Authentication
On this page
The driver supports all MongoDB authentication mechanisms, including those available only in the MongoDB Enterprise Edition.
MongoCredential
Include the following import statements:
import com.mongodb.MongoCredential; import com.mongodb.ConnectionString; import com.mongodb.reactivestreams.client.MongoClients; import com.mongodb.reactivestreams.client.MongoClient;
An authentication credential is represented as an instance of the
MongoCredential class. The MongoCredential class includes
static factory methods for each of the supported authentication
mechanisms.
Default Authentication Mechanism
In MongoDB 3.0, MongoDB changed the default authentication mechanism
from MONGODB-CR to SCRAM-SHA-1. In MongoDB 4.0, support for
the deprecated MONGODB-CR mechanism was removed and SCRAM-
SHA-256 support was added.
To create a credential that authenticates by using the default
authentication mechanism, regardless of server version, create a
credential by using the createCredential() static factory method:
String user; // the user name String source; // the source where the user is defined char[] password; // the password as a character array // ... MongoCredential credential = MongoCredential.createCredential(user, source, password); MongoClient mongoClient = MongoClients.create( MongoClientSettings.builder() .applyToClusterSettings(builder -> builder.hosts(Arrays.asList(new ServerAddress("host1", 27017)))) .credential(credential) .build());
Or, you can use a connection string without explicitly specifying the authentication mechanism:
MongoClient mongoClient = MongoClients.create("mongodb://user1:pwd1@host1/?authSource=db1");
For challenge and response mechanisms, using the default authentication mechanism is the recommended approach, as it makes upgrading from MongoDB 2.6 to MongoDB 3.0 more simple, even after upgrading the authentication schema. For MongoDB 4.0 users, using the default authentication mechanism is also recommended as the mechanisms are checked and the correct hashing algorithm is used.
SCRAM-Based Mechanisms
Salted Challenge-Response Authentication Mechanism (SCRAM) has been
the default authentication mechanism for MongoDB since 3.0. SCRAM is
based on the IETF RFC 5802 standard that defines
best practices for implementation of challenge-response mechanisms for authenticating
users with passwords.
MongoDB 3.0 introduced support for SCRAM-SHA-1, which uses the
SHA-1 hashing function. MongoDB 4.0 introduced support for SCRAM-
SHA-256 which uses the SHA-256 hashing function.
SCRAM-SHA-256
Using this mechanism requires MongoDB 4.0 and
featureCompatibilityVersion to be set to 4.0.
To explicitly create a credential of type SCRAM-SHA-256, use
the createScramSha256Credential() method:
String user; // the user name String source; // the source where the user is defined char[] password; // the password as a character array // ... MongoCredential credential = MongoCredential.createScramSha256Credential(user, source, password); MongoClient mongoClient = MongoClients.create( MongoClientSettings.builder() .applyToClusterSettings(builder -> builder.hosts(Arrays.asList(new ServerAddress("host1", 27017)))) .credential(credential) .build());
Or, you can use a connection string that explicitly specifies
authMechanism=SCRAM-SHA-256:
MongoClient mongoClient = MongoClients.create("mongodb://user1:pwd1@host1/?authSource=db1&authMechanism=SCRAM-SHA-256");
SCRAM-SHA-1
To explicitly create a credential of type SCRAM-SHA-1, use the
createScramSha1Credential() method:
String user; // the user name String source; // the source where the user is defined char[] password; // the password as a character array // ... MongoCredential credential = MongoCredential.createScramSha1Credential(user, source, password); MongoClient mongoClient = MongoClients.create( MongoClientSettings.builder() .applyToClusterSettings(builder -> builder.hosts(Arrays.asList(new ServerAddress("host1", 27017)))) .credential(credential) .build());
Or, you can use a connection string that explicitly specifies
authMechanism=SCRAM-SHA-1:
MongoClient mongoClient = MongoClients.create("mongodb://user1:pwd1@host1/?authSource=db1&authMechanism=SCRAM-SHA-1");
MONGODB-CR
Important
Starting in version 4.0, MongoDB removes support for the deprecated
MongoDB Challenge-Response (MONGODB-CR) authentication mechanism.
If your deployment has user credentials stored in a MONGODB-CR schema,
you must upgrade to use a SCRAM-based mechanism before you
upgrade to version 4.0.
To explicitly create a credential of type MONGODB-CR use the
createMongCRCredential() static factory method:
String user; // the user name String database; // the name of the database in which the user is defined char[] password; // the password as a character array // ... MongoCredential credential = MongoCredential.createMongoCRCredential(user, database, password); MongoClient mongoClient = MongoClients.create( MongoClientSettings.builder() .applyToClusterSettings(builder -> builder.hosts(Arrays.asList(new ServerAddress("host1", 27017)))) .credential(credential) .build());
Or, you can use a connection string that explicitly specifies
authMechanism=MONGODB-CR:
MongoClient mongoClient = MongoClients.create("mongodb://user1:pwd1@host1/?authSource=db1&authMechanism=MONGODB-CR");
Note
After you upgrade the authentication schema from MONGODB-CR to SCRAM,
MONGODB-CR credentials will fail to authenticate.
X.509
With the X.509 mechanism, MongoDB uses the X.509 certificate presented
during SSL negotiation to authenticate a user whose name is derived
from the distinguished name of the X.509 certificate.
X.509 authentication requires the use of SSL connections with
certificate validation. To create a credential of this type use the
createMongoX509Credential() static factory method:
String user; // The X.509 certificate derived user name, e.g. "CN=user,OU=OrgUnit,O=myOrg,..." // ... MongoCredential credential = MongoCredential.createMongoX509Credential(user); MongoClient mongoClient = MongoClients.create( MongoClientSettings.builder() .applyToClusterSettings(builder -> builder.hosts(Arrays.asList(new ServerAddress("host1", 27017)))) .credential(credential) .build());
Or, you can use a connection string that explicitly specifies
authMechanism=MONGODB-X509:
MongoClient mongoClient = MongoClients.create("mongodb://subjectName@host1/?authMechanism=MONGODB-X509&ssl=true");
See the Use x.509 Certificates to Authenticate Clients tutorial in the Server manual to learn more about determining the subject name from the certificate.
Kerberos (GSSAPI)
MongoDB Enterprise supports proxy authentication through the Kerberos
service. To create a credential of type Kerberos (GSSAPI), use the
createGSSAPICredential() static factory method:
String user; // The Kerberos user name, including the realm, e.g. "user1@MYREALM.ME" // ... MongoCredential credential = MongoCredential.createGSSAPICredential(user); MongoClient mongoClient = MongoClients.create( MongoClientSettings.builder() .applyToClusterSettings(builder -> builder.hosts(Arrays.asList(new ServerAddress("host1", 27017)))) .credential(credential) .build());
Or, you can use a connection string that explicitly specifies
authMechanism=GSSAPI:
MongoClient mongoClient = MongoClients.create("mongodb://username%40REALM.ME@host1/?authMechanism=GSSAPI");
Note
The method refers to the GSSAPI authentication mechanism instead of
Kerberos because the driver authenticates by using the GSSAPI SASL mechanism.
To successfully authenticate by using Kerberos, the application typically must specify several system properties so that the underlying GSSAPI Java libraries can acquire a Kerberos ticket:
java.security.krb5.realm=MYREALM.ME java.security.krb5.kdc=mykdc.myrealm.me
Depending on the Kerberos setup, additional property specifications
might be required, either within the application code or, in some cases,
by using the withMechanismProperty() method of the MongoCredential
instance:
SERVICE_NAMECANONICALIZE_HOST_NAMEJAVA_SUBJECTJAVA_SASL_CLIENT_PROPERTIES
The following code shows how to specify the SERVICE_NAME property within the
MongoCredential object:
credential = credential.withMechanismProperty(MongoCredential.SERVICE_NAME_KEY, "othername");
Or, you can specify the SERVICE_NAME property within the ConnectionString:
uri = "mongodb://username%40MYREALM.com@myserver/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:othername"
LDAP (PLAIN)
MongoDB Enterprise supports proxy authentication through a
Lightweight Directory Access Protocol (LDAP) service. To create a
credential of type LDAP use the createPlainCredential() static
factory method:
String user; // The LDAP user name char[] password; // The LDAP password // ... MongoCredential credential = MongoCredential.createPlainCredential(user, "$external", password); MongoClient mongoClient = MongoClients.create( MongoClientSettings.builder() .applyToClusterSettings(builder -> builder.hosts(Arrays.asList(new ServerAddress("host1", 27017)))) .credential(credential) .build());
Or, you can use a connection string that explicitly specifies
authMechanism=PLAIN:
MongoClient mongoClient = MongoClients.create("mongodb://user1@host1/?authSource=$external&authMechanism=PLAIN");
Note
The method refers to the PLAIN authentication mechanism instead of
LDAP because the driver authenticates by using the PLAIN
SASL mechanism.