Headers Trusted Authentication Adapter
Last modified by Admin on 2024/10/09 00:19
Adapter for the Trusted authentication framework that bases authentication on HTTP headers.
Type: JAR
Active Installs: 14
License: GNU Lesser General Public License 2.1
Description
Provides XWiki authentication by trusting HTTP Headers and getting information about new users from those same headers.
This authenticator has the following specific behavior:
- getUserId(): checks the secret_field HTTP header against secret_value and, on success, returns the value of the auth_field HTTP header
- getUserName(): returns the value of the id_field HTTP header
- getUserProperty(): returns the value of the HTTP header having the given name
- isUserInRole(): returns true if the group_field HTTP header contains the given role (using group_value_separator as a separator)
- getUserRoles(): returns all the roles in the group_field HTTP header
- getLogoutUrl(location): if a logout URL is configured, provides it as the redirection page during a logout triggered from XWiki, so that the logout is propagated to the SSO provider. A __REDIRECT__ placeholder in the URL is replaced by the location provided to this method.
Specific configuration
#-# Replace the default XWikiAuthService authentication
# See https://extensions.xwiki.org/xwiki/bin/view/Extension/Trusted%20authentication%20framework
xwiki.authentication.authclass=org.xwiki.contrib.authentication.XWikiTrustedAuthenticator
#-# Define the hint of the HeadersTrustedAuthenticationAdapter to be used for providing the effective
#-# trusted authentication.
xwiki.authentication.trusted.adapterHint=headers
#-# Name of the header field used to check for the authentication of a user.
#-# The content of this field must not be empty for this authenticator to proceed, and it will be written
#-# to the debugging log. The authenticator makes no other real use of this header value.
#-# The default is to use the REMOTE_USER header.
# xwiki.authentication.trusted.auth_field=remote_user
#-# Name of the header field holding the UserID of the authenticated user.
#-# This name will be used as the unique user name. It will be converted to lowercase, and it will be
#-# cleaned by replacing dots (.) with equal signs (=), and at signs (@) with underscores (_).
#-# For example, John.Doe@example.com will become john=doe_example=com.
#-# The default is to use the REMOTE_USER header.
# xwiki.authentication.trusted.id_field=remote_user
#-# Name of a header field containing a shared secret value.
#-# While not mandatory, this field is strongly recommended to properly verify that headers have not been forged.
#-# If not set, a warning will remind you in the log, since this is a really risky situation.
# xwiki.authentication.trusted.secret_field=
#-# The shared secret that should match the content of the shared secret header field.
# xwiki.authentication.trusted.secret_value= (no default, only used when set)
#-# Since 1.6.2, comma-separated list of the header fields holding the list of groups the user is a member of.
#-# Before 1.6.2, only one header field is supported.
#-# If the property is not configured, no group synchronization is provided.
# xwiki.authentication.trusted.group_field=
#-# A separator used to split the list of groups into group names. This parameter should be expressed as a regular expression.
#-# Defaults to the pipe character.
# xwiki.authentication.trusted.group_value_separator=\\|
#-# URL to the logout page of the external system that provides the authentication. This URL is used to propagate
#-# the usage of the logout feature in XWiki to the external system. XWiki may provide a redirect-back location
#-# for the external system. It will be inserted as a replacement of the __REDIRECT__ placeholder if available
#-# in the configured URL.
#-# Defaults to null, so logout is not propagated, which prevents logout from working from XWiki.
# xwiki.authentication.trusted.logout_url=http://sso.example.com/logout/page?redirect=__REDIRECT__
#-# According to RFC2616, HTTP headers follow the RFC822 header syntax and use US-ASCII by default.
#-# The following configuration allows overriding this with any charset available to the JVM.
#-# For example, uncomment the following line to use UTF-8.
#-# When using this configuration, make sure the other parties support this.
# xwiki.authentication.trusted.header_encoding=UTF-8
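The header checks described by the configuration above can be modelled outside XWiki to review what a given proxy setup would be trusted for. The following is an added example, not code from the extension: the x-proxy-secret and x-groups header names, the secret value and the sample requests are constructed, and rejecting an empty user id is an assumption of this sketch.

```python
import hmac
import re

# Constructed sample settings named after the xwiki.authentication.trusted.* keys.
# The x-* header names and the secret are hypothetical values for this sketch.
CONFIG = {
    "auth_field": "remote_user",
    "id_field": "remote_user",
    "secret_field": "x-proxy-secret",
    "secret_value": "constructed-sample-secret",
    "group_field": "x-groups,x-extra-groups",  # comma-separated list (1.6.2+)
    "group_value_separator": r"\|",  # what \\| in xwiki.cfg becomes once loaded
}

def clean_user_id(raw):
    """Lowercase, then '.' -> '=' and '@' -> '_', per the id_field comment."""
    return raw.lower().replace(".", "=").replace("@", "_")

def evaluate(headers, cfg=CONFIG):
    """Return (user_id, groups) for an accepted request, or None when rejected."""
    h = {name.lower(): value for name, value in headers.items()}
    if cfg.get("secret_field"):
        presented = h.get(cfg["secret_field"].lower(), "")
        # Constant-time comparison is this sketch's choice, not a claim about the adapter.
        if not hmac.compare_digest(presented.encode(), cfg["secret_value"].encode()):
            return None
    if not h.get(cfg["auth_field"].lower()):
        return None  # auth_field must not be empty for authentication to proceed
    user_id = clean_user_id(h.get(cfg["id_field"].lower(), ""))
    if not user_id:
        return None  # assumption of this sketch: an empty id is rejected
    groups = []
    for field in cfg.get("group_field", "").split(","):
        value = h.get(field.strip().lower(), "")
        groups += [g for g in re.split(cfg["group_value_separator"], value) if g]
    return user_id, groups

# Constructed requests: one as the SSO proxy would send it, one set by a client directly.
PROXIED = {
    "Remote_User": "John.Doe@example.com",
    "X-Proxy-Secret": "constructed-sample-secret",
    "X-Groups": "admins|editors",
    "X-Extra-Groups": "staff",
}
FORGED = {"Remote_User": "John.Doe@example.com", "X-Groups": "admins"}

if __name__ == "__main__":
    print(evaluate(PROXIED))
    print(evaluate(FORGED))
```

Calling evaluate(FORGED, {**CONFIG, "secret_field": ""}) accepts the client-supplied headers, which is the situation the log warning about an unset secret_field refers to.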
Release notes
See Trusted authentication framework.
Prerequisites & Installation Instructions
We recommend using the Extension Manager to install this extension (Make sure that the text "Installable with the Extension Manager" is displayed at the top right location on this page to know if this extension can be installed with the Extension Manager).
You can also use the manual method which involves dropping the JAR file and all its dependencies into the WEB-INF/lib folder and restarting XWiki.
- copy this xwiki-authenticator-trusted-headers jar file into WEB-INF/lib/ (or install with EM for XWiki >6.1)
- also install the required dependency: Trusted authentication framework
- set up xwiki.cfg according to the above explanation and the Trusted authentication framework ones
Dependencies
Dependencies for this extension (org.xwiki.contrib.authentication:xwiki-authenticator-trusted-headers 1.9.1):
- org.xwiki.platform:xwiki-platform-oldcore 13.10
- org.xwiki.contrib.authentication:xwiki-authenticator-trusted-api 1.9.1