Please use the form below to provide your feedback. Because your feedback is valuable to us, the information you submit in this form is recorded in our issue tracking system (JIRA), which is publicly available. You can track the status of your feedback using the ticket number displayed in the dialog once you submit the form.

A newer version of this documentation is available.

View Latest

Authenticating against Couchbase Server

    +
    As well as Role-Based Access Control (RBAC), Couchbase offers connection with Certificate Authentication, and works transparently with LDAP.

    Our Getting Started guide covered the basics for authorizing against a Couchbase cluster, but you may need to use alternative authentication methods such as Certification.

    RBAC

    Our Getting Started guide introduced basic authentication against a Couchbase cluster:

    Cluster cluster = Cluster.connect("127.0.0.1", "username", "password");

    If you need to provide custom options, the same credentials can be supplied to the ClusterOptions:

    Cluster cluster = Cluster.connect("127.0.0.1", clusterOptions("username", "password"));

    Note that this is actually just a convenience overload for the PasswordAuthenticator, which can also be used directly to supply more advanced options.

    PasswordAuthenticator authenticator = PasswordAuthenticator
  .builder()
  .username("username")
  .password("password")
  // enables only the PLAIN authentication mechanism, used with LDAP
  .allowedSaslMechanisms(EnumSet.of(SaslMechanism.PLAIN))
  .build();

Cluster cluster = Cluster.connect("127.0.0.1", clusterOptions(authenticator));

    In this example, the PLAIN authentication mechanism is enabled as well, which is needed if LDAP is enabled on the server side and no TLS encrypted connection is used.

    Unresolved include directive in modules/howtos/pages/sdk-authentication.adoc - include::6.5@sdk:shared:partial$auth-overview.adoc[]

    Unresolved include directive in modules/howtos/pages/sdk-authentication.adoc - include::6.5@sdk:shared:partial$auth-overview.adoc[]

    Authenticating the Java Client by Certificate

    For sample procedures whereby certificates can be generated and deployed, see Manage Certificates. The rest of this document assumes that the processes there, or something similar, have been followed. That is, a cluster certificate has been created and installed on the server, a client certificate has been created, and it is stored in a JVM keystore along with the cluster’s certificate.

    // should be replaced with your actual KeyStore
KeyStore keyStore = loadKeyStore();

CertificateAuthenticator authenticator = CertificateAuthenticator.fromKeyStore(keyStore, "keyStorePassword");
Cluster cluster = Cluster.connect("127.0.0.1", clusterOptions(authenticator));

    In addition to providing the initialized KeyStore directly, the CertificateAuthenticator can also be initialized from a key store path, a key directly or a KeyManagerFactory for maximum flexibility. Please see the API documentation for the CertificateAuthenticator for more details.

    Unresolved include directive in modules/howtos/pages/sdk-authentication.adoc - include::6.5@sdk:shared:partial$auth-overview.adoc[]

    PasswordAuthenticator authenticator = PasswordAuthenticator
  .builder()
  .username("username")
  .password("password")
  // enables only the PLAIN authentication mechanism, used with LDAP
  .allowedSaslMechanisms(EnumSet.of(SaslMechanism.PLAIN))
  .build();

Cluster cluster = Cluster.connect("127.0.0.1", clusterOptions(authenticator));