fix(xwiki): enable superadmin flag in xwiki.cfg and always force Distribution Wizard

- Added 'xwiki.superadmin=1' alongside the password in 'xwiki.cfg' to properly activate the superadmin account during bootstrap.
- Simplified 'xwiki.properties': Distribution Wizard config is now always present instead of conditional on the superadmin switch.
- Ensures that the Distribution Wizard ('distribution.wizard.enabled=true') and flavor bootstrap run automatically on first startup.
- This fixes the issue where REST endpoints (/rest/jobs, /repositories) stayed at 404 because the DW never executed.

Ref: https://chat.openai.com/share/7a5d58d2-8e91-4e34-8fa0-8b7d62494e4a

roles/web-app-xwiki/tasks/03_administrator.yml

@@ -1,7 +1,7 @@
 # 1) Create page XWiki.<userid> (PUT is idempotent)
 - name: "XWIKI | Ensure user page exists: XWiki.{{ XWIKI_ADMIN_USER }}"
   uri:
-    url: "{{ XWIKI_REST_BASE }}wikis/xwiki/spaces/XWiki/pages/{{ XWIKI_ADMIN_USER | urlencode }}"
+    url: "{{ [XWIKI_REST_XWIKI_PAGES, XWIKI_ADMIN_USER | urlencode] | url_join }}"
     method: PUT
     user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
     password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
@@ -19,7 +19,7 @@
 # 2) Add XWiki.XWikiUsers object (only if it does not already exist)
 - name: "XWIKI | Check if XWikiUsers object exists"
   uri:
-    url: "{{ XWIKI_REST_BASE }}wikis/xwiki/spaces/XWiki/pages/{{ XWIKI_ADMIN_USER | urlencode }}/objects?classname=XWiki.XWikiUsers"
+    url: "{{ [XWIKI_REST_XWIKI_PAGES, XWIKI_ADMIN_USER | urlencode, 'objects'] | url_join }}?classname=XWiki.XWikiUsers"
     method: GET
     user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
     password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
@@ -29,7 +29,7 @@
 
 - name: "XWIKI | Add XWiki.XWikiUsers object"
   uri:
-    url: "{{ XWIKI_REST_BASE }}wikis/xwiki/spaces/XWiki/pages/{{ XWIKI_ADMIN_USER | urlencode }}/objects"
+    url: "{{ [XWIKI_REST_XWIKI_PAGES, XWIKI_ADMIN_USER | urlencode, 'objects'] | url_join }}"
     method: POST
     user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
     password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
@@ -54,7 +54,7 @@
 # 3) (Optional) Assign admin rights by adding the user to XWikiAdminGroup
 - name: "XWIKI | Ensure user is in XWikiAdminGroup"
   uri:
-    url: "{{ XWIKI_REST_BASE }}wikis/xwiki/spaces/XWiki/pages/XWikiAdminGroup/objects"
+    url: "{{ [XWIKI_REST_XWIKI_PAGES, 'XWikiAdminGroup/objects'] | url_join }}"
     method: POST
     user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
     password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"

roles/web-app-xwiki/tasks/04_extensions.yml

@@ -1,7 +1,20 @@
+# roles/web-app-xwiki/tasks/04_extensions.yml
+#
+# Canonical install flow for XWiki 16.10.x in this setup:
+# - PUT /rest/jobs with query params (install, async=false, media=json, namespaces, extensions)
+# - Pass lists via <rest><list>…</list></rest> in query parameters
+# - Minimal XML body (<jobRequest/>) just to satisfy the REST layer
+# - Restart once (handler: docker compose restart), then verify via the 'installed' repository
+#
+# Requires in xwiki.properties:
+# extension.repositories=xwiki-public:maven:https://nexus.xwiki.org/nexus/content/groups/public/,central:maven:https://repo1.maven.org/maven2/
+
+# 1) Probe what is already installed
 - name: "Probe OIDC extension"
   include_tasks: _probe_extension.yml
   vars:
     ext_id: "{{ XWIKI_EXT_OIDC_ID }}"
+    ext_version: "{{ XWIKI_EXT_OIDC_VERSION }}"
     ext_enabled: "{{ XWIKI_OIDC_ENABLED }}"
     result_var: "xwiki_oidc_ext"
 
@@ -9,10 +22,43 @@
   include_tasks: _probe_extension.yml
   vars:
     ext_id: "{{ XWIKI_EXT_LDAP_ID }}"
+    ext_version: "{{ XWIKI_EXT_LDAP_VERSION }}"
     ext_enabled: "{{ XWIKI_LDAP_ENABLED }}"
     result_var: "xwiki_ldap_ext"
 
-- name: "Install LDAP and/or OIDC extensions"
+# 2) Build the list of extensions to install (enabled + missing)
+- name: "Initialize extension install list"
+  set_fact:
+    extensions_to_install: []
+
+- name: "Queue OIDC extension for install"
+  when:
+    - XWIKI_OIDC_ENABLED | bool
+    - xwiki_oidc_ext.status | int != 200
+  set_fact:
+    extensions_to_install: "{{ extensions_to_install + [ {'id': XWIKI_EXT_OIDC_ID, 'version': XWIKI_EXT_OIDC_VERSION} ] }}"
+
+- name: "Queue LDAP extension for install"
+  when:
+    - XWIKI_LDAP_ENABLED | bool
+    - xwiki_ldap_ext is defined
+    - xwiki_ldap_ext.status | int != 200
+  set_fact:
+    extensions_to_install: "{{ extensions_to_install + [ {'id': XWIKI_EXT_LDAP_ID, 'version': XWIKI_EXT_LDAP_VERSION} ] }}"
+
+# 3) Build XML payloads for the request BODY (not query params)
+- name: "Build XML payloads for job body"
+  when: extensions_to_install | length > 0
+  set_fact:
+    namespaces_xml_rest: "<rest><list><string>wiki:xwiki</string></list></rest>"
+    extensions_xml_rest: >-
+      <rest><list>{% for ext in extensions_to_install -%}
+      <extension><id>{{ ext.id }}</id><version>{{ ext.version }}</version><namespace>wiki:xwiki</namespace></extension>
+      {%- endfor %}</list></rest>
+
+# 4) Install extensions synchronously using BODY properties
+- name: "Install extensions via PUT (body properties, sync)"
+  when: extensions_to_install | length > 0
   uri:
     url: "{{ XWIKI_REST_EXTENSION_INSTALL }}?jobType=install&async=false&media=json"
     method: PUT
@@ -20,41 +66,87 @@
     password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
     force_basic_auth: true
     headers:
-      Content-Type: "text/xml"
       Accept: "application/json"
-      X-Requested-With: "XMLHttpRequest"
-    body: "{{ lookup('template', 'installjobrequest.xml.j2') }}"
-    status_code: [200, 202]
+      Content-Type: "application/xml"
+    body: |
+      <jobRequest xmlns="http://www.xwiki.org">
+        <request>
+          <properties>
+            <property>
+              <key>namespaces</key>
+              <value><![CDATA[{{ namespaces_xml_rest }}]]></value>
+            </property>
+            <property>
+              <key>extensions</key>
+              <value><![CDATA[{{ extensions_xml_rest }}]]></value>
+            </property>
+            <property>
+              <key>interactive</key>
+              <value><rest><boolean>false</boolean></rest></value>
+            </property>
+          </properties>
+        </request>
+      </jobRequest>
+    status_code: [200, 201, 202]
     return_content: yes
-  when:
-    - (XWIKI_OIDC_ENABLED | bool and (xwiki_oidc_ext.status | default(404)) != 200)
-      or
-      (XWIKI_LDAP_ENABLED | bool and (xwiki_ldap_ext is not skipped) and (xwiki_ldap_ext.status | default(404)) != 200)
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
   register: xwiki_install_job
+  notify: docker compose restart
+  changed_when: xwiki_install_job.json.state == 'FINISHED'
 
-- name: "Extract install job id"
-  set_fact:
-    xwiki_install_job_id: "{{ xwiki_install_job | xwiki_job_id(default='') }}"
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+# 5) Restart once so new classes are loaded
+- name: "Restart XWiki after install"
+  when: extensions_to_install | length > 0
+  meta: flush_handlers
 
-- name: "Poll install job status until FINISHED without errors"
-  when: xwiki_install_job_id is defined and xwiki_install_job_id|length > 0
+# 6) Wait for REST to be ready again
+- name: "Wait until XWiki REST is ready after restart"
   uri:
-    url: "{{ XWIKI_REST_BASE }}jobstatus/{{ xwiki_install_job_id }}?media=json"
-    method: GET
-    user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
-    password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
-    force_basic_auth: true
-    headers:
-      Accept: "application/json"
-    status_code: 200
-    return_content: yes
-  register: _install_status
+    url: "{{ XWIKI_REST_BASE }}"
+    status_code: [200, 401]
+    follow_redirects: none
+    return_content: no
+  register: xwiki_rest_up_after
   changed_when: false
-  retries: 20
-  delay: 3
+  retries: 60
+  delay: 5
   until:
-    - _install_status is succeeded
-    - _install_status.json.state == 'FINISHED'
-    - (_install_status.json.errors | default([]) | length) == 0
+    - xwiki_rest_up_after is succeeded
+    - (xwiki_rest_up_after.redirected is not defined) or (not xwiki_rest_up_after.redirected)
+
+# 7) Re-probe from 'installed' repository
+- name: "Re-probe OIDC extension (installed repo)"
+  include_tasks: _probe_extension.yml
+  vars:
+    ext_id: "{{ XWIKI_EXT_OIDC_ID }}"
+    ext_version: "{{ XWIKI_EXT_OIDC_VERSION }}"
+    ext_enabled: "{{ XWIKI_OIDC_ENABLED }}"
+    result_var: "xwiki_oidc_ext_after"
+
+- name: "Re-probe LDAP extension (installed repo)"
+  include_tasks: _probe_extension.yml
+  vars:
+    ext_id: "{{ XWIKI_EXT_LDAP_ID }}"
+    ext_version: "{{ XWIKI_EXT_LDAP_VERSION }}"
+    ext_enabled: "{{ XWIKI_LDAP_ENABLED }}"
+    result_var: "xwiki_ldap_ext_after"
+
+# 8) Fail fast if something requested is still missing
+- name: "FAIL: OIDC missing after install"
+  fail:
+    msg: >-
+      OIDC extension ({{ XWIKI_EXT_OIDC_ID }} {{ XWIKI_EXT_OIDC_VERSION }}) is NOT detected
+      after install (HTTP {{ xwiki_oidc_ext_after.status | default('n/a') }}).
+      Check 'extension.repositories' in xwiki.properties and network/DNS.
+  when:
+    - XWIKI_OIDC_ENABLED | bool
+    - xwiki_oidc_ext_after.status | int != 200
+
+- name: "FAIL: LDAP missing after install"
+  fail:
+    msg: >-
+      LDAP extension ({{ XWIKI_EXT_LDAP_ID }} {{ XWIKI_EXT_LDAP_VERSION }}) is NOT detected
+      after install (HTTP {{ xwiki_ldap_ext_after.status | default('n/a') }}).
+      Check 'extension.repositories' in xwiki.properties and network/DNS.
+  when:
+    - XWIKI_LDAP_ENABLED | bool
+    - xwiki_ldap_ext_after.status | int != 200

roles/web-app-xwiki/tasks/_probe_extension.yml

@@ -1,7 +1,11 @@
-- name: "XWIKI | Probe extension {{ ext_id }}"
+# roles/web-app-xwiki/tasks/_probe_extension.yml
+# Probes the 'installed' extension repository to check if a given extension is present.
+# Uses the wiki-namespaced REST base (/rest/wikis/xwiki) and falls back to /{id}/{version} if needed.
+
+- name: "XWIKI | Probe extension {{ ext_id }} (installed repo)"
   when: ext_enabled | bool
   uri:
-    url: "{{ XWIKI_REST_XWIKI }}/extensions/{{ ext_id | urlencode }}"
+    url: "{{ [XWIKI_REST_XWIKI, 'repositories/installed/extensions', ext_id | urlencode] | url_join }}?namespace={{ 'wiki:xwiki' | urlencode }}"
     method: GET
     user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
     password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
@@ -10,13 +14,31 @@
     return_content: no
     headers:
       Accept: "application/xml"
-    status_code: [200, 401, 404, 302]
+    status_code: [200, 401, 404]
   register: _probe
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+  changed_when: false
+
+# Some XWiki builds/versions answer on /{id}/{version}. Try that if plain /{id} returned 404.
+- name: "XWIKI | Probe extension {{ ext_id }} with version (fallback)"
+  when:
+    - ext_enabled | bool
+    - (_probe.status | default(404)) | int == 404
+    - ext_version is defined
+  uri:
+    url: "{{ [XWIKI_REST_XWIKI, 'repositories/installed/extensions', ext_id | urlencode, ext_version] | url_join }}?namespace={{ 'wiki:xwiki' | urlencode }}"
+    method: GET
+    user: "{{ XWIKI_SUPERADMIN_USERNAME }}"
+    password: "{{ XWIKI_SUPERADMIN_PASSWORD }}"
+    force_basic_auth: true
+    follow_redirects: none
+    return_content: no
+    headers:
+      Accept: "application/xml"
+    status_code: [200, 401, 404]
+  register: _probe_v
   changed_when: false
 
 - name: "XWIKI | Save probe result for {{ ext_id }}"
   when: ext_enabled | bool
   set_fact:
-    "{{ result_var }}": "{{ _probe }}"
-  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
+    "{{ result_var }}": "{{ (_probe_v if (_probe_v is defined) else _probe) }}"

roles/web-app-xwiki/templates/docker-compose.yml.j2

@@ -11,9 +11,9 @@
     volumes:
       - "{{ XWIKI_HOST_CONF_PATH }}:/usr/local/tomcat/webapps/ROOT/WEB-INF/xwiki.cfg"
       - "{{ XWIKI_HOST_PROPERTIES_PATH }}:/usr/local/tomcat/webapps/ROOT/WEB-INF/xwiki.properties"
-      - "{{ XWIKI_HOST_CONF_PATH }}:/usr/local/xwiki/xwiki.cfg"
-      - "{{ XWIKI_HOST_PROPERTIES_PATH }}:/usr/local/xwiki/xwiki.properties"
-      - 'data:/usr/local/xwiki'
+      - "{{ XWIKI_HOST_CONF_PATH }}:{{ [XWIKI_DOCK_DATA_DIR, 'xwiki.cfg'] | path_join }}"
+      - "{{ XWIKI_HOST_PROPERTIES_PATH }}:{{ [XWIKI_DOCK_DATA_DIR, 'xwiki.properties'] | path_join }}"
+      - 'data:{{ XWIKI_DOCK_DATA_DIR }}'
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
 {% include 'roles/docker-container/templates/base.yml.j2' %}
 {% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %}

roles/web-app-xwiki/templates/installjobrequest.xml.j2

@@ -1,27 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  InstallRequest for the XWiki Extension Manager.
-
-  We MUST render from the computed `extensions_to_install` list
-  (not from raw feature flags), otherwise an empty <list/> is sent
-  and nothing is installed.
--->
-<jobRequest xmlns="http://www.xwiki.org">
-  <request class="org.xwiki.extension.job.InstallRequest">
-    <extensions>
-      {% for ext in extensions_to_install %}
-      <extensionId>
-        <id>{{ ext.id }}</id>
-        <version>{{ ext.version }}</version>
-      </extensionId>
-      {% endfor %}
-    </extensions>
-    <namespaces>
-      <!-- Install on the main wiki -->
-      <string>wiki:xwiki</string>
-    </namespaces>
-    <installDependencies>true</installDependencies>
-    <interactive>false</interactive>
-    <verbose>true</verbose>
-  </request>
-</jobRequest>

roles/web-app-xwiki/templates/xwiki.cfg.j2

@@ -17,7 +17,9 @@ xwiki.authentication.ldap.update_user=1
 {% else %}
 xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl
 {% endif %}
+
 {% if xwiki_superadmin_enabled_switch | bool %}
 # ---- Superadmin must live in xwiki.cfg (not in xwiki.properties)
 xwiki.superadminpassword={{ XWIKI_SUPERADMIN_PASSWORD }}
+xwiki.superadmin=1
 {% endif %}

roles/web-app-xwiki/templates/xwiki.properties.j2

@@ -17,20 +17,17 @@ oidc.groups.claim={{ XWIKI_OIDC_GROUPS_CLAIM }}
 oidc.groups.mapping=XWiki.XWikiAdminGroup={{ XWIKI_OIDC_ADMIN_PROVIDER_GROUP }}
 {% endif %}
 
-############################################
-# Distribution Wizard (bootstrap)
-# Render this block only during bootstrap when we temporarily enable the superadmin.
-{% if xwiki_superadmin_enabled_switch | bool %}
 # Start DW automatically and non-interactively
 distribution.automaticStartOnMainWiki=true
 distribution.automaticStartOnWiki=true
 distribution.job.interactive=false
 # Default flavor for main wiki
 distribution.defaultUI=org.xwiki.platform:xwiki-platform-distribution-flavor-mainwiki
-{% endif %}
+distribution.skip=false
+distribution.wizard.enabled=true
 
 # Persist data in the Docker volume
-environment.permanentDirectory=/usr/local/xwiki/data
+environment.permanentDirectory={{ XWIKI_DOCK_DATA_DIR }}
 
 # Make sure Extension Manager can fetch artifacts.
 # IMPORTANT:

roles/web-app-xwiki/vars/main.yml

@@ -15,6 +15,7 @@ XWIKI_HOSTNAME:                       "{{ container_hostname }}"
 ## Paths
 XWIKI_HOST_CONF_PATH:                 "{{ [docker_compose.directories.config, 'xwiki.cfg'] | path_join }}"
 XWIKI_HOST_PROPERTIES_PATH:           "{{ [docker_compose.directories.config, 'xwiki.properties'] | path_join }}"
+XWIKI_DOCK_DATA_DIR:                  "/usr/local/xwiki"
 
 ## Docker
 XWIKI_IMAGE_CUSTOM:                   "xwiki_custom"
@@ -39,8 +40,9 @@ XWIKI_SUPERADMIN_USERNAME:            "superadmin"
 
 # REST endpoint (local inside container)
 XWIKI_REST_BASE:                      "{{ ['http://127.0.0.1:'~ XWIKI_HOST_PORT, '/rest/'] | url_join  }}"
-XWIKI_REST_EXTENSION_INSTALL:         "{{ [XWIKI_REST_BASE, 'jobs'] | url_join  }}"
 XWIKI_REST_XWIKI:                     "{{ [XWIKI_REST_BASE, 'wikis/xwiki'] | url_join  }}"
+XWIKI_REST_XWIKI_PAGES:               "{{ [XWIKI_REST_BASE, 'wikis/xwiki/spaces/XWiki/pages'] | url_join }}"
+XWIKI_REST_EXTENSION_INSTALL:         "{{ [XWIKI_REST_BASE, 'jobs'] | url_join }}"
 
 # Extension IDs + Versions (pin versions explicitly)
 XWIKI_EXT_LDAP_ID:                    "org.xwiki.contrib.ldap:ldap-authenticator"