...
Pluggable JAAS Login Module
NuxeoLoginModule is a JAAS LoginModule. It is responsible for handling all login calls within Nuxeo's security domains:
...
NuxeoLoginModule mainly handles two tasks:
- logging the user in. This means extracting information from the CallBack stack and validating the identity. NuxeoLoginModule supports several types of CallBacks (including a Nuxeo-specific CallBack) and uses a plugin system to validate user identity in a pluggable way;
- creating the Principal. For that, NuxeoLoginModule uses the Nuxeo UserManager service, which does the indirection to the users/groups directories.
When used in conjunction with UserIdentificationInfoCallback (the Nuxeo custom CallBack), the LoginModule chooses the right LoginPlugin according to the information carried by the CallBack.
NuxeoLoginModule Plugins
Because validating user identity can be more complex than just checking a login/password pair, NuxeoLoginModule exposes an extension point to contribute new LoginPlugins.
Each LoginPlugin has to implement the org.nuxeo.ecm.platform.login.LoginPlugin interface.
This interface exposes the user identity validation logic, fed with the UserIdentificationInfo object populated by the Authenticator (see the Pluggable Web Authentication Filter section below):
```java
String validatedUserIdentity(UserIdentificationInfo userIdent)
```
For instance, the default implementation extracts the login/password from UserIdentificationInfo and calls checkUsernamePassword on the UserManager, which validates them against the users directory.
Other plugins can use other information carried by UserIdentificationInfo (token, ticket, ...) to validate the identity against an external SSO system. UserIdentificationInfo also carries the name of the LoginModule plugin that must be used to validate the identity. Even if, technically, a lot of SSO systems could be implemented with this plugin system, most SSO implementations have been moved to Authentication Plugins at the web filter level, because they need an HTTP dialog.
For now, NuxeoLoginModule has only two ways to handle validatedUserIdentity:
- default: uses the UserManager to validate the login/password pair;
- Trusting_LM (the name used in the loginModulePlugin element of the descriptors below): assumes the user identity has already been validated by the authentication filter, so validatedUserIdentity never rejects the identity.
With Trusting_LM, a user is logged in as soon as the user exists in the UserManager; no password or token is checked at this level. This plugin is used by most SSO systems in conjunction with an Authentication plugin that actually does the work of validating the password or token, so it must only be paired with authenticators whose identity source is itself trustworthy.
...
- guarding access to web resources. The filter can be parameterized to guard URLs matching a given pattern;
- finding the right plugin to get user identification information. This can mean getting a username/password, getting a token from a cookie or a header, or redirecting the user to another authentication server;
- creating the LoginContext. This means creating the needed callbacks and calling the JAAS login;
- storing and re-establishing the login context. In order to avoid recreating a login context for each request, the LoginContext is cached.
NuxeoAuthenticationFilter
The NuxeoAuthenticationFilter is one of the top-level filters in the Nuxeo web filter stack. For each request, it tries to find an existing LoginContext and creates a RequestWrapper that carries the NuxeoPrincipal.
If no existing LoginContext is found, it tries to prompt the client for authentication information and establishes the login context.
To prompt the client and retrieve the UserIdentificationInfo, the filter relies on a set of configured plugins.
Each plugin must:
- implement org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPlugin. The two main methods are:
```java
Boolean handleLoginPrompt(HttpServletRequest httpRequest, HttpServletResponse httpResponse, String baseURL);
UserIdentificationInfo handleRetrieveIdentity(HttpServletRequest httpRequest, HttpServletResponse httpResponse);
```
- define the LoginModule plugin to use, if needed. Typically, an SSO AuthenticationPlugin does all the validation work itself and uses the Trusting_LM LoginModule plugin;
- define whether the starting URL must be saved. AuthenticationPlugins that use an HTTP redirect to do the login prompt let the filter store the first accessed URL, so that the user can be cleanly redirected to the page they asked for once authentication succeeds.
Additionally, an AuthenticationPlugin can also implement the org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPluginLogoutExtension interface if specific processing must be done when logging out.
Here is a sample XML descriptor for registering an AuthenticationPlugin:
```xml
<?xml version="1.0"?>
<component name="org.nuxeo.ecm.platform.ui.web.auth.defaultConfig">
  <extension
      target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
      point="authenticators">
    <authenticationPlugin name="FORM_AUTH" enabled="true"
        class="org.nuxeo.ecm.platform.ui.web.auth.plugins.FormAuthenticator">
      <needStartingURLSaving>true</needStartingURLSaving>
      <parameters>
        <parameter name="LoginPage">login.jsp</parameter>
        <parameter name="UsernameKey">user_name</parameter>
        <parameter name="PasswordKey">user_password</parameter>
      </parameters>
    </authenticationPlugin>
  </extension>
</component>
```
As you can see in the above example, the descriptor contains a parameters tag that can be used to embed arbitrary additional configuration specific to a given AuthenticationPlugin. In the above example, it defines the field names and the JSP file used for form-based authentication.
NuxeoAuthenticationFilter supports several authentication systems at once. This is useful, for example, to have browser users authenticate with a form while RSS clients use Basic authentication. Because of that, AuthenticationPlugins must be ordered. For that purpose, NuxeoAuthenticationFilter uses a dedicated extension point that lets you define the AuthenticationChain:
```xml
<component name="org.nuxeo.ecm.anonymous.activation">
  <require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
  <extension
      target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
      point="chain">
    <authenticationChain>
      <plugins>
        <plugin>BASIC_AUTH</plugin>
        <plugin>ANONYMOUS_AUTH</plugin>
        <plugin>FORM_AUTH</plugin>
      </plugins>
    </authenticationChain>
  </extension>
</component>
```
The NuxeoAuthenticationFilter uses this chain to trigger the login prompt. When authentication is needed, the filter first calls, in a first round, the handleRetrieveIdentity method on all the plugins in the order of the authentication chain. Then, if authentication could not be achieved in that first round, it calls the handleLoginPrompt method on all the plugins in the same order, in a second round. The aim is to have as many automatic authentications as possible; that is why all the manual authentications (those needing a prompt) are done in the second round.
Some authentication plugins may choose to trigger the login prompt or not depending on the situation. For example, the BasicAuthentication plugin generates its login prompt (an HTTP Basic authentication challenge, which browsers show as a popup) only for specific URLs used by RSS feeds or restlet calls. This allows the platform to be easily called by restlets and RSS clients without bothering browser clients, who are presented with web forms to authenticate.
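The two-round chain described above, together with the default/Trusting_LM distinction from the NuxeoLoginModule Plugins section, is easier to reason about when it can be run. The following Python model is an added illustration and is not Nuxeo's code: the classes BasicAuth, ProxyAuth, FormAuth, Request and Response, the USERS table, the prompt URL prefixes and the from_proxy flag (standing in for the deployment guarantee that a header-based identity only arrives through the authenticating reverse proxy) are all invented for the example. Only the method names handleRetrieveIdentity and handleLoginPrompt, the plugin names BASIC_AUTH, PROXY_AUTH and FORM_AUTH, and the login-module plugin names default and Trusting_LM come from the page.

```python
import base64
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the UserManager's users directory.
USERS = {"alice": "s3cret", "bob": "hunter2"}


@dataclass
class UserIdentificationInfo:
    user_name: str
    password: Optional[str] = None
    login_plugin_name: str = "default"  # LoginModule plugin that must validate this identity


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)
    from_proxy: bool = False  # assumption: request arrived through the trusted reverse proxy


@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class BasicAuth:
    """BASIC_AUTH: always parses Authorization, but only prompts on configured URL prefixes."""
    def __init__(self, prompt_prefixes=("/nuxeo/restAPI/", "/nuxeo/rss")):
        self.prompt_prefixes = tuple(prompt_prefixes)

    def handleRetrieveIdentity(self, req, resp):
        auth = req.headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        try:
            user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        return UserIdentificationInfo(user, pwd, "default")

    def handleLoginPrompt(self, req, resp, base_url):
        if not req.path.startswith(self.prompt_prefixes):
            return False  # browser clients are left to the form plugin
        resp.status, resp.headers["WWW-Authenticate"] = 401, 'Basic realm="nuxeo"'
        return True


class ProxyAuth:
    """PROXY_AUTH-style plugin: identity from a header, validated by Trusting_LM."""
    def __init__(self, sso_header_name="remote_user"):
        self.header = sso_header_name

    def handleRetrieveIdentity(self, req, resp):
        user = req.headers.get(self.header)
        if not user or not req.from_proxy:  # header only means something if the proxy set it
            return None
        return UserIdentificationInfo(user, None, "Trusting_LM")

    def handleLoginPrompt(self, req, resp, base_url):
        return False  # nothing to prompt for; the proxy authenticates


class FormAuth:
    """FORM_AUTH: reads the posted fields, otherwise redirects to the login page."""
    def handleRetrieveIdentity(self, req, resp):
        user, pwd = req.params.get("user_name"), req.params.get("user_password")
        return UserIdentificationInfo(user, pwd, "default") if user and pwd else None

    def handleLoginPrompt(self, req, resp, base_url):
        resp.status, resp.headers["Location"] = 302, base_url + "/login.jsp"
        return True


def login_module(ident):
    """NuxeoLoginModule: run the LoginPlugin named in the identity; principal name or None."""
    if ident.user_name not in USERS:
        return None  # "principal ... does not exist", even for Trusting_LM
    if ident.login_plugin_name == "Trusting_LM":
        return ident.user_name  # validated upstream; only existence is checked here
    if ident.login_plugin_name == "default":
        return ident.user_name if USERS[ident.user_name] == ident.password else None
    return None


CHAIN = [BasicAuth(), ProxyAuth(), FormAuth()]


def run_chain(chain, req, resp, base_url="http://127.0.0.1:8080/nuxeo"):
    """Principal name on success; None after writing the prompt (if any) into resp."""
    # Round 1: automatic authentication, in chain order. In this model a rejected
    # identity simply falls through to the next plugin.
    for plugin in chain:
        ident = plugin.handleRetrieveIdentity(req, resp)
        if ident is not None and login_module(ident):
            return ident.user_name
    # Round 2: prompting, same order; the first plugin willing to prompt wins.
    for plugin in chain:
        if plugin.handleLoginPrompt(req, resp, base_url):
            break
    return None
```

Running the model shows the behaviour the text describes: a request to /nuxeo/rss without credentials gets a 401 from BASIC_AUTH, a bad password on a normal page ends in a redirect to login.jsp because BASIC_AUTH declines to prompt there, and a remote_user header is only honoured when the request came through the proxy and the user exists in the directory.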
Built-in Authentication Plugins
NuxeoAuthenticationFilter comes with two built-in authentication plugins:
FORM_AUTH: form-based authentication
This is a standard form-based authentication. The current implementation lets you configure the names of the login and password fields and the name of the page used to display the login form.
BASIC_AUTH: HTTP Basic authentication
This plugin supports standard HTTP Basic authentication. By default, it only generates the authentication prompt on configured URLs. Since Basic credentials are only base64-encoded on the wire, this plugin should only be exposed over HTTPS.
There are also additional components that provide other authentication plugins (see below).
...
Nuxeo provides a set of other authentication plugins that are not installed by default with the standard Nuxeo EP setup. These plugins can be downloaded and installed separately.
...
This plugin implements a client for the CAS SSO system (Central Authentication Service). It can be configured to use a CAS proxy. It has been tested and reported to work with CAS V2.
It is easy to test this plugin by installing the open-source JA-SIG Central Authentication Service server.
To install the CAS2 authentication plugin, you need to:
- make sure there is a CAS server already set up and running;
- download the nuxeo-platform-login-cas2 plugin;
- put it in $TOMCAT_HOME/nxserver/bundles or $JBOSS_HOME/server/default/deploy/nuxeo.ear/bundles and restart the server;
- configure the CAS2 descriptor;
- put the CAS2 plugin into the authentication chain.
In order to configure CAS2 authentication, you need to create an XML configuration file in .../nuxeo.ear/config.
Here is a sample file named CAS2-config.xml:
```xml
<component name="org.nuxeo.ecm.platform.authenticator.cas2.sso.config">
  <require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
  <require>org.nuxeo.ecm.platform.login.Cas2SSO</require>
  <!-- configure your CAS server parameters; in production use https:// URLs,
       since the service ticket and the validation response travel over them -->
  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
    <authenticationPlugin name="CAS2_AUTH">
      <loginModulePlugin>Trusting_LM</loginModulePlugin>
      <parameters>
        <parameter name="ticketKey">ticket</parameter>
        <parameter name="appURL">http://127.0.0.1:8080/nuxeo/nxstartup.faces</parameter>
        <parameter name="serviceLoginURL">http://127.0.0.1:8080/cas/login</parameter>
        <parameter name="serviceValidateURL">http://127.0.0.1:8080/cas/serviceValidate</parameter>
        <parameter name="serviceKey">service</parameter>
        <parameter name="logoutURL">http://127.0.0.1:8080/cas/logout</parameter>
      </parameters>
    </authenticationPlugin>
  </extension>
  <!-- Include CAS2 into the authentication chain -->
  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="chain">
    <authenticationChain>
      <plugins>
        <plugin>BASIC_AUTH</plugin>
        <plugin>CAS2_AUTH</plugin>
      </plugins>
    </authenticationChain>
  </extension>
</component>
```
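To make the role of each descriptor parameter concrete, here is the CAS 2.0 client exchange that such a plugin performs, as an added Python example; it is not the code of nuxeo-platform-login-cas2, and it performs no network calls (it builds the URLs and parses constructed responses written in the CAS 2.0 serviceValidate format). The parameter values are copied from the sample descriptor above; the function names are invented.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace used by CAS 2.0 serviceValidate responses

# Values copied from the sample CAS2-config.xml descriptor.
CAS2_PARAMS = {
    "ticketKey": "ticket",
    "appURL": "http://127.0.0.1:8080/nuxeo/nxstartup.faces",
    "serviceLoginURL": "http://127.0.0.1:8080/cas/login",
    "serviceValidateURL": "http://127.0.0.1:8080/cas/serviceValidate",
    "serviceKey": "service",
    "logoutURL": "http://127.0.0.1:8080/cas/logout",
}


def login_redirect_url(p=CAS2_PARAMS):
    """handleLoginPrompt: where the browser is sent; CAS comes back to appURL with a ticket."""
    return p["serviceLoginURL"] + "?" + urlencode({p["serviceKey"]: p["appURL"]})


def ticket_from_query(query_string, p=CAS2_PARAMS):
    """handleRetrieveIdentity, step 1: the service ticket CAS appended to the appURL."""
    return parse_qs(query_string).get(p["ticketKey"], [None])[0]


def validate_url(ticket, p=CAS2_PARAMS):
    """Step 2: the server-to-server validation call.

    The service value must be exactly the appURL used in the login redirect; CAS rejects
    the ticket otherwise, which is what stops a ticket issued for another service from
    being replayed against Nuxeo.
    """
    return p["serviceValidateURL"] + "?" + urlencode(
        {p["serviceKey"]: p["appURL"], p["ticketKey"]: ticket})


def parse_service_validate(xml_text):
    """Step 3: user name from a CAS 2.0 response, or None on authenticationFailure."""
    root = ET.fromstring(xml_text)
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is None:
        return None
    user = success.findtext(CAS_NS + "user")
    if not user or not user.strip():
        return None
    return user.strip()


def failure_code(xml_text):
    """The code attribute of authenticationFailure (e.g. INVALID_TICKET), or None."""
    failure = ET.fromstring(xml_text).find(CAS_NS + "authenticationFailure")
    return None if failure is None else failure.get("code")


# Constructed sample responses in the CAS 2.0 format (not captured from a real server).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>JOEUSER</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-12345 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```

The user name returned by parse_service_validate is what reaches Trusting_LM; as the tip below explains, that user must still exist in the Nuxeo directory or the login fails at createIdentity even though CAS itself succeeded.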
...
Tip: if, while authenticating on the CAS server, you get the following exception in the logs, it simply means that the user JOEUSER does not exist in the Nuxeo directory; it does not mean that the CAS process is not working.
```text
ERROR [org.nuxeo.ecm.platform.login.NuxeoLoginModule] createIdentity failed
javax.security.auth.login.LoginException: principal JOEUSER does not exist
at org.nuxeo.ecm.platform.login.NuxeoLoginModule.createIdentity(NuxeoLoginModule.java:304)
at org.nuxeo.ecm.platform.login.NuxeoLoginModule.validateUserIdentity(NuxeoLoginModule.java:362)
at org.nuxeo.ecm.platform.login.NuxeoLoginModule.getPrincipal(NuxeoLoginModule.java:216)
at org.nuxeo.ecm.platform.login.NuxeoLoginModule.login(NuxeoLoginModule.java:271)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.doAuthenticate(NuxeoAuthenticationFilter.java:205)
```
...
This plugin assumes Nuxeo is behind an authenticating reverse proxy that transmits the user identity in an HTTP header. For instance, you will configure this plugin if an Apache reverse proxy authenticates users with client certificates, or as the front end of an SSO system such as CAS (Central Authentication Service).
Because the plugin takes the header value as the authenticated identity and Trusting_LM does no further check, the deployment must guarantee that only the proxy can reach Nuxeo and that the proxy sets or overwrites the header on every request; otherwise any client able to connect to Nuxeo directly could choose its own identity by supplying the header.
To install this authentication plugin, you need to:
- download the nuxeo-platform-login-mod_sso plugin;
- put it in $TOMCAT_HOME/nxserver/bundles/ or $JBOSS_HOME/server/default/deploy/nuxeo.ear/bundles and restart the server;
- configure the plugin via an XML descriptor;
- put the plugin into the authentication chain.
In order to configure this plugin, you need to create an XML configuration file in .../nuxeo.ear/config.
Here is a sample file named proxy-auth-config.xml:
```xml
<component name="org.nuxeo.ecm.platform.authenticator.mod.sso.config">
  <require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
  <require>org.nuxeo.ecm.platform.login.Proxy</require>
  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
    <authenticationPlugin name="PROXY_AUTH">
      <loginModulePlugin>Trusting_LM</loginModulePlugin>
      <parameters>
        <!-- configure here the name of the HTTP header that is used to retrieve the user identity -->
        <parameter name="ssoHeaderName">remote_user</parameter>
      </parameters>
    </authenticationPlugin>
  </extension>
  <!-- Include Proxy Auth into the authentication chain -->
  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="chain">
    <authenticationChain>
      <plugins>
        <!-- Keep Basic Auth at the top of the chain to support RSS access via Basic Auth -->
        <plugin>BASIC_AUTH</plugin>
        <plugin>PROXY_AUTH</plugin>
      </plugins>
    </authenticationChain>
  </extension>
</component>
```
...
This plugin uses JCIFS to handle NTLM authentication.
Info: this plugin was partially contributed by Nuxeo Platform users and has been reported to work by several users.
If you have trouble with the latest version of IE on POST requests, please see the JCIFS instructions on that subject: http://jcifs.samba.org/src/docs/ntlmhttpauth.html#post
To install this authentication plugin, you need to:
- download the nuxeo-platform-login-ntlm plugin;
- put it in $TOMCAT_HOME/nxserver/bundles or $JBOSS_HOME/server/default/deploy/nuxeo.ear/bundles and restart the server;
- configure the plugin via an XML descriptor;
- put the plugin into the authentication chain.
In order to configure this plugin, you need to create an XML configuration file in .../nuxeo.ear/config.
Here is a sample file named ntlm-auth-config.xml:
```xml
<component name="org.nuxeo.ecm.platform.authenticator.ntlm.config">
  <require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
  <require>org.nuxeo.ecm.platform.login.NTLM</require>
  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
    <authenticationPlugin name="NTLM_AUTH">
      <loginModulePlugin>Trusting_LM</loginModulePlugin>
      <parameters>
        <!-- Add here the parameters for your domain, see http://jcifs.samba.org/src/docs/ntlmhttpauth.html
        <parameter name="jcifs.http.domainController">MyControler</parameter>
        -->
      </parameters>
    </authenticationPlugin>
  </extension>
  <!-- Include NTLM Auth into the authentication chain -->
  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="chain">
    <authenticationChain>
      <plugins>
        <plugin>BASIC_AUTH</plugin>
        <plugin>NTLM_AUTH</plugin>
        <plugin>FORM_AUTH</plugin>
      </plugins>
    </authenticationChain>
  </extension>
</component>
```
...
This plugin provides a way to handle identity propagation between an external application and Nuxeo. It was written in order to propagate user identity between a JSR 168 portal and a Nuxeo server. See the Nuxeo-Http-client-library for more information.
To install this authentication plugin, you need to:
- download the nuxeo-platform-login-portal-sso plugin;
- put it in $TOMCAT_HOME/nxserver/bundles or $JBOSS_HOME/server/default/deploy/nuxeo.ear/bundles and restart the server;
- configure the plugin via an XML descriptor;
- put the plugin into the authentication chain.
In order to configure this plugin, you need to create an XML configuration file in .../nuxeo.ear/config.
Here is a sample file named portal-auth-config.xml:
```xml
<component name="org.nuxeo.ecm.platform.authenticator.portal.sso.config">
  <require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
  <require>org.nuxeo.ecm.platform.login.Portal</require>
  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
    <authenticationPlugin name="PORTAL_AUTH">
      <loginModulePlugin>Trusting_LM</loginModulePlugin>
      <parameters>
        <!-- define here the shared secret between the portal and the Nuxeo server;
             use a long random value of your own, not this sample -->
        <parameter name="secret">nuxeo5secretkey</parameter>
        <parameter name="maxAge">3600</parameter>
      </parameters>
    </authenticationPlugin>
  </extension>
  <!-- Include Portal Auth into the authentication chain -->
  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="chain">
    <authenticationChain>
      <plugins>
        <!-- Keep Basic Auth at the top of the chain to support RSS access via Basic Auth -->
        <plugin>BASIC_AUTH</plugin>
        <plugin>PORTAL_AUTH</plugin>
        <plugin>FORM_AUTH</plugin>
      </plugins>
    </authenticationChain>
  </extension>
</component>
```
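The two parameters in this descriptor, a shared secret and a maxAge, are the usual ingredients of a signed, time-limited identity assertion. The Python below is an added illustration of what they protect against, written with HMAC-SHA256, invented field names (ts, nonce, user, token) and an optional replay cache; it is not the wire format of the Nuxeo portal SSO protocol (the Nuxeo-Http-client-library is the reference for that). The secret and maxAge values are taken from the sample descriptor.

```python
import hashlib
import hmac
import os
import time

# Values from the sample descriptor above. Replace the secret in any real deployment.
SECRET = b"nuxeo5secretkey"
MAX_AGE = 3600  # seconds, the <parameter name="maxAge"> value


def make_token(user, secret=SECRET, now=None, nonce=None):
    """Portal side: assert `user` at time ts with a fresh nonce, bound by an HMAC over all three."""
    ts = str(int(time.time() if now is None else now))
    nonce = nonce or os.urandom(8).hex()
    mac = hmac.new(secret, f"{ts}:{nonce}:{user}".encode(), hashlib.sha256).hexdigest()
    return {"ts": ts, "nonce": nonce, "user": user, "token": mac}


def verify_token(hdrs, secret=SECRET, max_age=MAX_AGE, now=None, replay_cache=None):
    """Nuxeo side: the user name if the assertion is fresh, untampered and (optionally) unseen, else None."""
    try:
        ts = int(hdrs["ts"])
        user, nonce, token = hdrs["user"], hdrs["nonce"], hdrs["token"]
    except (KeyError, ValueError):
        return None
    now = int(time.time() if now is None else now)
    # maxAge bounds how long a captured assertion stays usable; allow a little clock skew.
    if not (now - max_age <= ts <= now + 60):
        return None
    expected = hmac.new(secret, f"{ts}:{nonce}:{user}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token):  # constant-time comparison
        return None
    if replay_cache is not None:  # refuse the same assertion twice within maxAge
        if (ts, nonce) in replay_cache:
            return None
        replay_cache.add((ts, nonce))
    return user
```

Because the user name is part of the signed input, changing it in transit invalidates the token; because the timestamp is checked against maxAge, a captured assertion expires; and because the nonce is remembered, an assertion cannot be replayed inside that window. The replay cache only needs to hold entries for maxAge seconds.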
...
This plugin provides anonymous authentication: users are automatically logged in as a configurable anonymous user. This module also includes additional actions (to be able to log in when already logged in as Anonymous) and dedicated exception handling (to automatically redirect anonymous users to the login screen after a security error).
To install this authentication plugin, you need to:
- download the nuxeo-platform-login-anonymous plugin;
- put it in $TOMCAT_HOME/nxserver/bundles or $JBOSS_HOME/server/default/deploy/nuxeo.ear/bundles and restart the server;
- configure the plugin via an XML descriptor (define who the anonymous user will be);
- put the plugin into the authentication chain.
In order to configure this plugin, you need to create an XML configuration file in .../nuxeo.ear/config.
Here is a sample file named anonymous-auth-config.xml:
```xml
<?xml version="1.0"?>
<component name="org.nuxeo.ecm.platform.login.anonymous.config">
  <!-- Make sure these components are read first -->
  <require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
  <require>org.nuxeo.ecm.platform.login.anonymous</require>
  <!-- Add an Anonymous user -->
  <extension target="org.nuxeo.ecm.platform.usermanager.UserService" point="userManager">
    <userManager>
      <users>
        <anonymousUser id="Guest">
          <property name="firstName">Guest</property>
          <property name="lastName">User</property>
        </anonymousUser>
      </users>
    </userManager>
  </extension>
  <!-- Override the default authentication chain present in nuxeo-platform-ui-web to add ANONYMOUS_AUTH. -->
  <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="chain">
    <authenticationChain>
      <plugins>
        <plugin>BASIC_AUTH</plugin>
        <plugin>ANONYMOUS_AUTH</plugin>
        <plugin>FORM_AUTH</plugin>
      </plugins>
    </authenticationChain>
  </extension>
</component>
```