SASL Authentication

RabbitMQ has pluggable support for various SASL authentication mechanisms. There are three such mechanisms built into the server: PLAIN, AMQPLAIN, and RABBIT-CR-DEMO, and one - EXTERNAL - available as a plugin. You can also implement your own authentication mechanism by implementing the rabbit_auth_mechanism behaviour in a plugin.

Built-in mechanisms

The three built-in mechanisms are:

Server configuration

The configuration variable auth_mechanisms in the rabbit application determines which of the installed mechanisms are offered to connecting clients. This variable should be a list of atoms corresponding to mechanism names, for example [‘PLAIN’, 'AMQPLAIN’] by default. The server-side list is not considered to be in any particular order. See the configuration file documentation.

Client configuration

Java

The Java client does not use the javax.security.sasl package by default since this can be unpredictable on non-Oracle JDKs and is missing entirely on Android. There is a RabbitMQ-specific SASL implementation, configured by the SaslConfig interface. A class DefaultSaslConfig is provided to make SASL configuration more convenient in the common case. A class JDKSaslConfig is provided to act as a bridge to javax.security.sasl.

See ConnectionFactory.getSaslConfig() and ConnectionFactory.setSaslConfig(SaslConfig)

Erlang

The Erlang client provides its own SASL mechanism implementations in the amqp_auth_mechanisms module. The #amqp_params{} record can be provided with a list of authentication functions in preference order for network connections.

.Net

The .Net client provides its own SASL mechanism implementations based on the AuthMechanism and AuthMechanismFactory interfaces. The ConnectionFactory.AuthMechanisms property is a list of authentication mechanism factories in preference order.