Customizing the FIX logon process in a QuickFIX acceptor

Question

I'm using QuickFIX and C# to create a FIX acceptor (server). I want the client (the FIX initiator) to logon using a username and password. However, I'm not sure how I can do that in QuickFIX.

By debugging into the QuickFIX source code I have discovered the following sequence of events:

• QuickFIX will call Session::verify to verify the logon.
• Session::verify will perform various checks of things like comp ID's and sequence numbers and at some point determine that the logon received is valid.
• Session::verify will then call the Application::fromAdmin callback which I assume is the natural place to customize things like logon.
• However, at this point the logon has already been determined to be OK by QuickFIX and a corresponding logon message will be returned by the acceptor when the callback returns.

How do I customize the FIX logon process in an acceptor? Is modifying the QuickFIX code my only option?

Answer 1

If you are using FIX 4.3 or later, the Logon message can have a Password tag. If you are using a previous version, make it a custom tag and add it to the dictionaries.

In the fromAdmin handler, check that the password is correct (from a lookup table or elsewhere). If it is not, throw a RejectLogon exception. If this exception isn't thrown, QuickFix will assume everything is a-ok and log the user on.

Example (needs more sanity checks):

public void fromAdmin(Message message, SessionID id)
{
   var logon = message as QuickFix44.Logon;

   if (logon != null)
   {
      string userName = logon.getUserName().getValue();
      string expectedPassword = PasswordsByUser[userName];

      string suppliedPassword = logon.getPassword().getValue();

      if(expectedPassword != suppliedPassword)
          throw new RejectLogon();
   }     
}

Answer 2

fromAdmin notifies you when an administrative message is sent from a counterparty to your FIX engine. This can be usefull for doing extra validation on logon messages such as for checking passwords. Throwing a RejectLogon exception will disconnect the counterparty.

Session verification generally ckecks for the FIX Begin String, SenderCompID and target CompID. If this 3 are fine then session is set up(QuickFIXJ has other fields also for subcomp ids).

Even after Session has been set up messages wouldn't be accepted at the acceptor, for that specific session, till logon process has been completed. You will get a reject if you try so.

So in fromAdmin you can check for the incoming logon message request and check for the valid password, contained in the logon message, you expect for that connection/session.

Answer 3

Throwing a RejectLogon QuickFIXException breaks the whole code and interrupts the rest of the sessions (if you do have more than one). In my own case, I compose a logout message and have it sent back to the counterparty. Code would be something like this:

public void fromAdmin(Message message, SessionID id)
{
   var logon = message as QuickFix44.Logon;

   if (logon != null)
   {
      string userName = logon.getUserName().getValue();
      string expectedPassword = PasswordsByUser[userName];

      string suppliedPassword = logon.getPassword().getValue();

      if(expectedPassword != suppliedPassword)
          {
                Message _logoutmess = new Message();
                _logoutmess.Header.SetField(new MsgType() { Tag = 35, Obj = "5" });
                _logoutmess.SetField(new Text("Invalid credentials"));
                Session.SendToTarget(_logoutmess, id);
          }
   }     
}