Adapter for the Trusted authentication framework that bases authentication on HTTP headers
Developed by: Denis Gervalle

License: GNU Lesser General Public License 2.1
Installable with the Extension Manager


Provides XWiki authentication by trusting HTTP Headers and getting information about new users from those same headers.

This authenticator has the following specific behavior:

  • getUserId(): checks and verifies the secret_field HTTP header against the secret_value and, on success, returns the value of the auth_field HTTP header
  • getUserName(): returns the value of the id_field HTTP header
  • getUserProperty(): returns the value of the HTTP header having the given name
  • isUserInRole(): returns true if the group_field HTTP header, split by the group_value_separator, contains the given name

Specific configuration

#-# Define the hint of the HeadersTrustedAuthenticationAdapter to be used for providing the effective
#-# trusted authentication.

#-# Name of the header field used to check for the authentication of a user.
#-# The content of this field must not be empty for this authenticator to proceed, and it will be written
#-# to the debugging log. But no real use of this header value is made by the authenticator.
#-# The default is to use the REMOTE_USER header.
# xwiki.authentication.trusted.auth_field=remote_user

#-# Name of the header field holding the UserID of the authenticated user.
#-# This name will be used as the unique user name. It will be transformed to lowercase, and it will be
#-# cleaned by replacing dots (.) with equal signs (=), and replacing at signs (@) with underscores (_).
#-# For example john.doe@example.com will become john=doe_example=com.
#-# The default is to use the REMOTE_USER header.
# xwiki.authentication.trusted.id_field=remote_user

#-# Name of a header field containing a shared secret value.
#-# While not mandatory, this field is highly recommended to properly verify that headers have not been forged.
#-# If not set, a warning will remind you in the log, since this is really a risky situation.
# xwiki.authentication.trusted.secret_field=

#-# The shared secret that should match the content of the shared secret header field.
# xwiki.authentication.trusted.secret_value= (no default, only used when set)

#-# Name of a header field holding the list of groups the user is a member of.
#-# If not configured, no group synchronization is provided.
# xwiki.authentication.trusted.group_field=

#-# A separator used to split the list of groups into group names.
#-# Defaults to the pipe character.
# xwiki.authentication.trusted.group_value_separator=|
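
The following Python sketch models the behaviour and configuration described above so the effect of the shared secret can be checked on sample requests. It is an added example, not the extension's own code. The header names x-proxy-secret and x-groups, the sample values and the constant-time comparison are assumptions made for illustration.

```python
import hmac

# Defaults as documented in the configuration comments on this page.
DEFAULTS = {"auth_field": "remote_user", "id_field": "remote_user",
            "secret_field": "", "secret_value": "",
            "group_field": "", "group_value_separator": "|"}


def clean_user_id(raw):
    """Lowercase, then replace '.' with '=' and '@' with '_' (documented rule)."""
    return raw.lower().replace(".", "=").replace("@", "_")


def evaluate(headers, config):
    """Return (user, groups, warnings); user is None when the request is refused."""
    cfg = {**DEFAULTS, **config}
    # HTTP header names are case-insensitive, so normalise them once.
    hdrs = {name.lower(): value for name, value in headers.items()}
    warnings = []
    if cfg["secret_field"] and cfg["secret_value"]:
        presented = hdrs.get(cfg["secret_field"].lower(), "")
        # Constant-time comparison is this sketch's choice, not a documented detail.
        if not hmac.compare_digest(presented.encode(), cfg["secret_value"].encode()):
            return None, [], ["shared secret missing or wrong: headers not trusted"]
    else:
        warnings.append("no shared secret configured: forged headers are accepted")
    # auth_field only has to be non-empty for the authenticator to proceed.
    if not hdrs.get(cfg["auth_field"].lower()):
        return None, [], warnings + ["auth_field header empty"]
    user = clean_user_id(hdrs.get(cfg["id_field"].lower(), ""))
    if not user:
        return None, [], warnings + ["id_field header empty"]
    groups = []
    if cfg["group_field"]:
        raw = hdrs.get(cfg["group_field"].lower(), "")
        groups = [g for g in raw.split(cfg["group_value_separator"]) if g]
    return user, groups, warnings


# Constructed sample data; x-proxy-secret and x-groups are hypothetical header names.
CFG = {"secret_field": "x-proxy-secret", "secret_value": "constructed-secret",
       "group_field": "x-groups"}
FROM_TRUSTED = {"Remote_User": "John.Doe@example.com", "X-Groups": "staff|wiki-admins",
                "X-Proxy-Secret": "constructed-secret"}
DIRECT = {"Remote_User": "admin@example.com", "X-Groups": "wiki-admins"}  # no secret

if __name__ == "__main__":
    print(evaluate(FROM_TRUSTED, CFG))                    # accepted, no warnings
    print(evaluate(DIRECT, CFG))                          # refused
    print(evaluate(DIRECT, {"group_field": "x-groups"}))  # accepted, with a warning
```

The third call shows why the configuration comments call an unset secret_field a risky situation: without it, any client that can reach XWiki directly decides its own user name and groups.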

Tested on

This extension has been tested with the following configurations.

Extension Version | XWiki Flavor | Notes
1.0.2 | XWiki Enterprise 5.4.1 or later |

Installation using the Extension Manager requires XWiki 6.1 or later.

Prerequisites & Installation Instructions

We recommend using the Extension Manager to install this extension (make sure that the text "Installable with the Extension Manager" is displayed at the top right of this page to know whether this extension can be installed with the Extension Manager). Note that installing extensions while offline is currently not supported, and you would need to use a complex manual method.

You can also use the manual method which involves dropping the JAR file and all its dependencies into the WEB-INF/lib folder and restarting XWiki.

Release Notes


  • Closed TRUSTAUTH-3 IsUserInRole() always return false in the header adapter


  • Closed TRUSTAUTH-1 Installing the header adapter cause a failure at XWiki startup


Dependencies for this extension (org.xwiki.contrib.authentication:xwiki-authenticator-trusted-headers 1.1):

Created by Denis Gervalle on 2016/01/18 16:08
