AMQPLAIN'] by default. The server-side list is not considered to be in any particular order. See the configuration file documentation.
Client configuration
Java
The Java client does not use the javax.security.sasl package by default since this can be unpredictable on non-Oracle JDKs and is missing entirely on Android. There is a RabbitMQ-specific SASL implementation, configured by the SaslConfig interface. A class DefaultSaslConfig is provided to make SASL configuration more convenient in the common case. A class JDKSaslConfig is provided to act as a bridge to javax.security.sasl.
See ConnectionFactory.getSaslConfig() and ConnectionFactory.setSaslConfig(SaslConfig)