Web UI Pre-Authentication
You can configure Horizon to run behind a proxy that provides authentication, and then pass the pre-authenticated user to the Horizon webapp using a header.
Define the pre-authentication configuration in ${OPENNMS_HOME}/jetty-webapps/opennms/WEB-INF/spring-security.d/header-preauth.xml.
This file is automatically included in the Spring security context, but is not enabled by default.
| Do not configure Horizon this way unless you are certain the web UI is accessible only to the proxy and not to end users. Otherwise, malicious attackers can craft queries that include the pre-authentication header and get full control of the web UI and REST APIs. |
Enable pre-authentication
Edit the header-preauth.xml file, and set the enabled property:
<beans:property name="enabled" value="true" />
Configure pre-authentication
You can also set the following properties to change the behavior of the pre-authentication plugin:
| Property | Description | Default |
|---|---|---|
| enabled | Whether the pre-authentication plugin is active. | false |
| failOnError | If | false |
| userHeader | The HTTP header that specifies the user to authenticate as. | X-Remote-User |
| credentialsHeader | A comma-separated list of credentials to associate with the principal. If specified, the header must be set for authentication to be successful. | |
| authoritiesHeader | The HTTP header that will contain a comma-separated list of authorities (roles) the user will have. | no default value |
Enable pre-authorization
Modify ${OPENNMS_HOME}/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml, and set the following:
<beans:bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
  <beans:property name="preAuthenticatedUserDetailsService">
    <beans:bean id="preAuthUserDetailsService" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService"/>
  </beans:property>
</beans:bean>
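You can then use the following command to test. The command sends the roles in X-Remote-Role, so authoritiesHeader must be set to that header name for the roles to apply: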
curl -H "X-Remote-User: myuser" -H "X-Remote-Role: ROLE_USER,ROLE_REST" http://localhost:8980/opennms/rest/whoami
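The warning above depends on the proxy being the only source of the pre-authentication headers. The following nginx configuration is an added example, not part of the Horizon documentation, showing a proxy that authenticates the user and overwrites any client-supplied X-Remote-User and X-Remote-Role before forwarding. It assumes authoritiesHeader is set to X-Remote-Role as in the test command; the server name, certificate paths and htpasswd path are placeholders.

```nginx
# Added example: nginx as the authenticating proxy in front of Horizon.
# Placeholder values: server_name, certificate paths, htpasswd path.
server {
    listen 443 ssl;
    server_name horizon.example.org;                  # placeholder
    ssl_certificate     /etc/nginx/tls/horizon.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/horizon.key;   # placeholder

    location /opennms/ {
        # The proxy authenticates the user; Horizon trusts the result.
        auth_basic           "Horizon";
        auth_basic_user_file /etc/nginx/horizon.htpasswd;  # placeholder

        # Weak setting: a bare proxy_pass without the two header lines below
        # forwards whatever X-Remote-User / X-Remote-Role the client sent.

        # proxy_set_header replaces a client-sent header of the same name,
        # so Horizon only ever sees the user that nginx authenticated.
        proxy_set_header X-Remote-User $remote_user;

        # Roles are fixed by the proxy and never taken from the request.
        proxy_set_header X-Remote-Role "ROLE_USER";

        proxy_set_header Host $host;

        # Horizon web UI port as used in the test command above.
        proxy_pass http://127.0.0.1:8980;
    }
}
```

To verify the setup, send the test command with a forged X-Remote-User to the proxy address without proxy credentials and confirm nginx answers 401. Also confirm that port 8980 cannot be reached from any host other than the proxy.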