{"id":8169,"date":"2013-02-06T19:00:44","date_gmt":"2013-02-06T17:00:44","guid":{"rendered":"http:\/\/www.javacodegeeks.com\/?p=8169"},"modified":"2013-02-06T06:47:23","modified_gmt":"2013-02-06T04:47:23","slug":"mongodb-authentication","status":"publish","type":"post","link":"https:\/\/www.javacodegeeks.com\/2013\/02\/mongodb-authentication.html","title":{"rendered":"MongoDB Authentication"},"content":{"rendered":"

I recently<\/a> updated mongometer<\/a> to make it a bit more flexible. Shortly after releasing the new version, one of the users fed back an issue via a comment on the post. I booted up my machine, opened up my IDE, found the issue and had pushed the fix out to github<\/a> within half-an-hour. This isn’t a quick turn-around, success story post. It quickly dawned on me that if I was going to do anything in the future with mongometer, I should really know a little more about how a user authenticates against a database within MongoDB. (I don’t want to spend more than an hour or so on this as I’ve just cracked open a bottle of Nyetimber Classic Cuvee – I’m also cooking a chicken pie (ping me if you want the recipe) and I’d rather be finished this post before I finish the bottle.) Before diving into any documentation that may exist around MongoDB Security, I’ll start with a few observations.
\n 
\nSo in typical man style, let’s kick the tyres and then if required, RTFM. Start up a mongod instance.<\/p>\n

$ \/usr\/lib\/mongodb\/2.3.2\/bin\/mongod --port 27001 --fork --dbpath \/data\/db\/2.3.2 --logpath \/data\/db\/2.3.2\/mongod.log\r\n$ .\/mongo --port 27001<\/pre>\n
Create an admin user<\/p>\n
 > use admin\r\n> db.addUser('mongouser','mongopass')\r\n1<\/pre>\n
Restart mongod<\/p>\n
$ sudo kill -15 $(ps -ef | grep mongo | grep -v grep | cut -f8 -d' ')\r\n$ \/usr\/lib\/mongodb\/2.3.2\/bin\/mongod --port 27001 --fork --auth --dbpath \/data\/db\/2.3.2 --logpath \/data\/db\/2.3.2\/mongod.log\r\n$ .\/mongo --port 27001\r\n<\/pre>\n
Authenticate to admin<\/p>\n
 > use admin\r\nswitched to db admin\r\n> db.aut('mongouser','mongopass')\r\nThu Jan 31 13:53:31.271 javascript execution failed (shell):1 TypeError: Property 'aut' of object admin is not a function\r\ndb.aut('mongouser','mongopass')\r\n^ <\/pre>\n
> db.aut('mongouser','mongopass')<\/pre>\n
Ooops. Fat-fingered it. Hang on, I think I’ve found Issue #1<\/p>\n
Issue #1<\/h3>\n
If an admin user mistypes the auth command and not the credentials, then the actual credentials stay in the shell history, which persists across sessions. Any other user could potentially come along and view the shell history and pick the credentials up.<\/p>\n
On the other hand, if the command is correct and either the username or password or both are incorrect, or indeed if the authentication attempts succeeds, then the command is not kept in the history. (The command history for the mongo shell is available in the same way as on a linux box – using the up arrow)<\/p>\n
 > db.auth('mongouser','mongopass0')\r\n{ ok: 0.0, errmsg: 'auth fails' }\r\n0\r\n> db.auth('mongouser0','mongopass0')\r\n{ ok: 0.0, errmsg: 'auth fails' }\r\n0\r\n> db.auth('mongouser0','mongopass')\r\n{ ok: 0.0, errmsg: 'auth fails' }\r\n0 <\/pre>\n
Ok. Let’s authenticate against admin<\/em> and continue.<\/p>\n
> use admin\r\nswitched to db admin\r\n> db.auth('mongouser','mongopass')\r\n1 <\/pre>\n
Oooops. I almost missed one there.<\/p>\n
Issue #2<\/h3>\n
Until the mongod instance is restarted, any user can…<\/p>\n
 > use admin\r\nswitched to db admin\r\n> db.system.users.find()\r\n{ '_id' : ObjectId('510a58c6de50e136190f9ed7'), 'user' : 'mongouser', 'readOnly' : false, 'pwd' : 'c49caa1cb6b287ff6b1deaeeb8f4d149' } <\/pre>\n
…grab the usernames and hashes. So, now that I’ve restarted the mongod instance, any user is going to have to authenticate against admin<\/em> to be able to view the contents of system.users<\/em>. Now, continuing on from entering incorrect credentials, I’m going to launch a dictionary attack and see what happens. Oh dear. Found another issue.
 
<\/div> <\/div><\/p>\n
Issue #3<\/h3>\n
There is no lock-out. I wrote a quick hack to connect to the mongod instance, to switch over to admin<\/em> and attempt to log in. Using a rather large dictionary (with ‘mongopass’ tacked on at the end) I attempted to log in over a million times. This was only a crude single-threaded attempt that took around 17 seconds to complete, but it shows that there is no account lock out. I’m confident I could put together a multi-threaded brute-forcer if required. I’ll need to look into this further to see if there is any brute forcing\/dictionary attack alerting that can be configured or whether there is a lock-out policy that can be applied. I’m not ready to RTFM just yet. Let’s take a closer look at the format of the password in system.users<\/em>.<\/p>\n
 c49caa1cb6b287ff6b1deaeeb8f4d149 <\/pre>\n
That looks like an MD5<\/a> to me. Let’s take a look in the code, which is available to cruise on github<\/a>. Wow! I got luck straight off-the-bat. db.js<\/a> has the following method:<\/p>\n
function _hashPassword(username, password) {\r\nreturn hex_md5(username + ':mongo:' + password);\r\n} <\/pre>\n
With hex_md5 then referencing native_hex_md5 within utils.cpp<\/a>:<\/p>\n
void installGlobalUtils( Scope& scope ) {\r\nscope.injectNative( 'hex_md5' , native_hex_md5 );\r\nscope.injectNative( 'version' , native_version );\r\nscope.injectNative( 'sleep' , native_sleep );\r\ninstallBenchmarkSystem( scope );\r\n}\r\n\r\nstatic BSONObj native_hex_md5( const BSONObj& args, void* data ) {\r\nuassert( 10261, 'hex_md5 takes a single string argument -- hex_md5(string)',\r\nargs.nFields() == 1 && args.firstElement().type() == String );\r\nconst char * s = args.firstElement().valuestrsafe();\r\n\r\nmd5digest d;\r\nmd5_state_t st;\r\nmd5_init(&st);\r\nmd5_append( &st , (const md5_byte_t*)s , strlen( s ) );\r\nmd5_finish(&st, d);\r\n\r\nreturn BSON( '' << digestToString( d ) );\r\n}<\/pre>\n
Time for a quick recap. Just in case you missed anything:<\/p>\n
    \n
  1. the hashing algorithm is MD5<\/a>; my least favourite hashing algorithm.<\/li>\n
  2. the string to be hashed is in the form username + ':mongo:' + password<\/code>; using the same ‘salt’ is non-optimal…<\/li>\n
  3. the string :mongo:<\/code> is global; I’m not really sure why it’s there at all tbh.<\/li>\n<\/ol>\n
    I think this is probably enough to go with for now, else this will turn into a tl;dr and I may exceed my self imposed time constraints. Thinking back to any discussions I had with regards to MongoDB, the same statements always arose within the context of Security.<\/p>\n
      \n
    1. Authentication is off by default.<\/li>\n
    2. MongoDB was always meant to be deployed in a trusted environment<\/li>\n<\/ol>\n
      I have to say that even with authentication on, we still have some gnarly issues. Further, I don’t think a trusted environment<\/em> exists. Right then, time to RTFM with regards to Security. I’m hoping to find a roadmap defined that will deal with the issues stated above or there are already some mitigating steps that can be taken. So, there are some<\/em> Authentication<\/a> features coming out in the near future<\/a>. It looks like the new authentication features are only available under the MongoDB Subscriber Edition<\/strong>, I’m not sure what that means tbh… I also came across this know issue<\/a>, which forms the basis for…<\/p>\n
      Issue #4<\/h3>\n
      ‘if a user has the same password in multiple databases, the hash will be the same on all database. A malicious user could exploit this to gain access on a second database use a different users\u2019 credentials.’ [sic] Let’s break that down.<\/p>\n
      \n
      ‘if a user has the same password in multiple databases, the hash will be the same on all database.’<\/p>\n<\/blockquote>\n
      Yes. Correct. Same username, same password and same ‘salt’ (ie the ‘:mongo:’ string’) equals same hash. OK, cool, let’s move on.<\/p>\n
      \n
      ‘A malicious user could exploit this to gain access on a second database use a different users\u2019 credentials.’ [sic]<\/p>\n<\/blockquote>\n
      A malicious user could exploit this if, and only if they have a non-readonly user on both databases involved.<\/p>\n
      If they only have readonly access, then they cannot list the system.users<\/em> collection. In which case they will never see that the hashes are the same across different databases in the first place. If they are not readonly, then they could list the system.users<\/em> collection and take the hashed passwords offline to crack.<\/p>\n
      You’re going to have to move into cracking territory if the hashes don’t match across databases, in summary:<\/p>\n
        \n
      1. the user<\/em> attribute would have be the same. The odds of different users on different databases having the user<\/em> could be high.<\/li>\n
      2. the pwd<\/em> attribute would have be the same. The odds of different users creating the same pwd<\/em> is probably quite high.<\/li>\n
      3. the ‘salt’ is the same, so it has no real relevance here.<\/li>\n<\/ol>\n
        So the problem here is that a user (that is not readonly) can pull all the password hashes for a given database and take them offline to crack. The malicious user already has the user<\/em> name and the ‘salt’, all they have to find is the password.<\/p>\n
        Conclusions<\/h2>\n
        Issue #1<\/h3>\n
        This one is a bit of a pain tbh. When the command is entered correctly (ignoring whether the credentials are correct or not) the command is not shown in the history. When the command is not entered correctly, then it is difficult to know what to exclude from the command history. I guess you could retrospectively remove commands that resulted in errors (ie invalid commands) that preceded the authentication. That is not a solution…<\/p>\n
        Issue #2<\/h3>\n
        There may be an argument that once the admin user is created in system.users<\/em> in the admin<\/em> database that a restart should be forced.<\/p>\n
        Issue #3<\/h3>\n
        A no-brainer. I’ve written password policies on multiple occasions (what a fun life I live, eh?), account lock-out is password 101.<\/p>\n
        Issue #4<\/h3>\n
        It seems that creating a ‘salt’ (‘:mongo:’) per database would resolve the issue. Looking at the code, it looks like the implementation is a doddle, a quick and easy win. Adding the option to manually set it would be grand. Implementing a unique ‘salt’ under the covers such that users didn’t have to think about it would be equally grand. So, Nyetimber finished, post finished. I’m not saying that there is anything in this post that is new or clever, it’s a cursory glance. I’m not having a go; everything I’ve mentioned is merely observation. I install mongo on almost a daily basis because it’s a great product, I do however like having a balanced view and identifying any elephants in the room. I’d be interested in any feedback.
        \n <\/p>\n
        Reference: <\/em><\/strong>MongoDB Authentication<\/a> from our JCG partner<\/a> Jan Ettles at the Exceptionally exceptional exceptions<\/a> blog.<\/p>\n","protected":false},"excerpt":{"rendered":"
        I recently updated mongometer to make it a bit more flexible. Shortly after releasing the new version, one of the users fed back an issue via a comment on the post. I booted up my machine, opened up my IDE, found the issue and had pushed the fix out to github within half-an-hour. This isn’t …<\/p>\n","protected":false},"author":124,"featured_media":187,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[112,113],"class_list":["post-8169","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-enterprise-java","tag-mongodb","tag-nosql"],"yoast_head":"\nMongoDB Authentication<\/title>\n<meta name=\"description\" content=\"I recently updated mongometer to make it a bit more flexible. Shortly after releasing the new version, one of the users fed back an issue via a comment on\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.javacodegeeks.com\/2013\/02\/mongodb-authentication.html\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"MongoDB Authentication\" \/>\n<meta property=\"og:description\" content=\"I recently updated mongometer to make it a bit more flexible. Shortly after releasing the new version, one of the users fed back an issue via a comment on\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.javacodegeeks.com\/2013\/02\/mongodb-authentication.html\" \/>\n<meta property=\"og:site_name\" content=\"Java Code Geeks\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/javacodegeeks\" \/>\n<meta property=\"article:published_time\" content=\"2013-02-06T17:00:44+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/mongodb-logo.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"150\" \/>\n\t<meta property=\"og:image:height\" content=\"150\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jan Ettles\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@javacodegeeks\" \/>\n<meta name=\"twitter:site\" content=\"@javacodegeeks\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jan Ettles\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2013\\\/02\\\/mongodb-authentication.html#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2013\\\/02\\\/mongodb-authentication.html\"},\"author\":{\"name\":\"Jan Ettles\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/person\\\/eb450557d0e068cddb965109b6e2f0b5\"},\"headline\":\"MongoDB Authentication\",\"datePublished\":\"2013-02-06T17:00:44+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2013\\\/02\\\/mongodb-authentication.html\"},\"wordCount\":1380,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2013\\\/02\\\/mongodb-authentication.html#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/mongodb-logo.jpg\",\"keywords\":[\"MongoDB\",\"NoSQL\"],\"articleSection\":[\"Enterprise Java\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.javacodegeeks.com\\\/2013\\\/02\\\/mongodb-authentication.html#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2013\\\/02\\\/mongodb-authentication.html\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2013\\\/02\\\/mongodb-authentication.html\",\"name\":\"MongoDB Authentication\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2013\\\/02\\\/mongodb-authentication.html#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2013\\\/02\\\/mongodb-authentication.html#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/mongodb-logo.jpg\",\"datePublished\":\"2013-02-06T17:00:44+00:00\",\"description\":\"I recently updated mongometer to make it a bit more flexible. Shortly after releasing the new version, one of the users fed back an issue via a comment on\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2013\\\/02\\\/mongodb-authentication.html#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.javacodegeeks.com\\\/2013\\\/02\\\/mongodb-authentication.html\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2013\\\/02\\\/mongodb-authentication.html#primaryimage\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/mongodb-logo.jpg\",\"contentUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2012\\\/10\\\/mongodb-logo.jpg\",\"width\":150,\"height\":150},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/2013\\\/02\\\/mongodb-authentication.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.javacodegeeks.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Java\",\"item\":\"https:\\\/\\\/www.javacodegeeks.com\\\/category\\\/java\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Enterprise Java\",\"item\":\"https:\\\/\\\/www.javacodegeeks.com\\\/category\\\/java\\\/enterprise-java\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"MongoDB Authentication\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#website\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/\",\"name\":\"Java Code Geeks\",\"description\":\"Java Developers Resource Center\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#organization\"},\"alternateName\":\"JCG\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.javacodegeeks.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#organization\",\"name\":\"Exelixis Media P.C.\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/exelixis-logo.png\",\"contentUrl\":\"https:\\\/\\\/www.javacodegeeks.com\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/exelixis-logo.png\",\"width\":864,\"height\":246,\"caption\":\"Exelixis Media P.C.\"},\"image\":{\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/javacodegeeks\",\"https:\\\/\\\/x.com\\\/javacodegeeks\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.javacodegeeks.com\\\/#\\\/schema\\\/person\\\/eb450557d0e068cddb965109b6e2f0b5\",\"name\":\"Jan Ettles\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/dc8837471d4a8c8b048cbbbf3d14174acbbfd2b851150ec5f098aa2d6deae3de?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/dc8837471d4a8c8b048cbbbf3d14174acbbfd2b851150ec5f098aa2d6deae3de?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/dc8837471d4a8c8b048cbbbf3d14174acbbfd2b851150ec5f098aa2d6deae3de?s=96&d=mm&r=g\",\"caption\":\"Jan Ettles\"},\"sameAs\":[\"http:\\\/\\\/exceptionallyexceptionalexceptions.blogspot.com\\\/\"],\"url\":\"https:\\\/\\\/www.javacodegeeks.com\\\/author\\\/Jan-Ettles\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"MongoDB Authentication","description":"I recently updated mongometer to make it a bit more flexible. Shortly after releasing the new version, one of the users fed back an issue via a comment on","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.javacodegeeks.com\/2013\/02\/mongodb-authentication.html","og_locale":"en_US","og_type":"article","og_title":"MongoDB Authentication","og_description":"I recently updated mongometer to make it a bit more flexible. Shortly after releasing the new version, one of the users fed back an issue via a comment on","og_url":"https:\/\/www.javacodegeeks.com\/2013\/02\/mongodb-authentication.html","og_site_name":"Java Code Geeks","article_publisher":"https:\/\/www.facebook.com\/javacodegeeks","article_published_time":"2013-02-06T17:00:44+00:00","og_image":[{"width":150,"height":150,"url":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/mongodb-logo.jpg","type":"image\/jpeg"}],"author":"Jan Ettles","twitter_card":"summary_large_image","twitter_creator":"@javacodegeeks","twitter_site":"@javacodegeeks","twitter_misc":{"Written by":"Jan Ettles","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.javacodegeeks.com\/2013\/02\/mongodb-authentication.html#article","isPartOf":{"@id":"https:\/\/www.javacodegeeks.com\/2013\/02\/mongodb-authentication.html"},"author":{"name":"Jan Ettles","@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/person\/eb450557d0e068cddb965109b6e2f0b5"},"headline":"MongoDB Authentication","datePublished":"2013-02-06T17:00:44+00:00","mainEntityOfPage":{"@id":"https:\/\/www.javacodegeeks.com\/2013\/02\/mongodb-authentication.html"},"wordCount":1380,"commentCount":0,"publisher":{"@id":"https:\/\/www.javacodegeeks.com\/#organization"},"image":{"@id":"https:\/\/www.javacodegeeks.com\/2013\/02\/mongodb-authentication.html#primaryimage"},"thumbnailUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/mongodb-logo.jpg","keywords":["MongoDB","NoSQL"],"articleSection":["Enterprise Java"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.javacodegeeks.com\/2013\/02\/mongodb-authentication.html#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.javacodegeeks.com\/2013\/02\/mongodb-authentication.html","url":"https:\/\/www.javacodegeeks.com\/2013\/02\/mongodb-authentication.html","name":"MongoDB Authentication","isPartOf":{"@id":"https:\/\/www.javacodegeeks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.javacodegeeks.com\/2013\/02\/mongodb-authentication.html#primaryimage"},"image":{"@id":"https:\/\/www.javacodegeeks.com\/2013\/02\/mongodb-authentication.html#primaryimage"},"thumbnailUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/mongodb-logo.jpg","datePublished":"2013-02-06T17:00:44+00:00","description":"I recently updated mongometer to make it a bit more flexible. Shortly after releasing the new version, one of the users fed back an issue via a comment on","breadcrumb":{"@id":"https:\/\/www.javacodegeeks.com\/2013\/02\/mongodb-authentication.html#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.javacodegeeks.com\/2013\/02\/mongodb-authentication.html"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.javacodegeeks.com\/2013\/02\/mongodb-authentication.html#primaryimage","url":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/mongodb-logo.jpg","contentUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2012\/10\/mongodb-logo.jpg","width":150,"height":150},{"@type":"BreadcrumbList","@id":"https:\/\/www.javacodegeeks.com\/2013\/02\/mongodb-authentication.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.javacodegeeks.com\/"},{"@type":"ListItem","position":2,"name":"Java","item":"https:\/\/www.javacodegeeks.com\/category\/java"},{"@type":"ListItem","position":3,"name":"Enterprise Java","item":"https:\/\/www.javacodegeeks.com\/category\/java\/enterprise-java"},{"@type":"ListItem","position":4,"name":"MongoDB Authentication"}]},{"@type":"WebSite","@id":"https:\/\/www.javacodegeeks.com\/#website","url":"https:\/\/www.javacodegeeks.com\/","name":"Java Code Geeks","description":"Java Developers Resource Center","publisher":{"@id":"https:\/\/www.javacodegeeks.com\/#organization"},"alternateName":"JCG","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.javacodegeeks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.javacodegeeks.com\/#organization","name":"Exelixis Media P.C.","url":"https:\/\/www.javacodegeeks.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2022\/06\/exelixis-logo.png","contentUrl":"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2022\/06\/exelixis-logo.png","width":864,"height":246,"caption":"Exelixis Media P.C."},"image":{"@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/javacodegeeks","https:\/\/x.com\/javacodegeeks"]},{"@type":"Person","@id":"https:\/\/www.javacodegeeks.com\/#\/schema\/person\/eb450557d0e068cddb965109b6e2f0b5","name":"Jan Ettles","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/dc8837471d4a8c8b048cbbbf3d14174acbbfd2b851150ec5f098aa2d6deae3de?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/dc8837471d4a8c8b048cbbbf3d14174acbbfd2b851150ec5f098aa2d6deae3de?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/dc8837471d4a8c8b048cbbbf3d14174acbbfd2b851150ec5f098aa2d6deae3de?s=96&d=mm&r=g","caption":"Jan Ettles"},"sameAs":["http:\/\/exceptionallyexceptionalexceptions.blogspot.com\/"],"url":"https:\/\/www.javacodegeeks.com\/author\/Jan-Ettles"}]}},"_links":{"self":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/posts\/8169","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/users\/124"}],"replies":[{"embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/comments?post=8169"}],"version-history":[{"count":0,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/posts\/8169\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/media\/187"}],"wp:attachment":[{"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/media?parent=8169"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/categories?post=8169"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.javacodegeeks.com\/wp-json\/wp\/v2\/tags?post=8169"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}