Table of Contents
In Nuxeo EP, the concept of a user is needed for two main reasons:
Users are needed for authentication and authorization to work,
Users have associated information that can be displayed, for instance to display someone's full name or email address.
An abstraction, the
UserManager, centralizes the
way a Nuxeo EP application deals with users (and groups of users). The
UserManager is queried by the platform's
LoginModule when someone
attemps to authenticate against the framework. It is also queried whenever
someone wants the last name or email of a user for instance, or to get all
users having "Bob" as their first name.
The data about users (login, password, name, personal information, etc.) and the groups they belong to (simple members, or any application-related group) are managed through the Directory abstraction. This means that users can be stored in LDAP or in SQL, and groups can be part of the LDAP tree or stored in a SQL table, but the application doesn't see the difference as long as the connectors are configured properly.
To define a new source of users, you simply define a new directory (or redefine the default one) to use different connection and schema information. We'll use an example where the pet-name field is added to the user's schema.
Let's start by defining our new schema in a
.xsd file, myuser.xsd:
<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:nxs="http://www.nuxeo.org/ecm/schemas/user"
targetNamespace="http://www.nuxeo.org/ecm/schemas/user">
<xs:include schemaLocation="base.xsd" />
<xs:element name="username" type="xs:string" />
<xs:element name="password" type="xs:string" />
<xs:element name="email" type="xs:string" />
<xs:element name="firstName" type="xs:string" />
<xs:element name="lastName" type="xs:string" />
<xs:element name="company" type="xs:string" />
<xs:element name="petName" type="xs:string" />
<!-- inverse reference -->
<xs:element name="groups" type="nxs:stringList" />
</xs:schema>
This schema must be registered in an extension point:
<extension target="org.nuxeo.ecm.core.schema.TypeService" point="schema"> <schema name="myuser" src="myuser.xsd" /> </extension>
TODO: FG groups
The user schema can now be used when we define a new directory,
MyUserDirectory. A SQL directory is defined like
this:
<extension target="org.nuxeo.ecm.directory.sql.SQLDirectoryFactory" point="directories"> <directory name="MyUserDirectory"> <schema>myuser</schema> <idField>username</idField> <passwordField>password</passwordField> <dataSource>java:/nxsqldirectory</dataSource> <table>myusers</table> <dataFile>myusers.csv</dataFile> <createTablePolicy>on_missing_columns</createTablePolicy> <references> <inverseReference field="groups" directory="groupDirectory" dualReferenceField="members" /> </references> </directory> </extension>
And we can provide a file, myusers.csv, which
will be used to populate the table if it is missing:
username, password, firstName, lastName, company, email, petName bob,bobSecret,Bob,Doe,ACME,[email protected],Lassie
If instead we had used an LDAP directory, the configuration would look like:
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="servers"> <server name="default"> <ldapUrl>ldap://localhost:389</ldapUrl> <bindDn>cn=manager,dc=example,dc=com</bindDn> <bindPassword>secret</bindPassword> </server> </extension> <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="directories"> <directory name="MyUserDirectory"> <schema>myuser</schema> <idField>username</idField> <passwordField>password</passwordField> <server>default</server> <searchBaseDn>ou=people,dc=example,dc=com</searchBaseDn> <searchClass>inetOrgPerson</searchClass> <searchScope>subtree</searchScope> <fieldMapping name="username">uid</fieldMapping> <fieldMapping name="password">userPassword</fieldMapping> <fieldMapping name="email">mail</fieldMapping> <fieldMapping name="firstName">givenName</fieldMapping> <fieldMapping name="lastName">sn</fieldMapping> <fieldMapping name="company">o</fieldMapping> <references> <inverseReference field="groups" directory="groupDirectory" dualReferenceField="members" /> </references> </directory> </extension>
Detailed configuration on SQL Directories and LDAP Directories can be found in Chapter 16, Directories and Vocabularies.
We can now tell the UserManager that this directory should be the one to use when dealing with users:
<extension target="org.nuxeo.ecm.platform.usermanager.UserService" point="userManager">
<userManager>
<defaultAdministratorId>Administrator</defaultAdministratorId>
<defaultGroup>members</defaultGroup>
<userListingMode>search_only</userListingMode>
<users>
<directory>MyUserDirectory</directory>
<emailField>email</emailField>
<searchFields>
<searchField>username</searchField>
<searchField>firstName</searchField>
<searchField>lastName</searchField>
<searchField>myfield</searchField>
</searchFields>
</users>
</userManager>
</extension>
Finally, because the different fields of a user are visible when
creating or viewing them through the user management screens, we
redefine the layout of two standard document types,
User and UserCreate (which are
used in the default user management screens and backing beans) to add
our new field:
<extension target="org.nuxeo.ecm.platform.types.TypeService" point="types">
<type id="User" coretype="User">
<label>User</label>
<icon>/icons/user.gif</icon>
<default-view>view_user</default-view>
<layout>
<widget schemaname="myuser" fieldname="username"
jsfcomponent="h:inputTextReadOnly" />
<widget schemaname="myuser" fieldname="firstName"
jsfcomponent="h:inputText" />
<widget schemaname="myuser" fieldname="lastName"
jsfcomponent="h:inputText" />
<widget schemaname="myuser" fieldname="email"
jsfcomponent="h:inputText" />
<widget schemaname="myuser" fieldname="company"
jsfcomponent="h:inputText" />
<widget schemaname="myuser" fieldname="petName"
jsfcomponent="h:inputText" />
</layout>
</type>
<type id="UserCreate" coretype="UserCreate">
<label>UserCreate</label>
<icon>/icons/user.gif</icon>
<default-view>create_user</default-view>
<layout>
<widget schemaname="myuser" fieldname="username"
jsfcomponent="h:inputText" required="true" />
<widget schemaname="myuser" fieldname="password"
jsfcomponent="h:inputSecret" required="true" />
<widget schemaname="myuser" fieldname="firstName"
jsfcomponent="h:inputText" />
<widget schemaname="myuser" fieldname="lastName"
jsfcomponent="h:inputText" />
<widget schemaname="myuser" fieldname="email"
jsfcomponent="h:inputText" required="true" />
<widget schemaname="myuser" fieldname="company"
jsfcomponent="h:inputText" />
<widget schemaname="myuser" fieldname="petName"
jsfcomponent="h:inputText" />
</layout>
</type>
</extension>
Nuxeo Authentication is based on the JAAS standard.
Authentication infrastructure is based on 2 main components :
a JAAS Login Module: NuxeoLoginModule
a Web Filter: NuxeoAuthenticationFilter
Users and groups and managed via the UserManagerService that handles the indirection to users and groups directories (SQL or LDAP).
Nuxeo authentication framework is pluggable so that you can contribute new plugin and don't have to rewrite and reconfigure a complete JAAS infrastructure.
NuxeoLoginModule is a JAAS LoginModule. It is responsible for handling all login call within Nuxeo's security domains:
nuxeo-ecm: for the service stack and the core
nuxeo-ecm-web: for the web application on the top of the
service stack
On JBoss application server, the JBoss Client Login module is used to propagate security between the web part and the service stack.
Here is the default JBoss security configuration:
<domain name="nuxeo-ecm-web">
<login-module code = "org.nuxeo.ecm.platform.login.NuxeoLoginModule"
flag = "required">
<option name="principalClassName">org.nuxeo.ecm.platform.login.NuxeoPrincipal</option>
<option name="useUserIdentificationInfoCB">true</option>
</login-module>
<login-module code="org.jboss.security.ClientLoginModule" flag="required">
<option name="password-stacking">true</option>
<option name="restore-login-identity">true</option>
<option name="multi-threaded">true</option>
</login-module>
</domain>
<domain name="nuxeo-ecm">
<login-module code = "org.nuxeo.ecm.platform.login.NuxeoLoginModule" flag = "required">
<option name="principalClassName">org.nuxeo.ecm.platform.login.NuxeoPrincipal</option>
<option name="useUserIdentificationInfoCB">true</option>
</login-module>
</domain>
As shown by this configuration, the principals returned by
NuxeoLoginModule is org.nuxeo.ecm.platform.login.NuxeoPrincipal.
Each protected service declares the nuxeo-ecm security domain
<?xml version="1.0" encoding="UTF-8"?>
<jboss>
<enterprise-beans>
<session>
<ejb-name>DocumentManagerBean</ejb-name>
<security-domain>nuxeo-ecm</security-domain>
</session>
</enterprise-beans>
</jboss>
NuxeoLoginModule mainly handles 2 tasks:
login user
This means extract information from the CallBack stack and validate identity.
NuxeoLoginModule supports several types of CallBacks (including Nuxeo specific CallBack) and uses a plugin system to be able to validate user identity in a pluggable way.
Principal creation
For that NuxeoLoginModule uses Nuxeo UserManager service that does the indirection to the users/groups directories.
When used in conjonction with UserIdentificationInfoCallback (Nuxeo custom CallBack system), the LoginModule will choose the right LoginPlugin according to the CallBack information.
Because validating User identity can be more complex that just checking login/password, NuxeoLoginModule exposes an extension point to contribute new LoginPlugins
Each LoginPlugin has to implement the
org.nuxeo.ecm.platform.login.LoginPlugin interface.
Main method is:
String validatedUserIdentity(UserIdentificationInfo userIdent)
that is used to validate the UserIdentificationInfo.
Typically, default implementation will extract Login/Password from UserIdentificationInfo and call the checkUsernamePassword against the UserManager that will validate this information against the users directory.
Other plugins can use other informations carried by UserIdentificationInfo (token, ticket ...) to validate the identity against an external SSO system. The UserIdentificationInfo also carries the LoginModule plugin name that must be used to validate identity. Even if technically, a lot of SSO system could be implemented using this plugin system, most SSO implementations have be moved to the Authentication Plugin at the Web Filter level, because they need a http dialog.
For now, the NuxeoLoginModule has only two way to handle validateUserIdentity:
default
Uses UserManager
Trusted_LM
This plugin assumes the user identity has already been validated by the authentication filter, so the validatedUserIdentity will always return true. Using this LoginModule plugin, a user will be logged if the user exists in the UserManager. This plugin is used for most SSO system in conjonction with a Authentication plugin that will actually do the work of validating password or token.
The Login system can be used via Remote EJB calls.
You can login as System user:
LoginContext lc = Framework.login(); // do some service calls lc.logout();
You can login using user / password:
LoginContext lc = Framework.login(userName, password); // do some service calls lc.logout();
You can also call the login method and pass it directly a CallBackHandler. This can be used in conjonction with org.nuxeo.ecm.platform.api.login.UserIdentificationInfoCallbackHandler.
The Web Authentication filter is responsible for:
guarding access to web resources
The filter can be parametrized to guard urls with a given pattern
finding the right plugin to get user identification information
This can be getting a userName/Password, getting a token in a cookie or a header, redirecting user to another authentication server.
create the LoginContext
This means creating the needed callBacks and call the JAAS Login
store and reestablish login context
In order to avoid recreating a login context for each request, the LoginContext is cached.
The NuxeoAuthenticationFilter is one of the top level filter in Nuxeo Web Filters stack.
For each request it will try to find a existing LoginContext and create a RequestWrapper that will carry the NuxeoPrincipal.
If no existing LoginContext is found it will try to prompt the client for authentication information and will establish the login context.
If order to execute the task of prompting the client and retrieving UserIndetificationInfo, the filter will rely on a set of configured plugins.
Each plugin must:
Implement org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPlugin
The two main methods are:
Boolean handleLoginPrompt(HttpServletRequest httpRequest,HttpServletResponse httpResponse, String baseURL); UserIdentificationInfo handleRetrieveIdentity(HttpServletRequest httpRequest, HttpServletResponse httpResponse);
Define the LoginModule plugin to use if needed
Typically, SSO AuthenticationPlugin will do all the work and will use the Trusted_LM LoginModule Plugin.
Define if stating URL must be saved
AuthenticationPlugins that uses HTTP redirect in order to do the login prompt will let the Filter store the first accessed URL in order to cleanly redirect the user to the page he asked after the authentication is successful.
Additionnaly, AuthenticationPlugin can also
implement the org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPluginLogoutExtension interface if a specific processing must be done when logging out.
Here is a sample XML descriptor for registering an AuthenticationPlugin:
<?xml version="1.0"?>
<component name="org.nuxeo.ecm.platform.ui.web.auth.defaultConfig">
<extension
target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
point="authenticators">
<authenticationPlugin name="FORM_AUTH" enabled="true"
class="org.nuxeo.ecm.platform.ui.web.auth.plugins.FormAuthenticator">
<needStartingURLSaving>true</needStartingURLSaving>
<parameters>
<parameter name="LoginPage">login.jsp</parameter>
<parameter name="UsernameKey">user_name</parameter>
<parameter name="PasswordKey">user_password</parameter>
</parameters>
</authenticationPlugin>
</extension>
</component>
As you can see in the above example, the descriptor contains the parameters tag that can be used to embed arbitrary additional configuration that will be specific to a given AuthenticationPlugin. In the above example, it is used to define the field names and the JSP file used for form based authentication.
NuxeoAuthenticationFilter supports several authentication system. This is, for example, useful for having users using Form based authentication and having RSS clients using Basic Authentication. Because of that AuthenticationPlugin must be ordered. For that purpose, NuxeoAuthenticationFilter uses a dedicated extension point that let you define the AuthenticationChain.
<component name="Anonymous.auth.activation">
<require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
<extension
target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
point="chain">
<authenticationChain>
<plugins>
<plugin>BASIC_AUTH</plugin>
<plugin>ANONYMOUS_AUTH</plugin>
<plugin>FORM_AUTH</plugin>
</plugins>
</authenticationChain>
</extension>
</component>
The NuxeoAuthenticationFilter will use this chain to trigger the
login prompt. Typically, when authentication is needed, the Filter will
call the handleLoginPrompt method on the plugins in the order of the
authentication chain. When prompt is done, it will call the
handleRetrieveIdentity method in the same order.
Some AuthenticationPlugin may choose not to trigger the LoginPrompt in all cases. For example, the BasicAuthentication plugin only generates the prompt for specific urls like RSS feeds or restlet calls. This allow the platform to be easily called by Restlets or RSS clients without bothering browser clients.
NuxeoAuthenticationFilter comes with two built-in authentication plugins:
FORM_AUTH: Form based Authentication
This is a standard form based authentication. Current implementation let you configure the name of the Login and Password fields, and the name of the page used to display the login page
BASIC_AUTH: Basic HTTP Authentication
This plugin supports standard HTTP Basic Authentication. By default, this plugin only generates the authentication prompt on configured URLs.
There are also additional components that provides other Authentication plugins (see below).
Nuxeo provides a set of other authentication plugins that are not installed by default with the standard Nuxeo EP setup. These plugins can be downloaded and installed separately.
This plugin implements a client for CAS2 SSO system (Central Authentication System V2):
To install this authentication plugin, you need to:
download the nuxeo-platform-login-cas2 plugin
put it in $JBOSS_HOME/server/default/deploy/nuxeo.ear/plugins and restart the server
configure the CAS2 descriptor
put CAS2 plugin into the authentication chain
In order to configure CAS2 Auth, you need to create an XML
configuration file into
$JBOSS_HOME/server/default/deploy/nuxeo.ear/config
Here is a sample file named CAS2-config.xml.
<component name="MyAPP.Cas2SSO">
<require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
<require>org.nuxeo.ecm.platform.login.Cas2SSO</require>
<!-- configure you CAS server parameters -->
<extension
target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
point="authenticators">
<authenticationPlugin
name="CAS2_AUTH">
<loginModulePlugin>Trusting_LM</loginModulePlugin>
<parameters>
<parameter name="ticketKey">ticket</parameter>
<parameter name="appURL">http://127.0.0.1:8080/nuxeo/nxstartup.faces</parameter>
<parameter name="serviceLoginURL">http://127.0.0.1:8080/cas/login</parameter>
<parameter name="serviceValidateURL">http://127.0.0.1:8080/cas/serviceValidate</parameter>
<parameter name="serviceKey">service</parameter>
<parameter name="logoutURL">http://127.0.0.1:8080/cas/logout</parameter>
</parameters>
</authenticationPlugin>
</extension>
<!-- Include CAS2 into authentication chain -->
<extension
target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
point="chain">
<authenticationChain>
<plugins>
<plugin>BASIC_AUTH</plugin>
<plugin>CAS2_AUTH</plugin>
</plugins>
</authenticationChain>
</extension>
</component>
This plugin assumes Nuxeo is behind a authenticating reverse proxy that transmit user identity using HTTP headers. This modules has be used on projects that uses a apache reverse proxy using client certificates to authenticate. SSO system (Central Authentication System V2):
To install this authentication plugin, you need to:
download the nuxeo-platform-login-mod_sso plugin
put it in
$JBOSS_HOME/server/default/deploy/nuxeo.ear/plugins and restart
the server
configure the plugin via an XML descriptor
put the plugin into the authentication chain
In order to configure this plugin, you need to create an XML
configuration file into
$JBOSS_HOME/server/default/deploy/nuxeo.ear/config
Here is a sample file named proxy-auth-config.xml.
<component name="MyAPP.Mod_sso">
<require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
<require>org.nuxeo.ecm.platform.login.Proxy</require>
<extension
target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
point="authenticators">
<authenticationPlugin
name="PROXY_AUTH">
<loginModulePlugin>Trusting_LM</loginModulePlugin>
<parameters>
<!-- configure here the name of the http header that is used to retrieve user identity -->
<parameter name="ssoHeaderName">remote_user</parameter>
</parameters>
</authenticationPlugin>
</extension>
<!-- Include Proxy Auth into authentication chain -->
<extension
target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
point="chain">
<authenticationChain>
<plugins>
<!-- Keep basic Auth at top of Auth chain to support RSS access via BasicAuth -->
<plugin>BASIC_AUTH</plugin>
<plugin>PROXY_AUTH</plugin>
</plugins>
</authenticationChain>
</extension>
</component>
This plugin uses JCIFS to handle NTLM authentication.
This plugging was partially contributed by Nuxeo EP users and has been reported to work by several users.
If you have troubles with latest version of IE on POST requests, please see JCIFS instructions on that (http://jcifs.samba.org/src/docs/ntlmhttpauth.html#post).
To install this authentication plugin, you need to :
download the nuxeo-platform-login-ntlm plugin
put it in
$JBOSS_HOME/server/default/deploy/nuxeo.ear/plugins and restart
the server
configure the plugin via an XML descriptor
put the plugin into the authentication chain
In order to configure this plugin, you need to create an XML
configuration file into
$JBOSS_HOME/server/default/deploy/nuxeo.ear/config
Here is a sample file named ntlm-auth-config.xml.
<component name="MyAPP.NTLM">
<require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
<require>org.nuxeo.ecm.platform.login.NTLM</require>
<extension
target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
point="authenticators">
<authenticationPlugin
name="NTLM_AUTH">
<loginModulePlugin>Trusting_LM</loginModulePlugin>
<parameters>
<!-- Add here parameters for you domain, please ee http://jcifs.samba.org/src/docs/ntlmhttpauth.html
<parameter name="jcifs.http.domainController">MyControler</parameter>
-->
</parameters>
</authenticationPlugin>
</extension>
<!-- Include NTLM Auth into authentication chain -->
<extension
target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
point="chain">
<authenticationChain>
<plugins>
<plugin>BASIC_AUTH</plugin>
<plugin>NTLM_AUTH</plugin>
<plugin>FORM_AUTH</plugin>
</plugins>
</authenticationChain>
</extension>
</component>
This plugin provides a way to handle identity propagation between an external application and Nuxeo. It was coded in order to propagate user identify between a JSR168 portal and a Nuxeo server. See the Nuxeo-Http-client-library for more information.
To install this authentication plugin, you need to :
download the nuxeo-platform-login-portal-sso plugin
put it in
$JBOSS_HOME/server/default/deploy/nuxeo.ear/plugins and restart
the server
configure the plugin via an XML descriptor
put the plugin into the authentication chain
In order to configure this plugin, you need to create an XML
configuration file into
$JBOSS_HOME/server/default/deploy/nuxeo.ear/config
Here is a sample file named portal-auth-config.xml.
<component name="MyAPP.postal_sso">
<require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
<require>org.nuxeo.ecm.platform.login.Portal</require>
<extension
target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
point="authenticators">
<authenticationPlugin
name="PORTAL_AUTH">
<loginModulePlugin>Trusting_LM</loginModulePlugin>
<parameters>
<!-- define here shared secret between the portal and Nuxeo server -->
<parameter name="secret">nuxeo5secretkey</parameter>
<parameter name="maxAge">3600</parameter>
</parameters>
</authenticationPlugin>
</extension>
<!-- Include Portal Auth into authentication chain -->
<extension
target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
point="chain">
<authenticationChain>
<plugins>
<!-- Keep basic Auth at top of Auth chain to support RSS access via BasicAuth -->
<plugin>BASIC_AUTH</plugin>
<plugin>PORTAL_AUTH</plugin>
<plugin>FORM_AUTH</plugin>
</plugins>
</authenticationChain>
</extension>
</component>
This plugin provides anonymous authentication. Users are automatically logged as a configurable Anonymous user. This modules also includes additional actions (to be able to login when already logged as Anonymous) and a dedicated Exception handling (to automatically redirect Anonymous users to login screen after a security error).
To install this authentication plugin, you need to :
download the nuxeo-platform-login-anonymous plugin
put it in
$JBOSS_HOME/server/default/deploy/nuxeo.ear/plugins and restart
the server
configure the plugin via an XML descriptor (define who the anonymous user will be)
put the plugin into the authentication chain
In order to configure this plugin, you need to create an XML
configuration file into
$JBOSS_HOME/server/default/deploy/nuxeo.ear/config
Here is a sample file named anonymous-auth-config.xml.
<?xml version="1.0"?>
<component name="org.nuxeo.ecm.platform.login.anonymous.config">
<!-- Make sure these components are read first -->
<require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
<require>org.nuxeo.ecm.platform.login.anonymous</require>
<!-- Add an Anonymous user -->
<extension target="org.nuxeo.ecm.platform.usermanager.UserService"
point="userManager">
<userManager>
<users>
<anonymousUser id="Guest">
<property name="firstName">Guest</property>
<property name="lastName">User</property>
</anonymousUser>
</users>
</userManager>
</extension>
<!-- Override the default authentication chain present in
nuxeo-platform-ui-web to add ANONYMOUS_AUTH. -->
<extension
target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
point="chain">
<authenticationChain>
<plugins>
<plugin>BASIC_AUTH</plugin>
<plugin>ANONYMOUS_AUTH</plugin>
<plugin>FORM_AUTH</plugin>
</plugins>
</authenticationChain>
</extension>
</component>