XWiki Platform / XWIKI-2496

Specialized AppServerTrusted authenticator handling Kerberos principals

    Details

    • keywords:
      patch
    • Similar issues:
      XWIKI-7068 Merge custom kerberos authenticator in main trunk
      XWIKI-3449 Authenticated XWiki user name might be incorrect in XMLRPC login
      XWIKI-4057 LDAP authenticator should not insert wiki name in the returned user Principal when it's the current wiki
      XWIKI-1144 LDAP authentication ignores xwiki.authentication.ldap.fields_mapping when getting user principal
      XWIKI-3342 Safer check on the cached authentication
      XWIKI-1079 LDAP Authentication
      XWIKI-1132 New App Server trusted authentication service
      XWIKI-4728 Wysiwyg editor special character handling in links
      XWIKI-3328 Extend XWIKI-3013 (authenticate only once per session) to basic authentication
      XWIKI-3469 One authentication by session feature is broken

      Description

      I needed users within our organization to be able to log in to XWiki via HTTP Negotiate. I'm sure this is a requirement for other companies as well.

      The easiest way IMHO to do this is to have Apache HTTPD do the heavy lifting with mod_auth_kerb. Implementing Java container/Realm HTTP Negotiate would be considerably more work.

      After Apache HTTPD has done the Kerberos authentication one would expect to be able to simply use XWiki's AppServerTrustedAuthServiceImpl as authentication implementation class and be done with it. However, in Kerberos the user is authenticated as a principal which looks like this: username@REALMNAME.TLD (for example: siepkes@EXAMPLE.COM). The @REALMNAME.TLD part makes it impossible to use AppServerTrustedAuthServiceImpl.

      I propose we include a simple class called AppServerTrustedKerberosAuthServiceImpl which chops off the @REALMNAME.TLD part of the principal. This works for me with: MIT-Kerberos, Apache 2 HTTP, mod_auth_kerb, mod_jk and Apache Tomcat 5.5.

      Theoretically this class should also work with IIS, mod_jk and Apache Tomcat 5.5, making it possible for Active Directory users to automatically log in via SSO. I haven't tested it, but as far as I can see this should work.
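
The realm-stripping step described above, as an added example that is not the attached patch or XWiki's own code. The class name `KerberosPrincipalMapper` and the trusted-realm allowlist are assumptions made here: checking the realm before discarding it keeps `siepkes@EXAMPLE.COM` and a same-named principal from another realm from collapsing into one wiki user.

```java
import java.util.Optional;
import java.util.Set;

/** Hypothetical helper (not XWiki code): maps a Kerberos principal to a local user name. */
public final class KerberosPrincipalMapper {
    // Assumption: the deployment configures the realm(s) whose users may log in.
    private final Set<String> trustedRealms;

    public KerberosPrincipalMapper(Set<String> trustedRealms) {
        this.trustedRealms = Set.copyOf(trustedRealms);
    }

    /** Returns the local user name, or empty if the principal must not be mapped. */
    public Optional<String> toLocalUser(String remoteUser) {
        if (remoteUser == null || remoteUser.isBlank()) {
            return Optional.empty();          // front end supplied no authenticated principal
        }
        int at = remoteUser.lastIndexOf('@');
        if (at <= 0 || at == remoteUser.length() - 1) {
            return Optional.empty();          // missing name or missing realm
        }
        String name = remoteUser.substring(0, at);
        String realm = remoteUser.substring(at + 1);
        // Kerberos realm names are case-sensitive, so compare exactly.
        if (!trustedRealms.contains(realm)) {
            return Optional.empty();          // principal from a realm we do not map
        }
        // Reject service/instance principals (host/web01, user/admin) and odd characters.
        if (!name.matches("[A-Za-z0-9._-]+")) {
            return Optional.empty();
        }
        return Optional.of(name);
    }

    public static void main(String[] args) {
        KerberosPrincipalMapper mapper = new KerberosPrincipalMapper(Set.of("EXAMPLE.COM"));
        // Constructed sample principals, as a front end might pass them in REMOTE_USER.
        String[] samples = {
            "siepkes@EXAMPLE.COM", "siepkes@OTHER.EXAMPLE", "siepkes",
            "host/web01@EXAMPLE.COM", "@EXAMPLE.COM"
        };
        for (String p : samples) {
            System.out.println(p + " -> " + mapper.toLocalUser(p).orElse("<rejected>"));
        }
    }
}
```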

        Activity

        Stevo Slavic added a comment -

        Attaching updated patches to latest xwiki release (2.1.1, r26232). Issue is trivial yet more than a year old...

        Jerome Velociter added a comment -

        Updated patch, against XE 2.6 and closer to XWiki development standards

        Jerome Velociter added a comment -

        Committed in 2.6, 2.7 and 3.0 branches, with modifications

        Thomas Mortagne added a comment -

        Since this has been committed it would be good to update http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HKerberosSSOAuthentication

        Bertrand PUJOS added a comment -

        RESTful API doesn't work with Kerberos authentication. See XWIKI-6596.


          People

          • Assignee: Jerome Velociter
          • Reporter: Jasper Siepkes
          • Votes: 3
          • Watchers: 4
