Custom Authenticator with Basic Authentication fails

Hello, I would like to open an XWiki page with a specific user from an external application, so I thought the easiest approach would be using Basic Authentication:

https://username:password@mywiki.xwiki.com/xwiki/bin/view/Main/?basicauth=1

Since I don’t want to include the password in the URL, I want to make a custom authenticator, which uses an encrypted password/token and decrypts it before calling the actual XWiki authentication method.

The tutorial says to extend XWikiAuthServiceImpl, so I created this test-authenticator (for easier reproducibility):

import java.security.Principal;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.xpn.xwiki.XWikiContext;
import com.xpn.xwiki.XWikiException;
import com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl;

public class TestTokenAuthenticator extends XWikiAuthServiceImpl
{
    protected static final Logger LOG = LoggerFactory.getLogger(TestTokenAuthenticator.class);

    @Override
    public Principal authenticate(String username, String password, XWikiContext context) throws XWikiException
    {
        LOG.debug("authenticate start for username=" + username);

        if (password != null && password.startsWith("XXX"))
        {
            LOG.debug("password starts with XXX, removing");
            // just remove XXX, actual implementation would decode the token
            password = password.substring(3);
        }

        LOG.debug("calling super.authenticate");

        // call super.authenticate, so xwiki handles the authentication with the changed password, if it has been changed
        return super.authenticate(username, password, context);
    }
}

So this authenticator just removes the “XXX” from the password and uses the new password to login with the underlying implementation.

I set the xwiki.authentication.authclass property, and the authenticator works:

If I navigate to
https://user1:XXXpassword@mywiki.xwiki.com/xwiki/bin/view/Main/?basicauth=1
the login works, because “XXX” is removed, and if I use
https://user1:password@mywiki.xwiki.com/xwiki/bin/view/Main/?basicauth=1 (standard implementation)
it also works, because the super.authenticate is called anyway.

The problem starts when the wrong password is used 3 times:
After supplying the wrong password 3 times via basic authentication, the login via basic authentication fails even when the correct password is entered again afterwards. The browser just shows the dialog to enter username and password, no matter how often I enter the correct password.

When this happens, and I try to login via the login form (not basic authentication), the first time the login form is shown normally, but after submitting it, it is shown again and shows a CAPTCHA.
I checked the wiki settings, and this seems to be the standard setting of “Authentication Security”, to show a CAPTCHA after 3 failed logins.
So after entering the correct password and CAPTCHA, the login via form works. But the basic authentication login still does not work.
The only way to get it working again is to disable the “Authentication Security” CAPTCHA entirely or to restart xwiki.
Waiting for 600 seconds (standard setting) also does not allow login via basic authentication again.

Is this the normal behaviour or am I missing something in my implementation?

When I don’t use a custom authenticator (xwiki uses the default org.xwiki.security.authservice.internal.StandardXWikiAuthServiceComponent) and try the same thing, basic authentication also stops working after 3 wrong logins, but after logging in via form and CAPTCHA, basic authentication sometimes starts working again, sometimes not (and I have to restart xwiki).
Waiting 600 seconds (when no custom authenticator is used) also does not re-enable the basic authentication method.

My current workaround is to disable the CAPTCHA, but this does not sound like a good idea because of brute-force attacks et cetera.

Here is the part of the logfile when the login fails after using a wrong password in basic authentication 3 times and then re-enabling the user by using the login form and CAPTCHA:

DEBUG x.x.u.i.x.XWikiAuthServiceImpl - XWikiAuthServiceImpl.checkAuth(XWikiContext) took 0 milliseconds to run.
DEBUG a.i.x.a.TestTokenAuthenticator - authenticate start for username=user1
DEBUG a.i.x.a.TestTokenAuthenticator - calling super.authenticate
DEBUG x.x.u.i.x.XWikiAuthServiceImpl - Password check for user XWiki.user1 successful
DEBUG x.x.u.i.x.XWikiAuthServiceImpl - 0 milliseconds spent validating password.
WARN  nticationFailureLoggerListener - Authentication failure with login [user1]
DEBUG x.x.u.i.x.XWikiAuthServiceImpl - XWikiAuthServiceImpl.checkAuth(XWikiContext) took 11 milliseconds to run.

So the TestTokenAuthenticator and XWikiAuthServiceImpl report a successful login, but some FailureLoggerListener still reports a login failure.

Why does this happen?

How can I keep the CAPTCHA for forms enabled but not use it for basic authentication, or at least be able to use basic authentication again after waiting 600 seconds?

Thanks
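The "actual implementation would decode the token" step from the test authenticator above, as an added example that is not code from the post or from XWiki: the token after a `tok:` prefix is an AES-GCM ciphertext of the real password, bound to the username via AAD, so a token cut from one user's URL cannot be replayed for another user, and a malformed token fails without ever being retried as a plain password. The class name, the `tok:` prefix, the token layout and the `XWIKI_TOKEN_KEY` environment variable are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import com.xpn.xwiki.XWikiContext;
import com.xpn.xwiki.XWikiException;
import com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl;

public class TokenAuthenticator extends XWikiAuthServiceImpl
{
    private static final String PREFIX = "tok:";
    // Hypothetical: 256-bit AES key, base64 in the XWIKI_TOKEN_KEY environment variable of the server.
    private static final byte[] KEY = Base64.getDecoder().decode(System.getenv("XWIKI_TOKEN_KEY"));

    @Override
    public Principal authenticate(String username, String password, XWikiContext context) throws XWikiException
    {
        if (password == null || !password.startsWith(PREFIX)) {
            // no token prefix: unchanged plain-password path, as in the post
            return super.authenticate(username, password, context);
        }
        String plaintext = decryptToken(password.substring(PREFIX.length()), username);
        if (plaintext == null) {
            // malformed or tampered token: fail here, do not retry the raw token as a password
            return null;
        }
        return super.authenticate(username, plaintext, context);
    }

    /** Token body = base64url(12-byte nonce || AES-GCM ciphertext+tag); the username is bound as AAD. */
    static String decryptToken(String body, String username)
    {
        try {
            byte[] blob = Base64.getUrlDecoder().decode(body);
            if (blob.length < 12 + 16) {
                return null; // too short to hold a nonce plus a 128-bit tag
            }
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "AES"), new GCMParameterSpec(128, blob, 0, 12));
            cipher.updateAAD(username.getBytes(StandardCharsets.UTF_8));
            byte[] plain = cipher.doFinal(blob, 12, blob.length - 12);
            return new String(plain, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null; // wrong key, modified ciphertext, bad base64, or token issued for another user
        }
    }
}
```

The token is still a bearer credential that lands in browser history and access logs, so the issuing side should use a fresh nonce per token and keep tokens short-lived; nothing in this class changes the failed-login counting or CAPTCHA behaviour the post asks about.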