XWiki – User Authentication with Oracle SSO

XWiki is a popular Java-based wiki software offering a good variety of features and plugins. It is pretty advanced, therefore ideal for any enterprise requiring a content management tool which is flexible, professional and free :-)

Installation and configuration come in different flavors, starting with the standalone distribution (Jetty container with an HSQLDB database), by far the easiest option. Alternatively, the XWiki WAR file can be deployed on any servlet container and any database of your choice (Oracle 10.1.2 RDBMS and OC4J 10.1.3 in my case).

Installation on Oracle infrastructure

Create a new XWIKI database schema with all privileges.

Edit hibernate.cfg.xml inside the XWiki WAR file to point the datasource to the newly created schema. Deploy the WAR file itself (or package the WAR in an EAR file).

Restart OC4J (the database objects will be created and populated when XWiki is first invoked).

Optional: import the default XWiki XAR file to populate the wiki with an initial set of pages.

User Authentication

XWiki has its default built-in authentication module, or it can be configured to use an LDAP server.

However, if you need to use an existing authentication mechanism (Oracle SSO or any other), you will have to plug in a custom authentication handler.

Implement the handler

First of all, you need to implement the com.xpn.xwiki.user.api.XWikiAuthService interface. One easy way to accomplish that is to extend the existing XWiki implementation (com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl) as shown below:

    public class SSOAuthServiceImpl extends XWikiAuthServiceImpl {
    ....

The next step is to override the method which performs the authentication:

    @Override
    public XWikiUser checkAuth(XWikiContext context) throws XWikiException {
    ....

Your implementation of the checkAuth() method must contain the authentication logic and return an instance of the XWikiUser class:

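        // The servlet container exposes the SSO-authenticated user name here
        String user = context.getRequest().getRemoteUser();
        if (user == null) {
            // No SSO identity: fall back to the built-in XWiki authentication
            log.error("User cannot be authenticated");
            return super.checkAuth(context);
        } else {
            // User documents live in the XWiki space
            return new XWikiUser("XWiki." + user);
        }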

Create the users

Oracle SSO relies on Oracle Internet Directory (LDAP) to store the user information; XWiki, however, has its own repository. If you don’t want to manually register each user in XWiki, you can create the users programmatically (maybe during logon):

    context.getWiki().createEmptyUser("beppe", "edit", context);
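
The two steps above combined, as an added example (not the author's ssoauthserviceimpl.java): the handler checks the SSO user name against an allow-list before it becomes part of a document name, and creates the XWiki profile on first logon. The `SAFE_NAME` pattern, the `provisionIfMissing` helper and the use of `java.util.logging` are assumptions; `exists(String, XWikiContext)` is the XWiki core method of the same generation as `createEmptyUser`.

```java
import java.util.logging.Logger;
import java.util.regex.Pattern;

import com.xpn.xwiki.XWikiContext;
import com.xpn.xwiki.XWikiException;
import com.xpn.xwiki.user.api.XWikiUser;
import com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl;

public class SSOAuthServiceImpl extends XWikiAuthServiceImpl {

    private static final Logger LOG = Logger.getLogger(SSOAuthServiceImpl.class.getName());

    // Assumed naming policy (not from the original post): letters, digits, '_' and '-'.
    // Excluding '.', ':' and '/' keeps the SSO name from changing the document reference.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    @Override
    public XWikiUser checkAuth(XWikiContext context) throws XWikiException {
        String user = context.getRequest().getRemoteUser();
        if (user == null) {
            // No SSO identity on this request: use the built-in XWiki authentication.
            return super.checkAuth(context);
        }
        if (!SAFE_NAME.matcher(user).matches()) {
            // Log the length only, so a hostile name cannot forge log lines.
            LOG.warning("SSO user name rejected by naming policy, length=" + user.length());
            return super.checkAuth(context);
        }
        String fullName = "XWiki." + user;
        provisionIfMissing(user, fullName, context);
        return new XWikiUser(fullName);
    }

    // Hypothetical helper: creates the XWiki profile on first SSO logon.
    private void provisionIfMissing(String user, String fullName, XWikiContext context)
            throws XWikiException {
        if (!context.getWiki().exists(fullName, context)) {
            // "edit" is the rights value used in the article's createEmptyUser call.
            context.getWiki().createEmptyUser(user, "edit", context);
            LOG.info("Created XWiki profile for SSO user " + fullName);
        }
    }
}
```

Because `getRemoteUser()` is trusted without a password check, the wiki should only be reachable through the SSO-protected front end that sets it.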

Source

See my implementation (ssoauthserviceimpl.java) as an example, hope it helps.

8 Responses to “XWiki – User Authentication with Oracle SSO”

  1. Alberto Says:

    Thank you very much, now I'll try to get to the bottom of it. I'm leaving you my email (with obvious anti-spam modifications): norad_KiOcCiOlA_emailNoSpAm_it, maybe we can get in touch on MSN or another IM about this, if it's not too much trouble of course; it seems to me that we both work on similar infrastructure!! Thanks again and good luck with your work.

  2. Beppe Says:

    Hi Alberto
    I solved the problem using an approach similar to Liferay's ext environment.
    I created an xwiki-ext project that contains only the code of my extensions. In build.xml (I use ant), besides creating the jar file (xwiki-ext.jar), I copy it into the WEB-INF/lib directory of the original xwiki source (which you can get with SVN).
    Then I created an xwiki-ear project that packages everything (original xwiki source + my jar file) into an EAR file, which then ends up in OC4J.

    In the future, when I need to upgrade the version, I replace the XWiki source and regenerate xwiki-ext and the EAR file.

    The Sapienza library… oops, I forgot about it.. it's just a redirect to the login page.

  3. Alberto Says:

    Dear Beppe, I too need to integrate xwiki with Oracle's SSO. I have always tried to avoid modifying the xwiki project, also to make upgrades to later versions easier, so I used the prepackaged WAR, version 1.5. How would you advise me to proceed? Do I have to import the xwiki project from their SVN into Eclipse, add the class, compile it and insert the .class into xwiki-core.jar? I'm trying but it doesn't seem that simple. I read the class you wrote and there is a reference to a library (sapienza) that I obviously don't have, but what does it do? Thanks a lot and sorry for all the questions… I hope I can figure it out.

  4. Beppe Says:

    Hi Peter
    I only perform user authentication with SSO whilst still relying on XWiki for managing groups and user permissions (authorisation). The admin dashboard is pretty good, and I can benefit from the granular security scheme (i.e. overriding default group rights for a given user).

    In xwiki.cfg you can map LDAP groups to XWiki groups.. so I guess you could manage the groups in LDAP, then export (sync) those to the wiki. However I’m not sure if/how you can assign privileges to groups and to single users.

    Sorry, not very helpful :-(

  5. Peter Moran Says:

    Hi,

    Can I ask how you are handling XWiki authz? Are you maintaining groups and rights in XWiki and assigning users after they are created? I am investigating ways of performing SSO as per your auth service, but I would also like to maintain users’ permissions in an external LDAP. Seems to me like I may have to implement the LDAP group synchronisation in a similar fashion to XWikiLDAPAuthServiceImpl. Any thoughts welcome.

  6. gcatanese Says:

    Hello, thanks for the feedback.

    Yes, the impl is indeed similar to the XWiki Trusted Application Server, I got the inspiration from that.
    I just wanted to show how to get the SSO credential (getRemoteUser) as well as providing additional notes for people who want to do the same thing.

    One thing missing in the source I posted is the redirect to the login screen: if getRemoteUser() returns null (identity cannot be authenticated) then the user should be redirected to the Login Screen instead of showing the default “Access denied” page in XWiki (unless anonymous access is provided I guess).

    BTW great tool! :-)

  7. Ludovic Dubost Says:

    Hi,

    Your auth looks quite similar to

    http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/AppServerTrustedAuthServiceImpl.java

    But it would be great if we can reintegrate it with all the other auths we start to have

  8. Vincent Massol Says:

    Very cool, thanks. I’ve linked your article from http://www.xwiki.org/xwiki/bin/view/Main/ExternalLinks
