Headers Trusted Authentication Adapter

Last modified by Admin on 2024/02/05 00:22

cogAdapter for the Trusted authentication framework that base authentication on HTTP headers
Developed by

Denis Gervalle

Active Installs18
0 Votes
LicenseGNU Lesser General Public License 2.1

Installable with the Extension Manager


Provides XWiki authentication by trusting HTTP Headers and getting information about new users from those same headers.

This authenticator has the following specific behavior:

  • getUserId(): Check and verify the secret_field HTTP header against the secret_value, and on success returns the  value of the auth_field http header
  • getUserName(): returns the value of the id_field HTTP header
  • getUserProperty(): returns the value of the HTTP header having the given name
  • isUserInRole(): return true if the group_field HTTP header contains the given role (using group_value_separator as a separator)
  • getUserRoles(): return all the roles in the group_field HTTP header
  • getLogoutUrl(location): if a logout URL is configured, provide it during a logout triggered from XWiki as the redirection page, so that the logout is propagated to the SSO provider. A placeholder __REDIRECT__ in the url is replaced by the location provided to this method.

Specific configuration

#-# Replace the default XWikiAuthService authentication
# See https://extensions.xwiki.org/xwiki/bin/view/Extension/Trusted%20authentication%20framework

#-# Define the hint of the HeadersTrustedAuthenticationAdapter to be used for providing the effective
#-# trusted authentication.

#-# Name of the header field used to check for the authentication of a user.
#-# The content of this field should not be empty to have this authenticator to proceed, and it will be put
#-# in the debugging log. But not real usage of this header value is done by the authenticator.
#-# The default is to use the REMOTE_USER header.
# xwiki.authentication.trusted.auth_field=remote_user

#-# Name of the header field holding the UserID of the authenticated user.
#-# This name will be used as the unique user name. It will be transformed in lowercase, and it will be
#-# cleaned by replacing dots (.) by equal signs (=), and replacing at signs (@) by underscores (_).
#-# For example John.Doe@example.com will became john=doe_example=com.
#-# The default is to use the REMOTE_USER header.
# xwiki.authentication.trusted.id_field=remote_user

#-# Name of a header field containing a shared secret value.
#-# While not mandatory, this field is strongly recommended to properly authenticate that headers has not be forged.
#-# If not set, a warning will remind you in the log, since this is really a risky situation.
# xwiki.authentication.trusted.secret_field=

#-# The shared secred that should match the content of the shared secret header field.
# xwiki.authentication.trusted.secret_value= (no default, only used when set)

#-# Since 1.6.2, comma-separate list of the header fields holding the list of group the user is a member of.
#-# Before 1.6.2, only one header field is supported.
#-# If the property is not configured, no group synchronization is provided.
# xwiki.authentication.trusted.group_field=

#-# A separator used to split the list of groups into group names. This parameter should be expressed as regular expression.
#-# Default to the pipe character.
# xwiki.authentication.trusted.group_value_separator=\\|

#-# URL to the logout page of the external system that provide the authentication. This URL is used to propagate
#-# the usage of the logout feature in XWiki to the external system. XWiki may provide a redirect back location
#-# for the external system. It will be inserted as a replacement of the __REDIRECT__ placeholder if available
#-# in the configured URL.
#-# Default to null, so logout is not propagated, which prevent logout to work from XWiki.
# xwiki.authentication.trusted.logout_url=http://sso.example.com/logout/page?redirect=__REDIRECT__
#-# According to RFC2616, HTTP headers are following the RFC822 header syntax use US-ASCII by default.
#-# The following configuration allow overriding this with any charset available to the JVM.
#-# For example, uncomment the following line to use UTF-8.
#-# When using this configuration, make sure the other parties support this.
# xwiki.authentication.trusted.header_encoding=UTF-8

Prerequisites & Installation Instructions

We recommend using the Extension Manager to install this extension (Make sure that the text "Installable with the Extension Manager" is displayed at the top right location on this page to know if this extension can be installed with the Extension Manager).

You can also use the manual method which involves dropping the JAR file and all its dependencies into the WEB-INF/lib folder and restarting XWiki.

Release Notes

















Dependencies for this extension (org.xwiki.contrib.authentication:xwiki-authenticator-trusted-headers 1.8.3):


Get Connected