Allow LoginExtensions on Guest-Protected-Wikis

XWiki has introduced an administration setting Prevent unregistered users from viewing pages, regardless of the page rights (formerly Prevent unregistered users from viewing pages, regardless of the page or space rights) around xwiki 5 or 6 that allows web-site administrators. Probable reason: to make sure that the rights are not completely uncontrolled (as rights are objects which many can manipulate as soon as they can manipulate objects). This checkbox has the effect that only URLs at views that are in the login process are accessible; others redirect to the /login/XWiki/XWikiLogin.

However, applications that provide the facility to authenticate users may need to respond to some URLs or deliver some skin-material or configuration-information in order for them to offer or deliver their services. Examples for these include:

  • JavaScript or CSS UI-modifications  to change the login form to invite users to start a login-flow involving an extra information or an external partner
  • URLs followed by a redirect that take part to an OAuth login flow


This page proposes the a sketch of the necessary implementation so that login-providers can still work with this setting activated.

Possible Ingredients

Discussed on the forum.

  • Use a UI Extension  or  that loads the JavaScript code on the login page, probably as a component with role UIExtension.
  • Let the JS be delivered by a WebJar
  • The JavaScript can also be used to implement the functions of an OAuth page which redirects to the identity provider and receives the redirect back.
  • Let external URLs be reached using the Resource API which allows services to implement wiki-page-independent http-server-actions such as redirects.

Lesser Secure Workaround

In a wiki where an administrator has an overview of all the rights, using the rights can simulate this effect:

  • XWikiGuest is prohibited to make any access except on the Login-relevant pages (XWikiLogin but also the pages of the identity provider)
  • XWikiAllGroup is allowed to make any access


This setting prevents implementors of login-providers (e.g. GoogleApps, OpenID, ...) to deliver their content when coming from other pages than the login-page: JS-Extensions or OAuth-bounce pages are two example of pages prevented by this checkbox.



Get Connected