As a transitional step, this site will temporarily be made Read-Only from July 8th until the new community launch. During this time, you can still search and read articles and discussions.

While the community is read-only, if you have questions or issues requiring TIBCO review/response, please access the new TIBCO Community and select "Ask A Question."

You will need to register or log in or register to engage in the new community.

TIBCO Spotfire® Server API for Custom Authentication

Last updated:
2:09am Nov 15, 2021

Back to Extending Spotfire page


There are many use cases where the authentication options supported by TIBCO Spotfire® need to be customized, For example, when Spotfire is embedded into a portal or other web application and authentication needs to be passed from the portal to TIBCO Spotfire or a company has internal web application security standards that require Single-Sign-On to all web applications that needs to include TIBCO Spotfire. Spotfire supports these scenarios via external and custom authentication. 

See also:

Spotfire Server API - custom authentication

The Spotfire Server API provides several options for custom authentication. Which one to choose depends on the use case.


A PostAuthenticationFilter may be used if the user identity can be established through some built-in authentication method and all that is needed is some additional verification (to impose restrictions on the IP address of the client for example). May also be used for performing additional logging or to set up group memberships using the UserDirectory API. For more details, see Configure a custom PostAuthenticationFilter in TIBCO Spotfire® Server.

Custom JAAS Login Module

A custom JAAS Login Module may be used if the authentication is based on username/password but the built-in options for verifying such (database, LDAP and Windows domain controller) are insufficient.

Custom Login Page

If the authentication is based on username/password but some additional information needs to be collected from the user and verified or logged a custom login page can be combined with a PostAuthenticationFilter (and possibly a custom JAAS Login Module).


A CustomAuthenticator is a suitable option when the user identity can be retrieved from an HTTP header or similar but the built-in functionality for retrieving such isn't sufficient - for example if the header contains a token that must be validated against some external service to establish the user identity. It has access to headers, cookies and attributes and may perform more advanced forms of validation and/or transformation.


A CustomWebAuthenticator should be used for web-based authentication flows (based on OAuth2 or similar) where the user is redirected to some external identity provider and then redirected back to the Spotfire Server. This option can be combined with username/password based authentication and/or OpenID Connect.



The example code is intended to show how various custom authentication components interacts with the Spotfire Server. It is not intended to illustrate any best practices for secure coding. In fact, some parts of the code have intentionally been simplified in a way that contradicts secure coding. The examples should therefore not be used in production. The example code can be found in the attached zip file. 

CustomAuthenticator example

The first example, JwtCustomAuthenticator, shows a typical use of the CustomAuthenticator API - it retrieves the user identity from a signed JWT provided as a cookie.

When the Spotfire Server is configured to use external authentication, it can extract the user identities from request attributes, HTTP headers or HTTP cookies. In those cases, no custom components are required. The only prerequisite is to enable external authentication on the server and to configure which external authentication source to use: attributes, headers or cookies. How to use external authentication with any of those sources is described in the Spotfire Server manual. For more advanced scenarios the CustomAuthenticator API can be used (as shown in the example).

CustomWebAuthenticator example with an identity provider service

The second example is slightly more complicated than the JwtCustomAuthenticator example. It consists of two components: a Custom Web Authenticator named IdentityProviderCustomWebAuthenticator and an identity provider service named IdentityProviderServlet.

The IdentityProviderCustomWebAuthenticator component is deployed in the Spotfire Server, while the IdentityProviderServlet component must be deployed in a separate web application, typically hosted by a separate Servlet container. The Spotfire Server redirects the browser client to the identity provider service, which displays an HTML login form, prompting the user for a username and a password. The entered credentials are validated against a file-based user-and-password database. If the credentials are incorrect, the same HTML login form is displayed again with an error message. If the credentials are correct, the browser client is redirected back to the Return Endpoint on the Spotfire Server, with an authentication token appended as a query parameter. The Custom Web Authenticator validates the authentication token using the identity provider's validation service and extracts the user metadata from the validation response.


Feedback (2)


Thanks for your feedback.  The author of this wiki may update the content of this page to address your concerns. If you need a specific answer to your question, please ask it in the 'Answers' section.

TIBCO Community Wiki page Feedback Policy.

Don Johnson 11:11am Apr. 19, 2017

How does Anonymous Authentication fit in with these various Custom Authentication options? If someone is trying to access an Anonymous resource, will any of these options be bypassed?

jawarren 9:59am Apr. 19, 2017