Wiki source code of Authentication

Version 16.1 by Thomas Mortagne on 2008/05/07

version	line-number	content
1.1	1	1 User Authentication
	2
1.18	3	XWiki supports several different authentication mechanisms for authenticating users:
1.1	4	#toc("" "" "")
	5
	6	The form authentication is the default mechanism.
	7
11.1	8	#info("Note that currently XWiki allows only one method of authentication to be enabled at a time which. This will probably be improved in the future.")
1.1	9
	10	1.1 Form Authentication
	11
	12	TODO
	13
	14	1.1 LDAP Authentication
6.1	15	#warning("New experimental service since XWiki Platform 1.3M2, see [previous LDAP authentication service documentation>AuthenticationLdapOld]")
1.1	16
1.2	17	1.1.1 Generic LDAP configuration
1.1	18
1.2	19	In order to enable the LDAP support you have to change the authentication method in ~~WEB-INF/xwiki.cfg~~ as follows:
	20	{code}
7.1	21	## Turn LDAP authentication on - otherwise only XWiki authentication
	22	## 0 : disable
	23	## 1 : enable
1.2	24	xwiki.authentication.ldap=1
7.1	25
	26	## set LDAP as authentication service
11.2	27	xwiki.authentication.ldap.authclass=com.xpn.xwiki.ldap.authentication.XWikiLDAPAuthServiceImpl
1.2	28	{code}
	29
2.1	30	You can setup the LDAP configuration in the ~~xwiki.cfg~~ file by filling the following properties:
1.2	31
6.1	32	{code:none}
	33	## LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
	34	xwiki.authentication.ldap.server=156.58.101.204
1.1	35	xwiki.authentication.ldap.port=389
6.1	36
	37	## LDAP login, empty = anonymous access, otherwise specify full dn
	38	## {0} is replaced with the username, {1} with the password
1.1	39	xwiki.authentication.ldap.bind_DN=cn={0},department=USER,department=INFORMATIK,department=1230,o=MP
	40	xwiki.authentication.ldap.bind_pass={1}
6.1	41
12.1	42	#-# Force to check password after LDAP connection
	43	#-# 0: disable
	44	#-# 1: enable
	45	xwiki.authentication.ldap.validate_password=0
	46
6.1	47	## only members of the following group will be verified in the LDAP
	48	## otherwise only users that are found after searching starting from the base_DN
	49	xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
	50
	51	## base DN for searches
	52	xwiki.authentication.ldap.base_DN=
	53	department=USER,department=INFORMATIK,department=1230,o=MP
	54
	55	## specifies the LDAP attribute containing the identifier to be used as the XWiki name (default=cn)
	56	xwiki.authentication.ldap.UID_attr=cn
	57
	58	## retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
	59	xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,fullname=fullName,email=mail,ldap_dn=dn
	60
	61	# on every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki account is created.
	62	xwiki.authentication.ldap.update_user=1
	63
	64	## maps XWiki groups to LDAP groups, separator is "\|"
	65	xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=MegaNova,c=US\|\
	66	XWiki.Organisation=cn=testers,ou=groups,o=MegaNova,c=US
	67
	68	## time in seconds after which the list of members in a group is refreshed from LDAP (default=3600*6)
	69	xwiki.authentication.ldap.groupcache_expiration=21800
	70
	71	## - create : synchronize group membership only when the user is first created
	72	## - always: synchronize on every login
	73	xwiki.authentication.ldap.mode_group_sync=always
	74
	75	## if ldap authentication fails for any reason, try XWiki DB authentication with the same credentials
	76	xwiki.authentication.ldap.trylocal=1
8.1	77
	78	## SSL connection to LDAP server
	79	## 0 : normal
	80	## 1 : SSL
	81	xwiki.authentication.ldap.ssl=1
	82
	83	## The keystore file to use in SSL connection
	84	xwiki.authentication.ldap.ssl.keystore=
1.1	85	{code}
3.1	86
15.1	87	#info("You can also setup the LDAP configuration in XWiki.XWikiPreferences page by going to the object editor")
9.1	88
1.3	89	1.1.1 LDAP Configuration for Active Directory
1.1	90
1.3	91	Here are values of the properties you need to set if your LDAP server implementation is Miscrosoft Active Directory:
	92	- ldap_server: name/IP of AD server machine
	93	- ldap_port: port ~~(e.g. 389)~~
	94	- ldap_base_DN: name of root DN ~~(e.g. dc=ad,dc=company,dc=com)~~
	95	- ldap_bind_DN: domain\{0\} ~~(e.g. ad\{0\} where \{0\} will be replaced by username during validation)~~
	96	- ldap_bind_pass: \{1\} ~~(where \{1\} will be replaced by password during validation)~~
	97	- ldap_UID_attr: sAMAccountName
	98	- ldap_fields_mapping: name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn
	99
1.19	100	Example:
	101	{code}
	102	xwiki.authentication.ldap=1
16.1	103	xwiki.authentication.ldap.authclass=com.xpn.xwiki.ldap.authentication.XWikiLDAPAuthServiceImpl
1.19	104	xwiki.authentication.ldap.server=adserver
	105	xwiki.authentication.ldap.port=389
	106	xwiki.authentication.ldap.base_DN=dc=subdomain,dc=domain,dc=suffix
	107	xwiki.authentication.ldap.bind_DN=subdomain\\{0}
	108	xwiki.authentication.ldap.bind_pass={1}
	109	xwiki.authentication.ldap.UID_attr=sAMAccountName
	110	xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn
	111	{code}
1.3	112
1.19	113	The bind_DN and bind_pass fields contain the username and password for binding to the LDAP server in order to search, which will not necessarily be the same credentials as the user logging in.
	114
	115
	116	The exact details of this configuration will vary based on your server configuration. It may not be necessary to prefix the username (represented by {0}) with the subdomain.
	117
	118	For testing purposes, you may wish to omit the "ldap.fields_mapping" field, to test the authentication first, and then add it later to get the mappings right.
	119
	120	This java client, [LDAP Browser/Editor > http://www-unix.mcs.anl.gov/~gawor/ldap/] is a handy tool for checking your configuration.
	121
	122
12.1	123
13.1	124
15.1	125
1.1	126	1.1 eXo Authentication
	127
	128	The eXo authentication is used automatically by adding/editing the ~~xwiki.exo=1~~ property in ~~WEB-INF/xwiki.cfg~~.
	129
	130	1.1 Custom Authentication
	131
	132	This allows plugging to any existing authentication mechanism such as SiteMinder, etc. To configure a custom authentication do the following:
	133	# Implement the XWikiAuthService interface.
	134	# Edit the ~~WEB-INF/xwiki.cfg~~ file and add a ~~xwiki.authentication.authclass~~ property pointing to your class. For example:
	135
	136	{code}
	137	xwiki.authentication.authclass = com.acme.MyCustomAuthenticationService
	138	{code}
	139
4.1	140	Note, that you also can implement own right management service by implementing XWikiRightService interface:
	141	{code}
5.1	142	xwiki.authentication.rightsclass = com.acme.MyCustomRightsService
4.1	143	{code}
	144
5.1	145	and group service by implementing XWikiGroupService and setting ~~xwiki.authentication.groupclass~~ property.
4.1	146
	147
	148
	149
5.1	150
1.14	151	1.1 Authentication parameters
	152
	153	You can set each of these parameters by setting:
	154
	155	{code}
	156	xwiki.authentication.~~param_name~~=~~param_value~~
	157	{code}
	158
	159	{table}
	160	Name \| Optional \| Allowed values \| Default value \| Description
1.15	161	encryptionKey \| No(1) \| ? \| n/a \| Set the Encryption Key used to create a secret key, the secret key is passed to the Cipher object to be used during encryption and decryption of cookie values.
	162	validationKey \| No(2) \| ? \| n/a \| Set the Validation Key used to generate hash value; the hash value is stored with the cookie and used to verify that the cookie has not been tampered with.
1.14	163	cookiedomains \| Yes \| String \| Server host name \| Which host(s) should your cookies be sent to; use only if you want to share cookies across domains, otherwise should be commented out
	164	cookielife \| Yes \| Number \| 14 \| Number of days cookies take to expire
	165	cookiepath \| Yes \| String \| / \| The webapp path that XWiki cookies should be sent to; if you have anything else running on your web server, this should be set to ~~/xwiki~~
1.17	166	default_page \| Yes \| String \| /bin/view/ Main/WebHome \| Page to redirect to if xredirect parameter is not set
1.15	167	encryptionalgorithm \| Yes \| ? \| ? \| Set the Encryption Algorithm used to encrypt and decrypt cookies
	168	encryptionmode \| Yes \| ? \| ? \| Set the Encryption Mode used to encrypt and decrypt cookies
	169	encryptionpadding \| Yes \| ? \| ? \| Set the Encryption Padding used to encrypt and decrypt cookies
1.17	170	errorpage \| Yes \| String \| /bin/loginerror/ XWiki/XWikiLogin \| Page to redirect to if there is an error logging in
	171	loginpage \| Yes \| String \| /bin/login/ XWiki/XWikiLogin \| Page to redirect to when not logged in
	172	loginsubmitpage \| Yes \| String \| /loginsubmit/ XWiki/XWikiLogin \| ?
	173	logoutpage \| Yes \| String \| /bin/logout/ XWiki/XWikiLogout \| Page to redirect to after logged out
15.2	174	realmname \| Yes \| String \| XWiki \| Sets the realm name
1.16	175	protection \| Yes \| all, validation, encryption, none \| all \| Protection level for the "remember me" cookie functionality
1.15	176	unauthorized_code \| Yes \| ? \| ? \| ?
1.14	177	useip \| Yes \| true / false \| true \| Specify to use the IP address when encrypting the cookie data; if IP address changes will need to re-login.
	178	{table}
1.15	179	# Only required if protection = encryption or all (default)
	180	# Only required if protection = validation or all (default)
1.16	181
1.17	182
1.18	183
10.1	184
11.1	185

Wiki source code of Authentication

Quick Links

Navigation

About

About

Support

Platform

User Guide

Admin Guide

Developer Guide

Projects

XWiki

Extensions

Other

Contribute

Status

Practices

Under the Hood

Get Involved

Get Connected