From: "Hobbs, Joseph" <Joseph.Hobbs@53.com>
To: jspwiki-dev@incubator.apache.org
Subject: jspwiki.policy and java.policy
Date: Mon, 1 Dec 2008 15:55:33 -0500

Hi All!

New to the list, but not to JSPWiki. I've been using it internally for a few years, and just recently started digging into it deeper. Good stuff!
I did run into one issue that confused me, and I was curious to get someone else's take on it.

I'm running IBM's WebSphere Application Server 6.1.0.15 on AIX 5.3 and JSPWiki 2.6.4. WebSphere is using an LDAP Registry and I also have RSA's ClearTrust for Single Sign On configured within WebSphere. I've been successful in getting everything working (even SSO) with JSPWiki through container-managed security. I was able to do all of this through modification of some XML (web.xml) and jspwiki.properties. One note... I do NOT have Java 2 security enabled (this is critical for later).

The issue I've run into relates to JSPWiki and how it handles jspwiki.policy. Even though I've defined roles and the container is providing them, I'm still an admin. No matter what I do, I've got full privileges. I can do anything an admin does, even though I don't have the privileges per jspwiki.policy. Page ACLs don't seem to apply either.

After digging into the issue, I discovered that JSPWiki wasn't even checking the policies defined within the jspwiki.policy file. com.ecyrd.jspwiki.auth.AuthorizationManager.checkStaticPermission(WikiSession, Permission) checks the JVM-wide security policy first, and only checks the local policy if the JVM-wide policy denies the action. Since I don't have Java Security enabled on the JVM, the JVM-wide policy will not deny ANY actions.

So, all that leads me to my question. Don't take this as a dig or challenge. I've learned in my life that while I can't think of reasons, there are plenty out there. Just trying to understand the reasoning. This is especially true for me currently, as I'm still learning the JSPWiki codebase and don't have a great deal of background with Java policies! Sooo....

Question: Why does the JVM-wide policy apply at this point? If JSPWiki is loading its own jspwiki.policy file, should we be deferring to the JVM-wide policy at all? That policy should be governing what my application can do to the system/etc., not what my users can do within the application. Will anything obvious break if I 'eliminate' the JVM policy check from AuthorizationManager?

On a side note... I've tried enabling Java Security and was able to verify that the policies were being processed as expected. With that said, it's caused me some other pain that I'm still working through (mainly around the SSO component). I'm not looking for a quick fix here. I'm just curious as to why the JVM-wide policy is even taken into account if JSPWiki is loading a separate local policy.

I appreciate your time, as well as any responses! Thank you and have a good holiday!

Joseph Hobbs
Email: Joseph.Hobbs@53.com
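The check ordering described in the mail, modelled as a small stand-alone Java program (an added illustration, not JSPWiki's AuthorizationManager code): a JVM-first check falls open to "allow" whenever Java 2 security is disabled, while a local-first ordering lets jspwiki.policy decide and treats the JVM policy only as an extra restriction. The RolePolicy interface, DemoPagePermission class and the role-to-permission map are constructed for the demo and are not JSPWiki types.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.util.Map;
import java.util.Set;

// Hypothetical model of the two check orderings; not JSPWiki's own code.
public class PolicyOrderDemo {

    // Constructed stand-in for a page permission (not JSPWiki's PagePermission).
    static final class DemoPagePermission extends BasicPermission {
        DemoPagePermission(String name) { super(name); }
    }

    // Minimal policy abstraction: does any of the caller's roles hold the permission?
    interface RolePolicy { boolean implies(Set<String> roles, Permission p); }

    // Stand-in for jspwiki.policy: role -> set of permission names it grants.
    static RolePolicy localPolicy(Map<String, Set<String>> grants) {
        return (roles, p) -> roles.stream()
                .anyMatch(r -> grants.getOrDefault(r, Set.of()).contains(p.getName()));
    }

    // Ordering the mail describes: JVM-wide policy first, jspwiki.policy only on denial.
    // With Java 2 security off there is nothing to deny, so the local policy is never consulted.
    static boolean checkJvmFirst(boolean javaSecurityEnabled, RolePolicy jvm, RolePolicy local,
                                 Set<String> roles, Permission p) {
        boolean jvmAllows = !javaSecurityEnabled || jvm.implies(roles, p);
        return jvmAllows || local.implies(roles, p);
    }

    // Local-first ordering: the application policy decides what users may do; the JVM policy
    // can only further restrict, and only when it is actually being enforced.
    static boolean checkLocalFirst(boolean javaSecurityEnabled, RolePolicy jvm, RolePolicy local,
                                   Set<String> roles, Permission p) {
        if (!local.implies(roles, p)) return false;
        return !javaSecurityEnabled || jvm.implies(roles, p);
    }

    public static void main(String[] args) {
        // Constructed sample grants: only Admin may delete, Authenticated may only view.
        RolePolicy local = localPolicy(Map.of("Admin", Set.of("page:delete"),
                                              "Authenticated", Set.of("page:view")));
        RolePolicy jvm = (roles, p) -> true;      // permissive JVM policy, as when no policy denies
        Set<String> reader = Set.of("Authenticated");
        Permission delete = new DemoPagePermission("page:delete");
        // Java 2 security disabled, as in the mail: compare what each ordering decides for a reader.
        System.out.println("jvm-first:   " + checkJvmFirst(false, jvm, local, reader, delete));
        System.out.println("local-first: " + checkLocalFirst(false, jvm, local, reader, delete));
    }
}
```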