cogAdapter for the Trusted authentication framework that base authentication on HTTP headers
Developed by

Denis Gervalle

Active Installs38
0 Votes
LicenseGNU Lesser General Public License 2.1

Installable with the Extension Manager


Provides XWiki authentication by trusting HTTP Headers and getting information about new users from those same headers.

This authenticator has the following specific behavior:

  • getUserId(): Check and verify the secret_field http header against the secret_value, and on success returns the  value of the auth_field http header
  • getUserName(): returns the value of the id_field http header
  • getUserProperty(): returns the value of the http header having the given name
  • isUserInRole(): return true if the splitted array of the group_field http header by the group_value_separator  contains the given name
  • getLogoutUrl(location): if a logout URL is configured, provide it during a logout triggered from XWiki as the redirection page, so that the logout is propagated to the SSO provider. A placeholder __REDIRECT__ in the url is replace by the location provided to this method.

Specific configuration

#-# Define the hint of the HeadersTrustedAuthenticationAdapter to be used for providing the effective
#-# trusted authentication.

#-# Name of the header field used to check for the authentication of a user.
#-# The content of this field should not be empty to have this authenticator to proceed, and it will be put
#-# in the debugging log. But not real usage of this header value is done by the authenticator.
#-# The default is to use the REMOTE_USER header.
# xwiki.authentication.trusted.auth_field=remote_user

#-# Name of the header field holding the UserID of the authenticated user.
#-# This name will be used as the unique user name. It will be transformed in lowercase, and it will be
#-# cleaned by replacing dots (.) by equal signs (=), and replacing at signs (@) by underscores (_).
#-# For example will became john=doe_example=com.
#-# The default is to use the REMOTE_USER header.
# xwiki.authentication.trusted.id_field=remote_user

#-# Name of a header field containing a shared secret value.
#-# While not mandatory, this field is hardly recommended to properly authenticate that headers has not be forged.
#-# If not set, a warning will remind you in the log, since this is really a risky situation.
# xwiki.authentication.trusted.secret_field=

#-# The shared secred that should match the content of the shared secret header field.
# xwiki.authentication.trusted.secret_value= (no default, only used when set)

#-# Name of a header field holding the list of group the user is a member of.
#-# If not configure, no group synchronization is provided.
# xwiki.authentication.trusted.group_field=

#-# A separator used to split the list of groups into group names. This parameter should be expressed as regular expression.
#-# Default to the pipe character.
# xwiki.authentication.trusted.group_value_separator=\\|

#-# URL to the logout page of the external system that provide the authentication. This URL is used to propagate
#-# the usage of the logout feature in XWiki to the external system. XWiki may provide a redirect back location
#-# for the external system. It will be inserted as a replacement of the __REDIRECT__ placeholder if available
#-# in the configured URL.
#-# Default to null, so logout is not propagated, which prevent logout to work from XWiki.
# xwiki.authentication.trusted.logout_url=

#-# According to RFC2616, HTTP Headers are following RFC822 header syntaxt and does not support natively any
#-# character encoding, making US-ASCII prevails. Some advanced usage is still possible by convention between
#-# the parties. The following configuration allow supporting headers encoded in any Charset available to the
#-# JVM. For example, uncomment the following line to support UTF-8 encoded headers:
# xwiki.authentication.trusted.header_encoding=UTF-8

Prerequisites & Installation Instructions

We recommend using the Extension Manager to install this extension (Make sure that the text "Installable with the Extension Manager" is displayed at the top right location on this page to know if this extension can be installed with the Extension Manager).

You can also use the manual method which involves dropping the JAR file and all its dependencies into the WEB-INF/lib folder and restarting XWiki.

Release Notes







Dependencies for this extension (org.xwiki.contrib.authentication:xwiki-authenticator-trusted-headers 1.3.2):


Get Connected