New code source out: Authentication HMAC

Lucie Lesage25/08/2022


is an acronym for hash-based message authentication code

Find our source code on GitHub

This code has been developed thanks to the funding of the Haute-Vienne department.

It is available under the license LGPLv3, on our GitHub, in the "authentication-hmac" directory.

With this code, you can set up an authentication delegation to Alfresco.

For example, the Zimbra application connects to Alfresco "as" the user Lucy. It prevents the application – in this case Zimbra – from "storing" a user’s password in memory.

Questions regarding its usage

When to use it? When not to use it?

Use it to authenticate to Alfresco from another application when it is not possible to set up a single sign-on (SSO).

This is used, for example, to access Alfresco documents from Zimbra, when Kerberos or OAuth solution cannot be used.

This mechanism is dependent on sharing a secret (key), which is held by both applications. Therefore, HMAC should not be used by an application that cannot protect this secret.

For example, JavaScript applications, which are loaded on the user’s browser.

Thats why, this mechanism should be used if and only if the two applications are on the same secure network.

What are its benefits? What are its limitations?

It is a very easy solution to implement.

The authentication key needs to be very secure, and regular key renewal must be planned.

How secure is it? When to use it?

It is a secure solution, but it carries a very high risk if the key is compromised. It is a solution to be used as a last resort and in a well-controlled environment.

It is a solution to be preferred for the integration of old software that does not yet offer modern solutions, such as Kerberos or OAuth.

What is free and open-source software? See our dedicated page on the subject at

You can participate in the development of this code: use GitHub, in the "authentication-hmac" directory if you have corrections, suggestions, questions, etc. This is the spirit of free and open-source software!

A propos de JECI

Maintenance Logicielle, Conteneur (Docker, Kubernetes), Alfresco Community, Logiciels Libres
SARL - Capital : 100 000 €, immatriculée au RCS de Dijon

Nous contacter

+33 9 72 38 21 92

2013-2022 Jeci | Mixed with v4.6.1 | Baked with JBake v2.6.7 | Photo by iMattSmart via Unsplash | Mentions légales