Changes for page User Authentication

Last modified by Simon Urli on 2023/12/11

From version 64.2
edited by Manuel Smeria
on 2012/12/17
Change comment: Rewording, updated links
To version 64.1
edited by Thomas Mortagne
on 2012/10/18
Change comment: There is no comment for this version

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.ManuelSmeria
1 +XWiki.ThomasMortagne
Content
... ... @@ -2,8 +2,10 @@
2 2  
3 3  {{toc/}}
4 4  
5 +The form authentication is the default mechanism.
6 +
5 5  {{info}}
6 -XWiki currently allows only one method of authentication to be enabled at a time. This will probably be improved in the future.
8 +Note that currently XWiki allows only one method of authentication to be enabled at a time. This will probably be improved in the future.
7 7  {{/info}}
8 8  
9 9  = Form Authentication =
... ... @@ -12,7 +12,7 @@
12 12  
13 13  = Basic Authentication =
14 14  
15 -XWiki supports [[basic access authentication>>http://en.wikipedia.org/wiki/Basic_access_authentication]], a method designed to allow a web browser or other client programs to provide credentials - in the form of a user name and password - when making a request. You can get authenticated against an XWiki server with the basic authentication protocol using the following URL scheme:
17 +XWiki supports [basic access authentication>http://en.wikipedia.org/wiki/Basic_access_authentication], a method designed to allow a Web browser, or other client program, to provide credentials - in the form of a user name and password - when making a request. You can get authenticated against an XWiki server with the basic authentication protocol using the following URL scheme:
16 16  
17 17  {{code}}
18 18  http://username:[email protected]/xwiki/bin/view/Main/WebHome?basicauth=1
... ... @@ -19,15 +19,19 @@
19 19  {{/code}}
20 20  
21 21  {{warning}}
22 -Be careful that if you use the ##HTTP## protocol your password will be sent in clear over the network and is thus very unsafe. When using basic authentication you should make sure your wiki is configured to use ##HTTPS##.
24 +Be careful that if you use the ##HTTP## protocol your password will be sent in clear over the network and is thus very unsafe. When using Basic Authentication you should make sure your wiki is configured to use ##HTTPS##.
23 23  {{/warning}}
24 24  
25 25  = Social Login =
26 26  
27 -See the [[Social Login Application>>extensions:Extension.Social Login Application]].
29 +See the [[Social Login Extension>>extensions:Extension.Social Login]].
28 28  
29 29  = LDAP Authentication =
30 30  
33 +{{warning}}
34 +New LDAP implementation since XWiki Platform 1.3M2, see [[previous LDAP authentication service documentation>>AuthenticationLdapOld]]
35 +{{/warning}}
36 +
31 31  == Generic LDAP configuration ==
32 32  
33 33  In order to enable the LDAP support you have to change the authentication method in //WEB-INF/xwiki.cfg// as follows:
... ... @@ -43,7 +43,7 @@
43 43  # xwiki.authentication.ldap=1
44 44  {{/code}}
45 45  
46 -You can setup the LDAP configuration in the **xwiki.cfg** file by filling the following properties:
52 +You can setup the LDAP configuration in the //xwiki.cfg// file by filling the following properties:
47 47  
48 48  {{code language="properties"}}
49 49  #-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
... ... @@ -160,25 +160,25 @@
160 160  {{/code}}
161 161  
162 162  {{info}}
163 -You can also setup the LDAP configuration in the XWiki.XWikiPreferences page by going to the object editor. Simply replace **xwiki.authentication.ldap.** with **ldap_**. For example ##xwiki.authentication.ldap.base_DN## becomes ##ldap_base_DN##.
169 +You can also setup the LDAP configuration in XWiki.XWikiPreferences page by going to the object editor. Simply replace "xwiki.authentication.ldap." by "ldap_". For example ##xwiki.authentication.ldap.base_DN## becomes ##ldap_base_DN##.
164 164  {{/info}}
165 165  
166 166  For testing purposes, you may wish to omit the "ldap.fields_mapping" field, to test the authentication first, and then add it later to get the mappings right.
167 167  
168 -Here are some LDAP clients for checking your configuration:
174 +Here are some LDAP client for checking your configuration:
169 169  
170 170  Java based and Open Source:
171 171  
172 172  * [[Apache Directory Studio>>http://directory.apache.org/studio/]]
173 -* [[JXplorer>>http://jxplorer.org/]]
179 +* [[JXplorer>>http://jxplorer.org]]
174 174  
175 175  Windows only:
176 176  
177 -* [[Softerra LDAP Browser>>http://www.ldapbrowser.com/info_softerra-ldap-browser.htm]]
183 +* [[Softerra LDAP Browser>>http://www.ldapbrowser.com/download.htm]]
178 178  
179 179  == Detailed use cases ==
180 180  
181 -See the [[LDAP configuration uses cases>>LDAPAuthenticationUseCases]] for some detailed use cases.
187 +See [[LDAP configuration uses cases>>LDAPAuthenticationUseCases]] for some detailed use cases.
182 182  
183 183  == Enable LDAP debug log ==
184 184  
... ... @@ -216,11 +216,11 @@
216 216  xwiki.authentication.authclass = com.acme.MyCustomAuthenticationService
217 217  {{/code}}
218 218  
219 -You can find various [[authenticators examples>>https://github.com/xwiki-contrib/sandbox/tree/master/authenticators]].
225 +You can find various authenticators examples on [[https://github.com/xwiki-contrib/sandbox/blob/master/authenticators/]].
220 220  
221 221  Here's a [[tutorial on implementing a custom authentication class for authenticating against Oracle's SSO>>http://bodez.wordpress.com/2008/10/15/xwiki-user-authentication-with-oracle-sso/]].
222 222  
223 -Note, that you can also implement own right management service by implementing the {{scm path="xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/user/api/XWikiRightService.java"}}XWikiRightService{{/scm}} interface:
229 +Note, that you also can implement own right management service by implementing {{scm path="xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/user/api/XWikiRightService.java"}}XWikiRightService{{/scm}} interface:
224 224  
225 225  {{code language="properties"}}
226 226  xwiki.authentication.rightsclass = com.acme.MyCustomRightsService
... ... @@ -246,7 +246,7 @@
246 246  xwiki.authentication.groovy.pagename = MySpace.MyPage
247 247  {{/code}}
248 248  
249 -Then put some Groovy code in a wiki page that returns a XWikiAuthService object.
255 +Then in a wiki page put some Groovy code that returns a XWikiAuthService object.
250 250  
251 251  = Authentication parameters =
252 252  
... ... @@ -284,7 +284,7 @@
284 284  This implementation of SSO is currently under review see: http://jira.xwiki.org/jira/browse/XWIKI-2496 . The class which is described in this segment of documentation, AppServerTrustedKerberosAuthServiceImpl, is not part of the default XWiki distribution!
285 285  {{/warning}}
286 286  
287 -The following is an example of **mod_auth_kerb** for Apache being used to easily implement XWiki authentication of users via HTTP Negotiate on a linux server. This example assumes you already have a working Apache2 HTTPD and Apache Tomcat setup with mod_jk.
293 +The following is an example of mod_auth_kerb for Apache being used to easily implement Xwiki authentication of users via by HTTP Negotiate on a linux server. This example assumes you already have a working Apache2 HTTPD and Apache Tomcat setup with mod_jk.
288 288  
289 289  First of all you need to create a principal and keytab for the webserver:
290 290  
... ... @@ -302,7 +302,7 @@
302 302  chmod 400 /etc/apache2/ssl/wiki.keytab
303 303  {{/code}}
304 304  
305 -Install **mod_auth_kerb** in your linux installation. On Debian or Ubuntu this would be achieved by running:
311 +Install mod_auth_kerb in your linux installation. On Debian or Ubuntu this would be achieved by running:
306 306  
307 307  {{code}}
308 308  aptitude install libapache2-mod-auth-kerb
... ... @@ -325,23 +325,23 @@
325 325  </Location>
326 326  {{/code}}
327 327  
328 -Make sure Apache Tomcat uses the authentication performed by Apache HTTPD with the "tomcatAuthentication" property in the connector description (which is in the **server.xml** file of Apache Tomcat):
334 +Make sure Apache Tomcat uses the authentication performed by Apache HTTPD with the "tomcatAuthentication" property in the connector description (which is in the server.xml file of Apache Tomcat):
329 329  
330 330  {{code}}
331 331  <Connector port="8009" address="127.0.0.1" enableLookups="false" tomcatAuthentication="false" redirectPort="8443" protocol="AJP/1.3" />
332 332  {{/code}}
333 333  
334 -Place the **authkerb.jar** jar in the ##WEB-INF/lib## directory of XWiki in Apache Tomcat.
340 +Place the authkerb.jar jar in the WEB-INF/lib directory of Xwiki in Apache Tomcat.
335 335  
336 -Have Xwiki use the authentication module by changing the "xwiki.authentication.authclass" property in the ##WEB-INF/lib/xwiki.cfg## file.
342 +Have Xwiki use the authentication module by changing the "xwiki.authentication.authclass" property in WEB-INF/lib/xwiki.cfg file.
337 337  
338 338  {{code}}
339 339  xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl
340 340  {{/code}}
341 341  
342 -If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. Possible values for this property include: //https:~/~/// for all secured connections or **example.com** for all example.com subdomains.
348 +If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https:~/~/" for all secured connections or "example.com" for all example.com subdomains.
343 343  
344 -When I used JBoss SPNEGO (Kerberos in combination with LDAP) I changed the code of the **XWikiLDAPAuthServiceImpl** to be able to detect the sso user. The authenication already happend by using the SPNEGO module (JAAS). After that I'm using the ldap synchronisation feature to make sure that the user is up to date. The combination leads to an automatic login in XWiki and the user rights are controlled in the Active Directory server. I hope you can adopt this code or that you can use it for your own projects.
350 +2 JBoss SPNEGO (Kerberos in combination with LDAP) I changed the code of the XWikiLDAPAuthServiceImpl to be able to detect the sso user. The authenication already happend by using the SPNEGO module (JAAS). After that I'm using the ldap synchronisation feature to make sure that the user is up to date. The combination leads to an automatic login in the xwiki and the user rights are controlled in the Active Directory server. I hope you can adopt this code or that you can use it for your own projects.
345 345  
346 346  The configuration of ldap:
347 347  
... ... @@ -364,7 +364,7 @@
364 364   XWiki.XWikiAllGroup=CN=WIKI_User,...........
365 365  {{/code}}
366 366  
367 -The java code:
373 +The java code
368 368  
369 369  {{code}}
370 370  package com.wiki.sso;
XWiki.XWikiComments[10]
Original Selection
... ... @@ -1,1 +1,0 @@
1 -Form Authentication LDAP Authentication Generic LDAP configuration Detailed use cases Enable LDAP debug log eXo Authentication Custom Authentication Custom Authentication using a Groovy script in a wiki page Authentication parameters Kerberos SSO Authentication
Selection
... ... @@ -1,1 +1,0 @@
1 -Form Authentication Basic Authentication Social Login LDAP Authentication Generic LDAP configuration Detailed use cases Enable LDAP debug log eXo Authentication Custom Authentication Custom Authentication using a Groovy script in a wiki page Authentication parameters Kerberos SSO Authentication
State
... ... @@ -1,1 +1,0 @@
1 -UPDATED
Target
... ... @@ -1,1 +1,0 @@
1 -AdminGuide.Authentication

Get Connected