
AuthManager (Global Authentication Configuration)

The AuthManager controls global authentication behaviour in MAPS.
It provides two top‑level switches and wiring for the server’s identity provider and security assets.


Global Switches

AuthManager:
  authenticationEnabled: true    # Enforce client authentication globally
  authorizationEnabled: false    # Enforce user authorisation of functions

  # Authentication security monitoring
  maxFailuresBeforeLock: 5
  initialLockSeconds: 30
  maxLockSeconds: 900
  failureDecaySeconds: 900
  enableSoftDelay: true
  softDelayMillisPerFailure: 200
  maxSoftDelayMillis: 2000

Settings Explained

authenticationEnabled

Type: boolean
Default: true

Server-wide switch that enables or disables authentication and authorisation. It is highly recommended that it be enabled in a production environment.


authorizationEnabled

Type: boolean
Default: true

Server-wide switch that enables or disables authorisation of users and access control to resources. It is highly recommended that it be enabled in production.


maxFailuresBeforeLock

Type: integer
Default: 5

Number of consecutive authentication failures allowed before the account is locked.

  • Counts per username + source context (IP / endpoint).
  • Successful authentication resets the counter.

initialLockSeconds

Type: integer (seconds)
Default: 30

Duration of the first lockout once the failure threshold is reached.

  • Each subsequent lockout may increase in duration.
  • Designed to slow automated retry attempts.

maxLockSeconds

Type: integer (seconds)
Default: 900 (15 minutes)

Maximum lockout duration.

  • Prevents lockouts from growing unbounded.
  • Even persistent offenders eventually get another chance to behave.

failureDecaySeconds

Type: integer (seconds)
Default: 900

Time window after which old authentication failures decay.

  • If no failures occur during this period, the failure count gradually resets.
  • Allows recovery from occasional mistakes without manual intervention.

enableSoftDelay

Type: boolean
Default: true

Enables progressive response delays before a hard lockout occurs.

  • Each failed attempt introduces a small delay.
  • Slows down brute‑force attacks without immediately locking accounts.

softDelayMillisPerFailure

Type: integer (milliseconds)
Default: 200

Delay added per failed authentication attempt.

Example:

  • 1st failure → 200 ms delay
  • 3rd failure → 600 ms delay

maxSoftDelayMillis

Type: integer (milliseconds)
Default: 2000

Upper bound for accumulated soft delay.

  • Prevents excessive client‑side latency.
  • Once reached, further failures do not increase delay.

Behaviour Summary

Stage               Effect
Early failures      Progressive delay applied
Threshold reached   Account locked
Repeated abuse      Lock duration increases
Quiet period        Failure count decays

This model balances security, usability, and operator sanity.
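The following simulator is an added example, not MAPS code: it applies the settings above to a sequence of login attempts keyed by username plus source, so an operator can see what delay and lock duration a given configuration produces. Where the page leaves behaviour open (how lockouts escalate, how the count decays), the code picks an assumption and labels it.

```python
from dataclasses import dataclass

# Values taken from the AuthManager example on this page.
CONFIG = {
    "maxFailuresBeforeLock": 5,
    "initialLockSeconds": 30,
    "maxLockSeconds": 900,
    "failureDecaySeconds": 900,
    "enableSoftDelay": True,
    "softDelayMillisPerFailure": 200,
    "maxSoftDelayMillis": 2000,
}

@dataclass
class _State:
    failures: int = 0          # consecutive failures in the current window
    last_failure: float = 0.0  # timestamp of the most recent failure
    locked_until: float = 0.0  # timestamp at which the current lock expires
    lockouts: int = 0          # lockouts so far for this key (drives escalation)

class FailureTracker:
    """Simulates the soft-delay / lockout model, keyed by (username, source)."""
    def __init__(self, cfg=CONFIG):
        self.cfg = cfg
        self.state = {}

    def _get(self, user, source):
        return self.state.setdefault((user, source), _State())

    def is_locked(self, user, source, now):
        return now < self._get(user, source).locked_until

    def record_failure(self, user, source, now):
        """Returns (soft_delay_ms, lock_seconds) to apply for this failed attempt."""
        s = self._get(user, source)
        # ASSUMPTION: a quiet period of failureDecaySeconds resets the count fully.
        if s.failures and now - s.last_failure >= self.cfg["failureDecaySeconds"]:
            s.failures = 0
        s.failures += 1
        s.last_failure = now
        delay = 0
        if self.cfg["enableSoftDelay"]:
            delay = min(s.failures * self.cfg["softDelayMillisPerFailure"],
                        self.cfg["maxSoftDelayMillis"])
        lock = 0
        if s.failures >= self.cfg["maxFailuresBeforeLock"]:
            # ASSUMPTION: each subsequent lockout doubles, capped at maxLockSeconds.
            lock = min(self.cfg["initialLockSeconds"] * (2 ** s.lockouts),
                       self.cfg["maxLockSeconds"])
            s.lockouts += 1
            s.locked_until = now + lock
            s.failures = 0  # a new lockout requires a fresh run of failures
        return delay, lock

    def record_success(self, user, source):
        self.state.pop((user, source), None)  # successful auth resets the counter
```

Timestamps are plain seconds so the same code can be driven from a test or from `time.time()`.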


Minimal Example

AuthManager:
  authenticationEnabled: true
  authorizationEnabled: true

  # Authentication security monitoring
  maxFailuresBeforeLock: 5
  initialLockSeconds: 30
  maxLockSeconds: 900
  failureDecaySeconds: 900
  enableSoftDelay: true
  softDelayMillisPerFailure: 200
  maxSoftDelayMillis: 2000

  config:
    identityProvider: "Encrypted-Auth"
    passwordHandler: "EncryptedPasswordCipher"
    configDirectory: "{{MAPS_DATA}}/.security"
    certificateStore:
      type: JKS
      path: "{{MAPS_DATA}}/.security/authKeystore.jks"
      passphrase: Password
      alias: default
      privateKey.name: default
      privateKey.passphrase: Password

This example uses the built‑in (encrypted) identity provider & password cipher with a local JKS keystore.


How AuthManager Fits With JAAS & Per‑Interface Auth

MAPS separates global auth wiring from per‑interface policy:

  1. AuthManager.yaml (this page)

    • Enables auth/authorization server‑wide.
    • Loads the identity provider, password handler, keystores, and security paths.
  2. JAAS (jaasAuth.config) (optional, when using JAAS providers)

    • Defines login modules (e.g., UsernamePasswordLoginModule, SSLAuthConfig, JWTAuthConfig, PrivateAuthConfig).
    • Each module encapsulates how to authenticate (internal DB, LDAP, OIDC/JWT, mTLS).
  3. SecurityManager.yaml

    • Maps JAAS entries to named realms you reference elsewhere, e.g.:
      SecurityManager:
        - default: PublicAuthConfig
          public: UsernamePasswordLoginModule
          private: PrivateAuthConfig
          admin: MessagingAuthConfig
          anon: PublicAuthConfig
          ssl: SSLAuthConfig
  4. NetworkManager.yaml (per listener/interface)

    • A listener picks a realm by name (from SecurityManager.yaml):
      - name: "MQTT SSL Interface"
        url: "ssl://0.0.0.0:1893/"
        protocol: mqtt, ws
        auth: public
        sasl:
          mechanism: "CRAM-MD5"
          identityProvider: system

This design lets you flip a global switch (AuthManager), define how to auth (JAAS modules), name your auth realms (SecurityManager), and apply them per interface (NetworkManager).