Trusted authentication framework

Last modified by Denis Gervalle on 2017/10/16 00:10

cogA generic XWiki authentication service based on pluggable adapters to provide trusted authentication from external sources
TypeJAR
Developed by

Denis Gervalle

Active Installs9
Rating
Rate!
0 Votes
LicenseGNU Lesser General Public License 2.1
Installable with the Extension Manager

Description

A generic XWiki authentication service based on pluggable adapters to provide trusted authentication from external sources.

Report any bug or suggest new feature in JIRA TRUSTAUTH project

This extension bridge the old XWikiAuthService with the new component architecture of XWiki. It is oriented to ease the development of trusted authenticators by using configurable adapter components, that bridge the effective trusted authentication with a generic authenticator. Out of the box, you get user creation, configurable user properties synchronization and group membership synchronization.

Some default adapters will be provided over time, actually starting with a reimplementation of the headers authenticator.

Trusted authenticator API

The general behavior of the trusted authentication is:

  • If persistent store is trusted and not null, return the already authenticated user
  • getUserId() from the adapter:
    • if user is null, return with public access
    • else compute the user profile reference from getUserName(), replacing . by = and @ by _
    • if user is found in persistence store, return that authenticated user
    • else, check user for existance:
      • if the user exists, synchronize user properties and group membership
      • else create user and synchronize group membership
      • stores the authenticated user to persistence store and returns it

Currently, it is mandatory that getUserId() and getUserName() returns the exact same value. In a future version it is expected that only getUserId() should be unique, and getUserName() a more meaningful value that may have duplicates, without causing confusions.

General configuration

xwiki.cfg file

#-# Replace the default XWikiAuthService authentication
xwiki.authentication.authclass=org.xwiki.contrib.authentication.XWikiTrustedAuthenticator

#-# Define the hint of the TrustedAuthenticationAdapter that should be used for providing the effective
#-# trusted authentication. This parameter is mandatory.
#-# Here is an example for the HeadersTrustedAuthenticationAdapter:
xwiki.authentication.trusted.adapterHint=headers

#-# Define the hint of the AuthenticationPersistenceStore that will be used to persist authentication between
#-# requests. The default is to use the SessionAuthenticationPersistenceStore, which will store authentication
#-# information into the Servlet container session.
#-# Another option is to use the CookieAuthenticationPersistenceStore (hint: cookie), that will store the
#-# information into an encrypted cookie. The cookie prefix, domain, path and encryption is customizable using the
#-# same configuration as the standard authentication services (xwiki.authentication.cookieprefix,
#-# xwiki.authentication.cookiepath, xwiki.authentication.cookiedomains and xwiki.authentication.encryptionKey)
# xwiki.authentication.trusted.persistenceStoreHint=session

#-# By default the persistence store is not trusted, but only used to optimize the synchronization process.
#-# If the authentication process is time consuming, you may improve performance by trusting the authentication
#-# provided by the persistence store without requesting the external authentication, simply uncomment:
# xwiki.authentication.trusted.isPersistenceStoreTrusted=true

#-# Only used with the Cookie persistence store, allow setting the cookie Time To Live in seconde to keep
#-# persistence between browser restart. The default is to use a session cookie.
#-# Here is an example using a 1 day TTL, which means the persistence is kept for 1 day after last response.
#-# Combine with the above parameter, this could also keep the authentication for a longer period than
#-# the one of the external authenticator, but this is obviously less secure.
# xwiki.authentication.trusted.persistenceStoreTTL=84600

#-# By default, on failure to find an authenticated user, the authentication fallback (to a custom fallback or
#-# the default XWiki authentication). To prevent fallbacking, and return public access on failure to find an
#-# authenticated user, simply uncomment:
# xwiki.authentication.trusted.isAuthoritative=true

#-# Only applicable if the previous parameter is true, this allow defining the classname of the
#-# XWikiAuthService to fallback to. By the fault, the authenticator fallback to the default XWikiAuthService
#-# implementation, and you should not uncomment the following with targetting another service, since it will
#-# just have a negative performance impact.
# xwiki.authentication.trusted.fallbackAuthenticator=com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl

#-# Define the letter case transformation that needs to be applied on username provided by the adapter
#-# to create the name of the user profile page. This letter case transformation is done first, before the
#-# replacements defined in the next parameter. The default is to lowercase the username.
#-# Possible transformation are: lowercase (default), uppercase, titlecase, none
# xwiki.authentication.trusted.userProfileCase=none

#-# Define characters or substring replacements to be applied on the username provided by the adapter after
#-# the above case transformation, to create the name of the user profile page. Replacement are of the form
#-# find=replace and separated by pipes. The default is to not make any replacement
#-# Before the introduction of this parameter, the default was different, you can reactivate it by uncommenting:
# xwiki.authentication.trusted.userProfileReplacements=.==|@=_

#-# Mapping between XWiki group name and external authentication role name.
#-# Mapping are separated with the pipe character, and the same XWiki group can be mapped multiple times to
#-# different external roles.
# xwiki.authentication.trusted.groupsMapping=XWiki.XWikiGroupA=groupA|XWiki.XWikiGroupB=groupB|XWiki.XWikiGroupA=groupAbis

#-# Mapping between XWiki users property name and external user property names.
# xwiki.authentication.trusted.propertiesMapping=email=mail|first_name=givenname|last_name=sn

XWikiPreferences

While not recommended, it's also possible to put any of theses configuration in the XWiki.XWikiPreferences object in the XWiki.XWikiPreferences page of the main wiki. Add a string field with the proper name to the class and put the value you want.

The fields names are not exactly the same, you have to change xwiki.authentication.trusted. prefix to trustedauth_:

xwiki.authentication.trusted.adapterHint -> trustedauth_adapterHint
...

For performance reason, most parameters are cached at startup, so changing those parameters in the preferences is not sufficient, you also need to restart XWiki for them to be taken into account.

Troubleshoot

Debug log

<!-- Authentication debugging -->
<logger name="org.xwiki.contrib.authentication" level="trace"/>

See Logging in the Admnistration Guide for general information about logging in XWiki.

Tested on

This extension has been tested with the following configurations.

Extension VersionXWiki FlavorNotes
1.0.2XWiki Enterprise 5.4.1 or later

Installation using Extension Manager require XWiki 6.1 or later

1.1XWiki Enterprise 5.4.1 or later

Installation using Extension Manager require XWiki 6.1 or later

Prerequisites & Installation Instructions

We recommend using the Extension Manager to install this extension (Make sure that the text "Installable with the Extension Manager" is displayed at the top right location on this page to know if this extension can be installed with the Extension Manager). Note that installing Extensions when being offline is currently not supported and you'd need to use some complex manual method.

You can also use the manual method which involves dropping the JAR file and all its dependencies into the WEB-INF/lib folder and restarting XWiki.

  • copy this xwiki-authenticator-trusted-api jar file into WEB_INF/lib/ (or install with EM for XWiki >6.1)
  • provide an authentication adapter component (or install one from another module in this repository)
  • setup xwiki.cfg

Release Notes

v1.1

  • Closed TRUSTAUTH-2 Allow customizing the cleanup made on username to choose user profile document name

Fixes applied to adapters (if any):

  • Closed TRUSTAUTH-3 IsUserInRole() always return false in the header adapter

v1.0.2

    Fixes applied to adapters (if any):

    • Closed TRUSTAUTH-1 Installing the header adapter cause a failure at XWiki startup

    Dependencies

    Dependencies for this extension (org.xwiki.contrib.authentication:xwiki-authenticator-trusted-api 1.1):

    • org.xwiki.platform:xwiki-platform-oldcore 5.4.1
    Tags:
    Created by Denis Gervalle on 2016/01/18 15:54
        

    Get Connected