Changes for page User Authentication

Last modified by Thomas Mortagne on 2023/10/27
<
From version < 64.1 >
edited by Thomas Mortagne
on 2012/10/18
To version < 64.2 >
edited by Manuel Smeria
on 2012/12/17
>
Change comment: Rewording, updated links

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.ThomasMortagne
1 +XWiki.ManuelSmeria
Content
... ... @@ -2,10 +2,8 @@
2 2  
3 3  {{toc/}}
4 4  
5 -The form authentication is the default mechanism.
6 -
7 7  {{info}}
8 -Note that currently XWiki allows only one method of authentication to be enabled at a time. This will probably be improved in the future.
6 +XWiki currently allows only one method of authentication to be enabled at a time. This will probably be improved in the future.
9 9  {{/info}}
10 10  
11 11  = Form Authentication =
... ... @@ -14,7 +14,7 @@
14 14  
15 15  = Basic Authentication =
16 16  
17 -XWiki supports [basic access authentication>http://en.wikipedia.org/wiki/Basic_access_authentication], a method designed to allow a Web browser, or other client program, to provide credentials - in the form of a user name and password - when making a request. You can get authenticated against an XWiki server with the basic authentication protocol using the following URL scheme:
15 +XWiki supports [[basic access authentication>>http://en.wikipedia.org/wiki/Basic_access_authentication]], a method designed to allow a web browser or other client programs to provide credentials - in the form of a user name and password - when making a request. You can get authenticated against an XWiki server with the basic authentication protocol using the following URL scheme:
18 18  
19 19  {{code}}
20 20  http://username:[email protected]/xwiki/bin/view/Main/WebHome?basicauth=1
... ... @@ -21,19 +21,15 @@
21 21  {{/code}}
22 22  
23 23  {{warning}}
24 -Be careful that if you use the ##HTTP## protocol your password will be sent in clear over the network and is thus very unsafe. When using Basic Authentication you should make sure your wiki is configured to use ##HTTPS##.
22 +Be careful that if you use the ##HTTP## protocol your password will be sent in clear over the network and is thus very unsafe. When using basic authentication you should make sure your wiki is configured to use ##HTTPS##.
25 25  {{/warning}}
26 26  
27 27  = Social Login =
28 28  
29 -See the [[Social Login Extension>>extensions:Extension.Social Login]].
27 +See the [[Social Login Application>>extensions:Extension.Social Login Application]].
30 30  
31 31  = LDAP Authentication =
32 32  
33 -{{warning}}
34 -New LDAP implementation since XWiki Platform 1.3M2, see [[previous LDAP authentication service documentation>>AuthenticationLdapOld]]
35 -{{/warning}}
36 -
37 37  == Generic LDAP configuration ==
38 38  
39 39  In order to enable the LDAP support you have to change the authentication method in //WEB-INF/xwiki.cfg// as follows:
... ... @@ -49,7 +49,7 @@
49 49  # xwiki.authentication.ldap=1
50 50  {{/code}}
51 51  
52 -You can setup the LDAP configuration in the //xwiki.cfg// file by filling the following properties:
46 +You can setup the LDAP configuration in the **xwiki.cfg** file by filling the following properties:
53 53  
54 54  {{code language="properties"}}
55 55  #-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
... ... @@ -166,25 +166,25 @@
166 166  {{/code}}
167 167  
168 168  {{info}}
169 -You can also setup the LDAP configuration in XWiki.XWikiPreferences page by going to the object editor. Simply replace "xwiki.authentication.ldap." by "ldap_". For example ##xwiki.authentication.ldap.base_DN## becomes ##ldap_base_DN##.
163 +You can also setup the LDAP configuration in the XWiki.XWikiPreferences page by going to the object editor. Simply replace **xwiki.authentication.ldap.** with **ldap_**. For example ##xwiki.authentication.ldap.base_DN## becomes ##ldap_base_DN##.
170 170  {{/info}}
171 171  
172 172  For testing purposes, you may wish to omit the "ldap.fields_mapping" field, to test the authentication first, and then add it later to get the mappings right.
173 173  
174 -Here are some LDAP client for checking your configuration:
168 +Here are some LDAP clients for checking your configuration:
175 175  
176 176  Java based and Open Source:
177 177  
178 178  * [[Apache Directory Studio>>http://directory.apache.org/studio/]]
179 -* [[JXplorer>>http://jxplorer.org]]
173 +* [[JXplorer>>http://jxplorer.org/]]
180 180  
181 181  Windows only:
182 182  
183 -* [[Softerra LDAP Browser>>http://www.ldapbrowser.com/download.htm]]
177 +* [[Softerra LDAP Browser>>http://www.ldapbrowser.com/info_softerra-ldap-browser.htm]]
184 184  
185 185  == Detailed use cases ==
186 186  
187 -See [[LDAP configuration uses cases>>LDAPAuthenticationUseCases]] for some detailed use cases.
181 +See the [[LDAP configuration uses cases>>LDAPAuthenticationUseCases]] for some detailed use cases.
188 188  
189 189  == Enable LDAP debug log ==
190 190  
... ... @@ -222,11 +222,11 @@
222 222  xwiki.authentication.authclass = com.acme.MyCustomAuthenticationService
223 223  {{/code}}
224 224  
225 -You can find various authenticators examples on [[https://github.com/xwiki-contrib/sandbox/blob/master/authenticators/]].
219 +You can find various [[authenticators examples>>https://github.com/xwiki-contrib/sandbox/tree/master/authenticators]].
226 226  
227 227  Here's a [[tutorial on implementing a custom authentication class for authenticating against Oracle's SSO>>http://bodez.wordpress.com/2008/10/15/xwiki-user-authentication-with-oracle-sso/]].
228 228  
229 -Note, that you also can implement own right management service by implementing {{scm path="xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/user/api/XWikiRightService.java"}}XWikiRightService{{/scm}} interface:
223 +Note, that you can also implement own right management service by implementing the {{scm path="xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/user/api/XWikiRightService.java"}}XWikiRightService{{/scm}} interface:
230 230  
231 231  {{code language="properties"}}
232 232  xwiki.authentication.rightsclass = com.acme.MyCustomRightsService
... ... @@ -252,7 +252,7 @@
252 252  xwiki.authentication.groovy.pagename = MySpace.MyPage
253 253  {{/code}}
254 254  
255 -Then in a wiki page put some Groovy code that returns a XWikiAuthService object.
249 +Then put some Groovy code in a wiki page that returns a XWikiAuthService object.
256 256  
257 257  = Authentication parameters =
258 258  
... ... @@ -290,7 +290,7 @@
290 290  This implementation of SSO is currently under review see: http://jira.xwiki.org/jira/browse/XWIKI-2496 . The class which is described in this segment of documentation, AppServerTrustedKerberosAuthServiceImpl, is not part of the default XWiki distribution!
291 291  {{/warning}}
292 292  
293 -The following is an example of mod_auth_kerb for Apache being used to easily implement Xwiki authentication of users via by HTTP Negotiate on a linux server. This example assumes you already have a working Apache2 HTTPD and Apache Tomcat setup with mod_jk.
287 +The following is an example of **mod_auth_kerb** for Apache being used to easily implement XWiki authentication of users via HTTP Negotiate on a linux server. This example assumes you already have a working Apache2 HTTPD and Apache Tomcat setup with mod_jk.
294 294  
295 295  First of all you need to create a principal and keytab for the webserver:
296 296  
... ... @@ -308,7 +308,7 @@
308 308  chmod 400 /etc/apache2/ssl/wiki.keytab
309 309  {{/code}}
310 310  
311 -Install mod_auth_kerb in your linux installation. On Debian or Ubuntu this would be achieved by running:
305 +Install **mod_auth_kerb** in your linux installation. On Debian or Ubuntu this would be achieved by running:
312 312  
313 313  {{code}}
314 314  aptitude install libapache2-mod-auth-kerb
... ... @@ -331,23 +331,23 @@
331 331  </Location>
332 332  {{/code}}
333 333  
334 -Make sure Apache Tomcat uses the authentication performed by Apache HTTPD with the "tomcatAuthentication" property in the connector description (which is in the server.xml file of Apache Tomcat):
328 +Make sure Apache Tomcat uses the authentication performed by Apache HTTPD with the "tomcatAuthentication" property in the connector description (which is in the **server.xml** file of Apache Tomcat):
335 335  
336 336  {{code}}
337 337  <Connector port="8009" address="127.0.0.1" enableLookups="false" tomcatAuthentication="false" redirectPort="8443" protocol="AJP/1.3" />
338 338  {{/code}}
339 339  
340 -Place the authkerb.jar jar in the WEB-INF/lib directory of Xwiki in Apache Tomcat.
334 +Place the **authkerb.jar** jar in the ##WEB-INF/lib## directory of XWiki in Apache Tomcat.
341 341  
342 -Have Xwiki use the authentication module by changing the "xwiki.authentication.authclass" property in WEB-INF/lib/xwiki.cfg file.
336 +Have Xwiki use the authentication module by changing the "xwiki.authentication.authclass" property in the ##WEB-INF/lib/xwiki.cfg## file.
343 343  
344 344  {{code}}
345 345  xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl
346 346  {{/code}}
347 347  
348 -If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https:~/~/" for all secured connections or "example.com" for all example.com subdomains.
342 +If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. Possible values for this property include: //https:~/~/// for all secured connections or **example.com** for all example.com subdomains.
349 349  
350 -2 JBoss SPNEGO (Kerberos in combination with LDAP) I changed the code of the XWikiLDAPAuthServiceImpl to be able to detect the sso user. The authenication already happend by using the SPNEGO module (JAAS). After that I'm using the ldap synchronisation feature to make sure that the user is up to date. The combination leads to an automatic login in the xwiki and the user rights are controlled in the Active Directory server. I hope you can adopt this code or that you can use it for your own projects.
344 +When I used JBoss SPNEGO (Kerberos in combination with LDAP) I changed the code of the **XWikiLDAPAuthServiceImpl** to be able to detect the sso user. The authenication already happend by using the SPNEGO module (JAAS). After that I'm using the ldap synchronisation feature to make sure that the user is up to date. The combination leads to an automatic login in XWiki and the user rights are controlled in the Active Directory server. I hope you can adopt this code or that you can use it for your own projects.
351 351  
352 352  The configuration of ldap:
353 353  
... ... @@ -370,7 +370,7 @@
370 370   XWiki.XWikiAllGroup=CN=WIKI_User,...........
371 371  {{/code}}
372 372  
373 -The java code
367 +The java code:
374 374  
375 375  {{code}}
376 376  package com.wiki.sso;
XWiki.XWikiComments[10]
Original Selection
... ... @@ -1,0 +1,1 @@
1 +Form Authentication LDAP Authentication Generic LDAP configuration Detailed use cases Enable LDAP debug log eXo Authentication Custom Authentication Custom Authentication using a Groovy script in a wiki page Authentication parameters Kerberos SSO Authentication
Selection
... ... @@ -1,0 +1,1 @@
1 +Form Authentication Basic Authentication Social Login LDAP Authentication Generic LDAP configuration Detailed use cases Enable LDAP debug log eXo Authentication Custom Authentication Custom Authentication using a Groovy script in a wiki page Authentication parameters Kerberos SSO Authentication
State
... ... @@ -1,0 +1,1 @@
1 +UPDATED
Target
... ... @@ -1,0 +1,1 @@
1 +AdminGuide.Authentication

About

About

Support

Platform

User Guide

Admin Guide

Developer Guide

Projects

XWiki

Extensions

Other

Contribute

Status

Practices

Under the Hood

Get Involved

Get Connected