Docs Menu
Docs Home
/
Languages
/
Scala
/
Scala
/
Security

Authentication Mechanisms

On this page

  • MongoCredential
  • Default Authentication Mechanism
  • SCRAM-Based Mechanisms
  • SCRAM-SHA-256
  • SCRAM-SHA-1
  • x.509

The Scala driver supports all MongoDB authentication mechanisms, including those available only in the MongoDB Enterprise Edition.

MongoCredential

An authentication credential is represented as an instance of the MongoCredential class. The MongoCredential class includes static factory methods for each of the supported authentication mechanisms.

Default Authentication Mechanism

In MongoDB 3.0, MongoDB changed the default authentication mechanism from MONGODB-CR to SCRAM-SHA-1. In MongoDB 4.0, support for the deprecated MONGODB-CR mechanism was removed and SCRAM-SHA-256 support was added.

To create a credential that authenticates by using the default authentication mechanism, regardless of server version, create a credential by using the createCredential() static factory method:

val user = "<username>"     // the username
val source = "<source>"     // the source where the user is defined
val password = ...          // the password as a character array
val credential = MongoCredential.createCredential(user, source, password)
val mongoClient = MongoClient(MongoClientSettings
    .builder()
    .applyToClusterSettings(builder =>
        builder.hosts(Collections.singletonList(ServerAddress("localhost", 27017))))
    .credential(credential)
    .build())

Or, you can use a connection string without explicitly specifying the authentication mechanism:

val mongoClient = MongoClient("mongodb://user1:pwd1@host1/?authSource=db1")

For challenge and response mechanisms, we recommend using the default authentication mechanism. This approach simplifies upgrading from MongoDB 2.6 to MongoDB 3.0, even after upgrading the authentication schema. For MongoDB 4.0 users, we also recommend the default authentication mechanism because it checks the mechanisms and uses the correct hashing algorithm.

SCRAM-Based Mechanisms

Salted Challenge-Response Authentication Mechanism (SCRAM) has been the default authentication mechanism for MongoDB since 3.0. SCRAM is based on the IETF RFC 5802 standard that defines best practices for implementation of challenge-response mechanisms for authenticating users with passwords.

MongoDB 3.0 introduced support for SCRAM-SHA-1, which uses the SHA-1 hashing function. MongoDB 4.0 introduced support for SCRAM-SHA-256 which uses the SHA-256 hashing function.

SCRAM-SHA-256

Using this mechanism requires MongoDB 4.0 and featureCompatibilityVersion to be set to 4.0.

To explicitly create a credential of type SCRAM-SHA-256, use the createScramSha256Credential() method:

val user = "<username>"     // the username
val source = "<source>"     // the source where the user is defined
val password = ...          // the password as a character array
val credential = MongoCredential.createScramSha256Credential(user, source, password)
val mongoClient = MongoClient(MongoClientSettings
    .builder()
    .applyToClusterSettings(builder =>
        builder.hosts(Collections.singletonList(ServerAddress("localhost", 27017))))
    .credential(credential)
    .build())

Or, you can use a connection string that explicitly specifies authMechanism=SCRAM-SHA-256:

val mongoClient = MongoClient("mongodb://user1:pwd1@host1/?authSource=db1&authMechanism=SCRAM-SHA-256")

SCRAM-SHA-1

To explicitly create a credential of type SCRAM-SHA-1, use the createScramSha1Credential() method:

val user = "<username>"     // the username
val source = "<source>"     // the source where the user is defined
val password = ...          // the password as a character array
val credential = MongoCredential.createScramSha1Credential(user, source, password)
val mongoClient = MongoClient(MongoClientSettings
    .builder()
    .applyToClusterSettings(builder =>
        builder.hosts(Collections.singletonList(ServerAddress("localhost", 27017))))
    .credential(credential)
    .build())

Or, you can use a connection string that explicitly specifies authMechanism=SCRAM-SHA-1:

val mongoClient = MongoClient("mongodb://user1:pwd1@host1/?authSource=db1&authMechanism=SCRAM-SHA-1")

x.509

With the x.509 mechanism, MongoDB uses the x.509 certificate presented during SSL negotiation to authenticate a user whose name is derived from the distinguished name of the x.509 certificate.

x.509 authentication requires the use of SSL connections with certificate validation. To create a credential of this type use the createMongoX509Credential() static factory method:

val credential = MongoCredential.createMongoX509Credential()
val mongoClient = MongoClient(MongoClientSettings
    .builder()
    .applyToClusterSettings(builder =>
        builder.hosts(Collections.singletonList(ServerAddress("localhost", 27017))))
    .credential(credential)
    .build())

Or, you can use a connection string that explicitly specifies authMechanism=MONGODB-X509:

val mongoClient = MongoClient("mongodb://subjectName@host1/?authMechanism=MONGODB-X509&ssl=true")

See the Use x.509 Certificates to Authenticate Clients tutorial in the Server manual to learn more about using x.509 certificates in your application.

Back

Security

Next

In-Use Encryption