Change comment:
There is no comment for this version
Summary
Page properties (2 modified, 0 added, 0 removed)
Details
- Page properties
- Author
... ... @@ -1,1 +1,1 @@ 1 -XWiki. VincentMassol1 +XWiki.jek - Content
... ... @@ -143,7 +143,7 @@ 143 143 1.1 Custom Authentication 144 144 145 145 This allows plugging to any existing authentication mechanism such as SiteMinder, etc. To configure a custom authentication do the following: 146 -# Implement the XWikiAuthService interface. 146 +# Implement the [XWikiAuthService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiAuthService.java] interface. 147 147 # Edit the ~~WEB-INF/xwiki.cfg~~ file and add a ~~xwiki.authentication.authclass~~ property pointing to your class. For example: 148 148 149 149 {code} ... ... 
@@ -152,17 +152,33 @@ 152 152 153 153 Here's a [tutorial on implementing a custom authentication class for authenticating against Oracle's SSO>http://bodez.wordpress.com/2008/10/15/xwiki-user-authentication-with-oracle-sso/]. 154 154 155 -Note, that you also can implement own right management service by implementing XWikiRightService interface: 155 +Note, that you also can implement own right management service by implementing [XWikiRightService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiRightService.java] interface: 156 156 {code} 157 157 xwiki.authentication.rightsclass = com.acme.MyCustomRightsService 158 158 {code} 159 159 160 -and groupservice by implementing XWikiGroupServiceand setting ~~xwiki.authentication.groupclass~~property.160 +and Group Service by implementing [XWikiGroupService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiGroupService.java]: 161 161 162 +{code} 163 +xwiki.authentication.groupclass = com.acme.MyCustomGroupService 164 +{code} 162 162 166 +1.1.1 Custom Authentication using a Groovy script in a wiki page 163 163 168 +Start by specifying you want to use the Groovy Authenticator: 164 164 170 +{code} 171 +xwiki.authentication.authclass = com.xpn.xwiki.user.impl.xwiki.GroovyAuthServiceImpl 172 +{code} 165 165 174 +Then add another configuration parameter to specify in which wiki page the authenticator is: 175 + 176 +{code} 177 +xwiki.authentication.groovy.pagename = MySpace.MyPage 178 +{code} 179 + 180 +Then in a wiki page put some Groovy code that returns a XWikiAuthService object. 181 + 166 166 1.1 Authentication parameters 167 167 168 168 You can set each of these parameters by setting: ... ... 
@@ -248,3 +248,158 @@ 248 248 249 249 If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https://" for all secured connections or "example.com" for all example.com subdomains. 250 250 267 + 268 + 269 +2 JBoss SPNEGO (Kerberos in combination with LDAP) 270 +I changed the code of the XWikiLDAPAuthServiceImpl to be able to detect the sso user. 271 +The authenication already happend by using the SPNEGO module (JAAS). 272 +After that I'm using the ldap synchronisation feature to make sure that the user is up to date. 273 +The combination leads to an automatic login in the xwiki and the user rights are controlled in the Active Directory server. 274 +I hope you can adopt this code or that you can use it for your own projects. 275 + 276 +The configuration of ldap; 277 +{code} 278 +xwiki.authentication.authclass=com.wiki.sso.SSOLdapAuthenicationImpl 279 +xwiki.authentication.ldap=1 280 +xwiki.authentication.ldap.server=<ad-server> 281 +xwiki.authentication.ldap.port=389 282 +xwiki.authentication.ldap.base_DN=<OU=Users,...............> 283 +#use a fixed user to attach to the ldap database, 284 +#the password is not provided with the SSOLdapAuthenicationImpl 285 +xwiki.authentication.ldap.bind_DN=<domain>\\<user> 286 +xwiki.authentication.ldap.bind_pass=<password> 287 +#Microsoft AD configuration 288 +xwiki.authentication.ldap.UID_attr=sAMAccountName 289 +xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn 290 +xwiki.authentication.ldap.group_memberfields=member,uniqueMember 291 +#LDAP group mapping 292 +xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=CN=WIKI_Admin,............|\ 293 + XWiki.XWikiAllGroup=CN=WIKI_User,........... 
294 + 295 +{code} 296 +The java code 297 +{code} 298 +package com.wiki.sso; 299 + 300 + 301 +import org.apache.commons.logging.Log; 302 +import org.apache.commons.logging.LogFactory; 303 + 304 +import com.xpn.xwiki.XWikiContext; 305 +import com.xpn.xwiki.XWikiException; 306 +import com.xpn.xwiki.user.api.XWikiUser; 307 +import com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl; 308 + 309 +import java.security.Principal; 310 + 311 +public class SSOLdapAuthenicationImpl extends XWikiLDAPAuthServiceImpl { 312 + /** 313 + * Logging tool. 314 + */ 315 + private static final Log LOG = LogFactory.getLog(SSOLdapAuthenicationImpl.class); 316 + 317 + 318 + public XWikiUser checkAuth(XWikiContext context) throws XWikiException { 319 + String user = getRemoteUser(context); 320 + if ((user != null) || !user.equals("")) { 321 + if (LOG.isInfoEnabled()) 322 + LOG.info("Launching create user for " + user); 323 + if ( authenticate(user, context) != null ) { 324 + if (LOG.isInfoEnabled()) 325 + LOG.info("Create user done for " + user); 326 + user = "XWiki." 
+ user; 327 + context.setUser(user); 328 + System.out.println("User is set to:" + user); 329 + return new XWikiUser(user); 330 + } else { 331 + LOG.error( "User " + user + " can't be authenticated against ldap" ); 332 + } 333 + } 334 + return super.checkAuth(context); 335 + } 336 + 337 + /** 338 + * We cannot authenticate locally since we need to trust the app server for 339 + * authentication 340 + * 341 + * @param username 342 + * @param password 343 + * @param context 344 + * @return 345 + * @throws XWikiException 346 + */ 347 + public XWikiUser checkAuth(String username, String password, 348 + String rememberme, XWikiContext context) throws XWikiException { 349 + String user = getRemoteUser(context); 350 + if ((user == null) || user.equals("")) { 351 + return super.checkAuth(username, password, rememberme, context); 352 + } 353 + return checkAuth(context); 354 + } 355 + 356 + private String getRemoteUser(XWikiContext context) { 357 + String userName = context.getRequest().getHttpServletRequest() 358 + .getRemoteUser(); 359 + if (userName != null) { 360 + // only take the front of the username@domain 361 + String[] elements = userName.split("@", 2); 362 + userName = elements[0]; 363 + } 364 + return userName; 365 + } 366 + 367 + public Principal authenticate(String login, XWikiContext context) throws XWikiException 368 + { 369 + if (LOG.isTraceEnabled()) { 370 + LOG.trace("Starting LDAP authentication"); 371 + } 372 + 373 + /* 374 + * TODO: Put the next 4 following "if" in common with XWikiAuthService to ensure coherence This method was 375 + * returning null on failure so I preserved that behaviour, while adding the exact error messages to the context 376 + * given as argument. However, the right way to do this would probably be to throw XWikiException-s. 
377 + */ 378 + 379 + if (login == null) { 380 + // If we can't find the username field then we are probably on the login screen 381 + 382 + if (LOG.isDebugEnabled()) { 383 + LOG.debug("The provided user is null." 384 + + " We don't try to authenticate, it probably means the user is in non logged mode."); 385 + } 386 + 387 + return null; 388 + } 389 + 390 + // Check for empty usernames 391 + if (login.equals("")) { 392 + context.put("message", "nousername"); 393 + 394 + if (LOG.isDebugEnabled()) { 395 + LOG.debug("LDAP authentication failed: login empty"); 396 + } 397 + 398 + return null; 399 + } 400 + 401 + // If we have the context then we are using direct mode 402 + // then we should specify the database 403 + // This is needed for virtual mode to work 404 + Principal principal = null; 405 + 406 + // Try authentication against ldap 407 + principal = ldapAuthenticate(login, "", context); 408 + 409 + if (LOG.isDebugEnabled()) { 410 + if (principal != null) { 411 + LOG.debug("LDAP authentication succeed with principal [" + principal.getName() + "]"); 412 + } else { 413 + LOG.debug("LDAP authentication failed for user [" + login + "]"); 414 + } 415 + } 416 + 417 + return principal; 418 + } 419 +} 420 +{code} 421 +
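Review bot: The guard in `checkAuth(XWikiContext)` is inverted — `if ((user != null) || !user.equals(""))` evaluates the right operand whenever `getRemoteUser` returns null (no container-authenticated user) and throws a NullPointerException there instead of falling through to `super.checkAuth(context)`; it should read `if (user != null && !user.equals(""))`, the same check the four-argument `checkAuth` already applies. The `System.out.println("User is set to:" + user);` a few lines below is a stray debug print that bypasses the class's `LOG` and belongs in `LOG.debug`. `getRemoteUser` deserves a comment stating that the whole authentication decision rests on the servlet container's `getRemoteUser()` value (so the application must only be reachable through the SPNEGO/JAAS filter) and that splitting on `@` discards the realm, so identically named accounts from different realms map to the same wiki user — e.g. `// Trust boundary: the container (SPNEGO/JAAS) has already authenticated this user; the realm suffix after '@' is dropped`. `authenticate` then calls `ldapAuthenticate(login, "", context)` with an empty password, presumably so the user is looked up via the fixed bind_DN rather than re-verified — that the inherited LDAP implementation treats an empty password as a lookup and never attempts an unauthenticated bind as the user should be confirmed and noted at the call site.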