Wire listener authentication

The wire listener uses an MD5-hash mechanism to verify that applications are a trusted source of messages.

The wire listener connects with a proxy user to the database. The proxy user must have DBADM privileges.

When the incoming message from a client application is authenticated by the wire listener, the listener submits the request to the database with a proxy user connection. The proxy user must have JSON collection manager and JSON document user roles for all JSON collections that should be accessible with this wire listener.

The application must authenticate users. It accepts a user ID and, if applicable, a password. Applications might accept unauthenticated users, in which case the application must ensure that such users can run only approved queries.

The wire listener keeps a registration file on the host, which contains a list of registered applications and their MD5-hash tokens. These tokens might be per application, per application and schema, or a single token per wire listener. The JSON administrator maintains this registration file by using a wire listener script. Access to the registration file is controlled by operating system security, so that only users with access to the system and read or write access to the directory can work with the file.

The application sends messages with the user queries to the wire listener. The application must know the connection information (host, port) and have a valid token for the listener. The token is exchanged between the application manager and the wire listener manager. The application then sends the application ID or token by using the user ID and MD5-hash mechanism in the message that is otherwise used for the user ID or password.

The wire listener authenticates the application user ID only once, rather than for every message it receives from the application for that user. If the application switches the user ID, the new user ID is authenticated again by the wire listener.
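The following Python model is an added illustration and is not code from the product documentation; it does not reproduce the real registration file format or wire protocol. It shows the pieces described above: a registration file holding MD5-hash tokens, the token lookup order (per application and schema, per application, then a single listener-wide token), a constant-time comparison of the presented token, and the rule that a user ID is checked once and re-checked only when the application switches user ID. All application names, the `app_id:token` line format, the `*` listener-wide key, and the secrets are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed application secrets (hypothetical; exchanged out of band in practice).
ORDERS_SECRET = "orders-app-secret-value"
REPORTS_SECRET = "reports-app-secret-value"
LISTENER_SECRET = "listener-wide-secret-value"


def md5_token(secret: str) -> str:
    """MD5 hex digest of an application secret: the form kept in the registry."""
    return hashlib.md5(secret.encode("utf-8")).hexdigest()


# Constructed registration file contents (hypothetical "key:md5_hex_token" format).
# Keys may be "app", "app/schema", or "*" for a single listener-wide token.
REGISTRATION_TEXT = "\n".join(
    [
        "# registered applications (constructed sample)",
        f"orders-app:{md5_token(ORDERS_SECRET)}",
        f"reports-app/finance:{md5_token(REPORTS_SECRET)}",
        f"*:{md5_token(LISTENER_SECRET)}",
    ]
)


def parse_registration(text: str) -> Dict[str, str]:
    """Parse the registry; reject malformed lines so a bad edit fails loudly."""
    registry: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, token = line.partition(":")
        if not sep or not key or len(token) != 32:
            raise ValueError(f"malformed registration entry on line {lineno}")
        registry[key] = token.lower()
    return registry


@dataclass
class Listener:
    registry: Dict[str, str]
    # user ID already authenticated per application connection
    authenticated: Dict[str, str] = field(default_factory=dict)
    auth_checks: int = 0

    def lookup_token(self, app_id: str, schema: Optional[str]) -> Optional[str]:
        """Most specific registration wins: app/schema, then app, then '*'."""
        candidates = [app_id, "*"]
        if schema:
            candidates.insert(0, f"{app_id}/{schema}")
        for key in candidates:
            if key in self.registry:
                return self.registry[key]
        return None

    def authenticate(self, app_id: str, schema: Optional[str], presented: str) -> bool:
        """Compare in constant time so token mismatches leak no timing signal."""
        self.auth_checks += 1
        expected = self.lookup_token(app_id, schema)
        if expected is None or len(presented) != 32:
            return False
        return hmac.compare_digest(expected, presented.lower())

    def handle_message(self, app_id: str, schema: Optional[str], token: str,
                       user_id: str, query: str) -> Optional[str]:
        """Authenticate once per user ID; a switched user ID triggers a new check."""
        if self.authenticated.get(app_id) != user_id:
            if not self.authenticate(app_id, schema, token):
                self.authenticated.pop(app_id, None)
                return None
            self.authenticated[app_id] = user_id
        # The listener itself connects as the proxy user on the user's behalf.
        return f"proxy user runs {query!r} for {user_id} via {app_id}"


if __name__ == "__main__":
    listener = Listener(parse_registration(REGISTRATION_TEXT))
    tok = md5_token(ORDERS_SECRET)
    print(listener.handle_message("orders-app", None, tok, "alice", "find"))
    print(listener.handle_message("orders-app", None, tok, "alice", "count"))
    print("checks so far:", listener.auth_checks)
```

Note that the registry stores only hashes, but the token an application presents is the same value on every message, so anyone able to read the traffic can replay it; the model's constant-time compare protects the registry lookup, not the wire.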

The application and wire listener must be behind a firewall to prevent external snooping.
Remember: If a malicious user has access inside the firewall, they can use a network sniffer to snoop the message exchanges between the application and the wire listener, including the token, and can get access to the JSON data included in these messages.