Anchor authentication authentication
<authentication>element instructs the MQTT server on whether clients should always send credentials when establishing a connection. Possible values are as follows:
This is the default value. If an MQTT client sends credentials, the server will validate them. If the client does not send credentials, the server will allow the client to establish the connection without authentication. This behavior adheres to the MQTT 3.1 specification.
If the MQTT client doesn't send credentials or if the credentials are invalid, the server will reject the connection. Note that if authentication is REQUIRED, the permissions linked to the credentials may also be checked depending on the value specified for <authorization> element.
<authenticator>element specifies the class that implements authentication. By default, the
org.wso2.carbon.andes.authentication.andes.CarbonBasedMQTTAuthenticatorclass is enabled, which authenticates the user's credentials against the carbon user store.
If required, you can disable the default authenticator and enable the
org.wso2.carbon.andes.authentication.andes.OAuth2BasedMQTTAuthenticatorauthenticator class as shown below. This class enables OAuth-based authentication and authorization for MQTT.
Code Block language xml
<mqtt enabled="true"> .............. <security> ......... <authenticator class="org.wso2.carbon.andes.authentication.andes.OAuth2BasedMQTTAuthenticator"> <property name="hostURL">https://localhost:9443/services/OAuth2TokenValidationService</property> <property name="username">admin</property> <property name="password">admin</property> <property name="maxConnectionsPerHost">10</property> <property name="maxTotalConnections">150</property> </authenticator> ...... </security> </mqtt>
Anchor authorization authorization
<authorization>element instructs the MQTT server on whether clients should have permission to publish messages to the broker or to subscribe to the broker. Possible values are as follows:
This is the default value. The MQTT client does not require permission for the purpose of publishing messages or to subscribe.
The permissions granted to the MQTT client will be checked before allowing the client to publish messages. This check will execute the class given in the
<authorizer>element that is explained below. Note that the
<authentication>element should be set to REQUIRED for authorization to be REQUIRED.
Anchor authorizer authorizer
<authorizer>element specifies the permissions required by a user to connect to the broker. This is applicable if the
<authorization>element is set to REQUIRED.
Code Block language xml
<mqtt enabled="true"> .............. <security> ........ <authorizer class="org.wso2.carbon.andes.authorization.andes.CarbonPermissionBasedMQTTAuthorizer"> <property name="connectionPermission">/permission/admin/mqtt/connect</property> </authorizer> </security> </mqtt>