
AuthManager (Global Authentication Configuration)

The AuthManager controls global authentication behaviour in MAPS.
It provides two top‑level switches and wiring for the server’s identity provider and security assets.


Global Switches

    AuthManager:
      authenticationEnabled: true    # Enforce client authentication globally
      authorizationEnabled: false    # (Reserved) ACL/role checks – not yet implemented

  • authenticationEnabled
    • true → listeners challenge clients according to their auth realm (e.g., public, ssl, anon).
    • false → the server does not require authentication unless a listener enforces it explicitly (use with care).
  • authorizationEnabled (reserved)
    Hooks exist, but server-side authorization/ACLs are not implemented yet. Keep this false.

Warning: Authorization not yet implemented

AuthManager.authorizationEnabled is a placeholder. Turning it on has no effect today; do not rely on it for access control.
Authentication is enforced only when authenticationEnabled: true.


Minimal Example

    AuthManager:
      authenticationEnabled: true
      authorizationEnabled: false
      config:
        identityProvider: "Encrypted-Auth"
        passwordHandler: "EncryptedPasswordCipher"
        configDirectory: "{{MAPS_DATA}}/.security"
        certificateStore:
          type: JKS
          path: "{{MAPS_DATA}}/.security/authKeystore.jks"
          passphrase: Password
          alias: default
          privateKey.name: default
          privateKey.passphrase: Password

This example uses the built‑in (encrypted) identity provider & password cipher with a local JKS keystore.


How AuthManager Fits With JAAS & Per‑Interface Auth

MAPS separates global auth wiring from per‑interface policy:

  1. AuthManager.yaml (this page)
    • Enables auth/authorization server‑wide.
    • Loads the identity provider, password handler, keystores, and security paths.
  2. JAAS (jaasAuth.config) (optional, when using JAAS providers)
    • Defines login modules (e.g., UsernamePasswordLoginModule, SSLAuthConfig, JWTAuthConfig, PrivateAuthConfig).
    • Each module encapsulates how to authenticate (internal DB, LDAP, OIDC/JWT, mTLS).
  3. SecurityManager.yaml
    • Maps JAAS entries to named realms you reference elsewhere, e.g.:
        SecurityManager:
          - default: PublicAuthConfig
            public: UsernamePasswordLoginModule
            private: PrivateAuthConfig
            admin: MessagingAuthConfig
            anon: PublicAuthConfig
            ssl: SSLAuthConfig
  4. NetworkManager.yaml (per listener/interface)
    • A listener picks a realm by name (from SecurityManager.yaml):
        - name: "MQTT SSL Interface"
          url: "ssl://0.0.0.0:1893/"
          protocol: mqtt, ws
          auth: public
          sasl:
            mechanism: "CRAM-MD5"
            identityProvider: system

This design lets you flip a global switch (AuthManager), define how to auth (JAAS modules), name your auth realms (SecurityManager), and apply them per interface (NetworkManager).
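Because the wiring spans four files, a mis-typed realm name or a forgotten global switch is easy to miss in review. The script below is an added example (not part of the MAPS documentation or code base) that cross-checks the pieces described above: it confirms the AuthManager switches match the page's guidance (authentication on, the unimplemented authorization flag off), flags placeholder keystore passphrases such as the "Password" value in the minimal example, and verifies that every listener's auth realm is defined in SecurityManager. The page's YAML snippets are embedded as already-parsed Python dicts (constructed input, so the script runs without a YAML library); the "NetworkManager" top-level key, the second "MQTT Plain Interface" listener, its "devices" realm, and the list of placeholder secrets are assumptions made for this example.

```python
"""Cross-check MAPS auth wiring across AuthManager, SecurityManager and
NetworkManager. Added example, not MAPS code."""
from typing import Dict, List, Set

# Constructed input: the page's AuthManager minimal example, as a parsed dict.
AUTH_MANAGER: Dict = {
    "AuthManager": {
        "authenticationEnabled": True,
        "authorizationEnabled": False,
        "config": {
            "identityProvider": "Encrypted-Auth",
            "passwordHandler": "EncryptedPasswordCipher",
            "configDirectory": "{{MAPS_DATA}}/.security",
            "certificateStore": {
                "type": "JKS",
                "path": "{{MAPS_DATA}}/.security/authKeystore.jks",
                "passphrase": "Password",
                "alias": "default",
                "privateKey.name": "default",
                "privateKey.passphrase": "Password",
            },
        },
    }
}

# Constructed input: the page's SecurityManager realm map, as a parsed dict.
SECURITY_MANAGER: Dict = {
    "SecurityManager": [
        {
            "default": "PublicAuthConfig",
            "public": "UsernamePasswordLoginModule",
            "private": "PrivateAuthConfig",
            "admin": "MessagingAuthConfig",
            "anon": "PublicAuthConfig",
            "ssl": "SSLAuthConfig",
        }
    ]
}

# Constructed input: the page's listener plus a second, deliberately mis-wired
# one. The "NetworkManager" top-level key is an assumption for this example.
NETWORK_MANAGER: Dict = {
    "NetworkManager": [
        {
            "name": "MQTT SSL Interface",
            "url": "ssl://0.0.0.0:1893/",
            "protocol": "mqtt, ws",
            "auth": "public",
            "sasl": {"mechanism": "CRAM-MD5", "identityProvider": "system"},
        },
        {
            "name": "MQTT Plain Interface",   # constructed listener
            "url": "tcp://0.0.0.0:1883/",
            "protocol": "mqtt",
            "auth": "devices",                # no such realm in SecurityManager
        },
    ]
}

# Values a reviewer should treat as placeholders, never as real secrets (assumed list).
PLACEHOLDER_SECRETS: Set[str] = {"", "password", "changeit", "secret"}


def realm_names(security_manager: Dict) -> Set[str]:
    """Collect every realm name defined under SecurityManager."""
    names: Set[str] = set()
    for entry in security_manager.get("SecurityManager", []):
        names.update(entry.keys())
    return names


def lint_auth_config(auth_mgr: Dict, sec_mgr: Dict, net_mgr: Dict) -> List[str]:
    """Return human-readable findings; an empty list means the wiring is consistent."""
    findings: List[str] = []
    am = auth_mgr.get("AuthManager", {})

    # Global switches, per the guidance on this page.
    if not am.get("authenticationEnabled", False):
        findings.append("AuthManager.authenticationEnabled is false: listeners will not "
                        "challenge clients unless each one enforces auth explicitly")
    if am.get("authorizationEnabled", False):
        findings.append("AuthManager.authorizationEnabled is true, but authorization is "
                        "not implemented: the flag provides no access control")

    # Keystore secrets: flag only keys that are present and hold a placeholder.
    store = am.get("config", {}).get("certificateStore", {})
    for key in ("passphrase", "privateKey.passphrase"):
        if key in store and str(store[key]).lower() in PLACEHOLDER_SECRETS:
            findings.append(f"certificateStore.{key} is a placeholder value; "
                            "replace it before deployment")

    # Every listener's auth realm must be a name defined in SecurityManager.
    realms = realm_names(sec_mgr)
    for listener in net_mgr.get("NetworkManager", []):
        name = listener.get("name", "<unnamed>")
        realm = listener.get("auth")
        if realm is None:
            findings.append(f"listener {name!r} names no auth realm")
        elif realm not in realms:
            findings.append(f"listener {name!r} references undefined realm {realm!r}; "
                            f"defined realms: {sorted(realms)}")
    return findings


if __name__ == "__main__":
    for finding in lint_auth_config(AUTH_MANAGER, SECURITY_MANAGER, NETWORK_MANAGER):
        print("WARN:", finding)
```

Run as-is, the script reports three findings for the constructed input: both keystore passphrases are placeholders, and the second listener points at a realm that SecurityManager never defines. Swapping the embedded dicts for the output of a YAML loader over the real AuthManager.yaml, SecurityManager.yaml and NetworkManager.yaml turns it into a pre-deployment check.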


See Also