Authentication (XWiki.org)

#info("You can also setup the LDAP configuration in XWiki.XWikiPreferences page by going to the object editor. Simply replace \"xwiki.authentication.ldap.\" by \"ldap_\". For example <tt>xwiki.authentication.ldap.base_DN</tt> become <tt>ldap_base_DN</tt>")

93

94

For testing purposes, you may wish to omit the "ldap.fields_mapping" field, to test the authentication first, and then add it later to get the mappings right.

95

96

Here are some LDAP client for checking your configuration:

97

* This java client, [LDAP Browser/Editor > http://www-unix.mcs.anl.gov/~gawor/ldap/] is a handy tool for checking your configuration.

98

* [Apache Directory Studio>http://directory.apache.org/studio/]

99

100

1.1.1 Detailed use cases

101

102

See [LDAP configuration uses cases>LDAPAuthenticationUseCases] for some detailed use cases.

103

104

1.1.1 Enable LDAP debug log

105

106

See [AdminGuide.Logging]. The specific targets for LDAP authentication are:

107

{code}

108

log4j.logger.com.xpn.xwiki.plugin.ldap=debug

109

log4j.logger.com.xpn.xwiki.user.impl.LDAP=debug

{code}

1.1 eXo Authentication

114

115

The eXo authentication is used automatically by adding/editing the ~~xwiki.exo=1~~ property in ~~WEB-INF/xwiki.cfg~~.

116

117

1.1 Custom Authentication

118

119

This allows plugging to any existing authentication mechanism such as SiteMinder, etc. To configure a custom authentication do the following:

120

# Implement the [XWikiAuthService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiAuthService.java] interface.

121

# Edit the ~~WEB-INF/xwiki.cfg~~ file and add a ~~xwiki.authentication.authclass~~ property pointing to your class. For example:

122

123

{code}

124

xwiki.authentication.authclass = com.acme.MyCustomAuthenticationService

125

{code}

126

127

Here's a [tutorial on implementing a custom authentication class for authenticating against Oracle's SSO>http://bodez.wordpress.com/2008/10/15/xwiki-user-authentication-with-oracle-sso/].

128

129

Note, that you also can implement own right management service by implementing [XWikiRightService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiRightService.java] interface:

130

{code}

131

xwiki.authentication.rightsclass = com.acme.MyCustomRightsService

132

{code}

133

134

and Group Service by implementing [XWikiGroupService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiGroupService.java]:

135

136

{code}

137

xwiki.authentication.groupclass = com.acme.MyCustomGroupService

138

{code}

139

140

1.1.1 Custom Authentication using a Groovy script in a wiki page

141

142

Start by specifying you want to use the Groovy Authenticator:

143

144

{code}

145

xwiki.authentication.authclass = com.xpn.xwiki.user.impl.xwiki.GroovyAuthServiceImpl

146

{code}

147

148

Then add another configuration parameter to specify in which wiki page the authenticator is:

149

150

{code}

151

xwiki.authentication.groovy.pagename = MySpace.MyPage

152

{code}

153

154

Then in a wiki page put some Groovy code that returns a XWikiAuthService object.

155

156

1.1 Authentication parameters

157

158

You can set each of these parameters by setting:

159

160

{code}

161

xwiki.authentication.~~param_name~~=~~param_value~~

{code}

{table}

Name | Optional | Allowed values | Default value | Description

166

encryptionKey | No(1) | ? | n/a | Set the Encryption Key used to create a secret key, the secret key is passed to the Cipher object to be used during encryption and decryption of cookie values.

167

validationKey | No(2) | ? | n/a | Set the Validation Key used to generate hash value; the hash value is stored with the cookie and used to verify that the cookie has not been tampered with.

168

cookiedomains | Yes | String | Server host name | Which host(s) should your cookies be sent to; use only if you want to share cookies across domains, otherwise should be commented out

169

cookielife | Yes | Number | 14 | Number of days cookies take to expire

170

cookiepath | Yes | String | / | The webapp path that XWiki cookies should be sent to; if you have anything else running on your web server, this should be set to ~~/xwiki~~

171

default_page | Yes | String | /bin/view/ Main/WebHome | Page to redirect to if xredirect parameter is not set

172

encryptionalgorithm | Yes | ? | ? | Set the Encryption Algorithm used to encrypt and decrypt cookies

173

encryptionmode | Yes | ? | ? | Set the Encryption Mode used to encrypt and decrypt cookies

174

encryptionpadding | Yes | ? | ? | Set the Encryption Padding used to encrypt and decrypt cookies

175

errorpage | Yes | String | /bin/loginerror/ XWiki/XWikiLogin | Page to redirect to if there is an error logging in

176

loginpage | Yes | String | /bin/login/ XWiki/XWikiLogin | Page to redirect to when not logged in

177

loginsubmitpage | Yes | String | /loginsubmit/ XWiki/XWikiLogin | ?

178

logoutpage | Yes | String | /bin/logout/ XWiki/XWikiLogout | Page to redirect to after logged out

179

realmname | Yes | String | XWiki | Sets the realm name

180

protection | Yes | all, validation, encryption, none | all | Protection level for the "remember me" cookie functionality

181

unauthorized_code | Yes | ? | ? | ?

182

useip | Yes | true / false | true | Specify to use the IP address when encrypting the cookie data; if IP address changes will need to re-login.

183

{table}

184

# Only required if protection = encryption or all (default)

185

# Only required if protection = validation or all (default)

186

187

1.1 Kerberos SSO Authentication

188

189

#warning("This implementation of SSO is currently under review see: http://jira.xwiki.org/jira/browse/XWIKI-2496 . The class which is described in this segment of documentation, AppServerTrustedKerberosAuthServiceImpl, is not part of the default XWiki distribution!")

190

191

The following is an example of mod_auth_kerb for Apache being used to easily implement Xwiki authentication of users via by HTTP Negotiate on a linux server. This example assumes you already have a working Apache2 HTTPD and Apache Tomcat setup with mod_jk.

192

193

First of all you need to create a principal and keytab for the webserver:

194

{code}

195

# kadmin

196

kadmin> addprinc -randkey HTTP/wiki.example.com

197

kadmin> ktadd -k /etc/apache2/ssl/wiki.keytab HTTP/wiki.example.com

kadmin> quit

{code}

Make sure the keytab has the right permissions and ownership:

202

{code}

203

chown www-data:www-data /etc/apache2/ssl/wiki.keytab

204

chmod 400 /etc/apache2/ssl/wiki.keytab

205

{code}

206

207

Install mod_auth_kerb in your linux installation. On Debian or Ubuntu this would be achieved by running:

208

{code}

209

aptitude install libapache2-mod-auth-kerb

210

{code}

211

Of course the installation procedure varies per Linux distribution.

212

213

If your xwiki installation is mounted in Apache HTTPD under /xwiki, add the following to the virtual host configuration:

{code}

AuthType Kerberos

AuthName "Kerberos Login"

218

KrbAuthRealms EXAMPLE.COM

219

Krb5Keytab "/etc/apache2/ssl/wiki.keytab"

220

KrbMethodK5Passwd off

221

KrbMethodNegotiate on

222

KrbSaveCredentials on

require valid-user

</Location>

{code}

Make sure Apache Tomcat uses the authentication performed by Apache HTTPD with the "tomcatAuthentication" property in the connector description (which is in the server.xml file of Apache Tomcat):

{code}

{code}

Place the authkerb.jar jar in the WEB-INF/lib directory of Xwiki in Apache Tomcat.

233

234

Have Xwiki use the authentication module by changing the "xwiki.authentication.authclass" property in WEB-INF/lib/xwiki.cfg file.

235

{code}

236

xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl

237

{code}

238

239

If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https://" for all secured connections or "example.com" for all example.com subdomains.

2 JBoss SPNEGO (Kerberos in combination with LDAP)

244

I changed the code of the XWikiLDAPAuthServiceImpl to be able to detect the sso user.

245

The authenication already happend by using the SPNEGO module (JAAS).

246

After that I'm using the ldap synchronisation feature to make sure that the user is up to date.

247

The combination leads to an automatic login in the xwiki and the user rights are controlled in the Active Directory server.

248

I hope you can adopt this code or that you can use it for your own projects.

249

250

The configuration of ldap;

251

{code}

252

xwiki.authentication.authclass=com.wiki.sso.SSOLdapAuthenicationImpl

253

xwiki.authentication.ldap=1

254

xwiki.authentication.ldap.server=<ad-server>

255

xwiki.authentication.ldap.port=389

256

xwiki.authentication.ldap.base_DN=<OU=Users,...............>

257

#use a fixed user to attach to the ldap database,

258

#the password is not provided with the SSOLdapAuthenicationImpl

259

xwiki.authentication.ldap.bind_DN=<domain>\\<user>

260

xwiki.authentication.ldap.bind_pass=<password>

261

#Microsoft AD configuration

262

xwiki.authentication.ldap.UID_attr=sAMAccountName

263

xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn

264

xwiki.authentication.ldap.group_memberfields=member,uniqueMember

265

#LDAP group mapping

266

xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=CN=WIKI_Admin,............|\

267

XWiki.XWikiAllGroup=CN=WIKI_User,...........

{code}

The java code

{code}

package com.wiki.sso;

273

274

275

import org.apache.commons.logging.Log;

276

import org.apache.commons.logging.LogFactory;

277

278

import com.xpn.xwiki.XWikiContext;

279

import com.xpn.xwiki.XWikiException;

280

import com.xpn.xwiki.user.api.XWikiUser;

281

import com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl;

282

283

import java.security.Principal;

284

285

public class SSOLdapAuthenicationImpl extends XWikiLDAPAuthServiceImpl {

/**

* Logging tool.

*/

private static final Log LOG = LogFactory.getLog(SSOLdapAuthenicationImpl.class);

290

291

292

public XWikiUser checkAuth(XWikiContext context) throws XWikiException {

293

String user = getRemoteUser(context);

294

if ((user != null) || !user.equals("")) {

295

if (LOG.isInfoEnabled())

296

LOG.info("Launching create user for " + user);

297

if ( authenticate(user, context) != null ) {

298

if (LOG.isInfoEnabled())

299

LOG.info("Create user done for " + user);

300

user = "XWiki." + user;

301

context.setUser(user);

302

System.out.println("User is set to:" + user);

303

return new XWikiUser(user);

304

} else {

305

LOG.error( "User " + user + " can't be authenticated against ldap" );

306

}

307

}

308

return super.checkAuth(context);

}

/**

* We cannot authenticate locally since we need to trust the app server for

* authentication

*

* @param username

* @param password

* @param context

* @return

* @throws XWikiException

320

*/

321

public XWikiUser checkAuth(String username, String password,

322

String rememberme, XWikiContext context) throws XWikiException {

323

String user = getRemoteUser(context);

324

if ((user == null) || user.equals("")) {

325

return super.checkAuth(username, password, rememberme, context);

326

}

327

return checkAuth(context);

328

}

329

330

private String getRemoteUser(XWikiContext context) {

331

String userName = context.getRequest().getHttpServletRequest()

332

.getRemoteUser();

333

if (userName != null) {

334

// only take the front of the username@domain

335

String[] elements = userName.split("@", 2);

336

userName = elements[0];

}

return userName;

}

public Principal authenticate(String login, XWikiContext context) throws XWikiException

342

{

343

if (LOG.isTraceEnabled()) {

344

LOG.trace("Starting LDAP authentication");

}

/*

* TODO: Put the next 4 following "if" in common with XWikiAuthService to ensure coherence This method was

349

* returning null on failure so I preserved that behaviour, while adding the exact error messages to the context

350

* given as argument. However, the right way to do this would probably be to throw XWikiException-s.

*/

if (login == null) {

// If we can't find the username field then we are probably on the login screen

355

356

if (LOG.isDebugEnabled()) {

357

LOG.debug("The provided user is null."

358

+ " We don't try to authenticate, it probably means the user is in non logged mode.");

}

return null;

}

// Check for empty usernames

365

if (login.equals("")) {

366

context.put("message", "nousername");

367

368

if (LOG.isDebugEnabled()) {

369

LOG.debug("LDAP authentication failed: login empty");

}

return null;

}

// If we have the context then we are using direct mode

376

// then we should specify the database

377

// This is needed for virtual mode to work

378

Principal principal = null;

379

380

// Try authentication against ldap

381

principal = ldapAuthenticate(login, "", context);

382

383

if (LOG.isDebugEnabled()) {

384

if (principal != null) {

385

LOG.debug("LDAP authentication succeed with principal [" + principal.getName() + "]");

386

} else {

387

LOG.debug("LDAP authentication failed for user [" + login + "]");

}

}

return principal;

}

}

{code}

Wiki source code of Authentication

Quick Links

Navigation

About

About

Support

Platform

User Guide

Admin Guide

Developer Guide

Projects

XWiki

Extensions

Other

Contribute

Status

Practices

Under the Hood

Get Involved

Get Connected