Web UI Pre-Authentication

It is possible to configure Horizon to run behind a proxy that provides authentication, and then pass the pre-authenticated user to the Horizonwebapp using a header.

Define the pre-authentication configuration in ${OPENNMS_HOME}/jetty-webapps/opennms/WEB-INF/spring-security.d/header-preauth.xml. This file is automatically included in the Spring Security context, but is not enabled by default.

DO NOT configure Horizon this way unless you are certain the web UI is accessible only to the proxy and not to end users. Otherwise, malicious attackers can craft queries that include the pre-authentication header and get full control of the web UI and REST APIs.

Enabling Pre-Authentication

Edit the header-preauth.xml file, and set the enabled property:

<beans:property name="enabled" value="true" />

Configuring Pre-Authentication

You can also set the following properties to change the behavior of the pre-authentication plugin:

Property Description Default


Whether the pre-authentication plugin is active.



If true, disallow login if the header is not set or the user does not exist. If false, fall through to other mechanisms (basic auth, form login, etc.)



The HTTP header that will specify the user to authenticate as.



A comma-separated list of additional credentials (roles) the user should have.