Replacing functionality provided by deprecated AccessManager

The AccessManager and AccessManagerAdapter interface/implementation have been deprecated in 1.6 and replaced with various, more flexible mechanisms that can achieve the same behaviour. Follow the instructions for each method you previously implemented in your 1.4.x or 1.6.x server.


public boolean canConnect(String username);

This has no direct replacement. It was called during authentication and as such can easily be reproduced by denying authentication from your AuthenticationProvider implementations.


public boolean canConnect(SocketAddress remoteAddress, SocketAddress localAddress);

Create an extension of com.maverick.sshd.IPPolicy overriding the method. Then set an instance of this class on the SshContext using setIPPolicy.

protected boolean assertConnection(SocketAddress remoteAddress, SocketAddress localAddress) {



public boolean canOpenChannel(String sessionid, String username, Channel channel);

 There is no direct replacement for this method. Use the ChannelFactory to control what channels a user has access to.


public boolean canStartShell(String sessionid, String username);

public boolean canExecuteCommand(String sessionid, String username, String cmd);

public boolean canStartSubsystem(String sessionid, String username, String subsystem);

The methods above have been replaced by a com.maverick.sshd.ShellPolicy object. If you simply want to disable one of the session types then you can use the default ShellPolicy installed on the SshContext and call the following:

// Removes the ability to use the 'execute command' mechanism

// Removes the ability to start a shell

// Removes the ability to start a subsysystem (i.e. SFTP)


If you want complete flexibility over what commands are executed and by whom you can create an extension of ShellPolicy implementing the following method:

protected boolean assertPermission(Connection con, int perm, String... args) {

   // The parameter 'perm' represents the type of permission from ShellPolicy.SHELL, ShellPolicy.EXEC or
   // ShellPolicy.SUBSYSTEM with the parameter 'args' providing any command or subsystem values


public boolean canForward(String sessionid, String username, ForwardingChannel channel, boolean isLocal);

public boolean canListen(String sessionid, String username, String bindAddress, int bindPort);


These methods  have been replaced by a com.maverick.sshd.ForwardingPolicy object that provides greater control over the forwarding mechanism. 

By default this ForwardingPolicy allows local forwarding to any location and remote forwarding strictly from the localhost interface on the server. Gateway forwarding where the server allows other interfaces and as such other external hosts to connect to forwarding interfaces and utilise remote forwarding configurations. If you want to allow gateway forwarding you can enable this by calling the allowGatewayForwarding method


You can also restrict local forwarding from the client to specific hosts on the server network. To do this you should add one or more host rules using the methods


Once a host forwarding has been granted, only forwarding that have been explicitly granted using this method will be allowed. If you pass just a hostname then any port will be accessible. You can further refine the ports accessible by passing values in the <hostname>:<port> format. For example the following configuration only allows forwarding to the HTTP, HTTPS ports.


If you want to revoke a forwarding granted, you can call 


 To remove all forwarding options use


 public String[] getRequiredAuthentications(String sessionid, String username);

 This method has moved to the AuthenticationMechanismFactory, now taking a single parameter Connection argument. 


Have more questions? Submit a request


Please sign in to leave a comment.