incubator-jspwiki-dev mailing list archives

From "Andrew Jaquith (JIRA)" <j...@apache.org>
Subject [jira] Created: (JSPWIKI-473) Authorizers not consulted at login
Date Thu, 22 Jan 2009 02:38:59 GMT
Authorizers not consulted at login
----------------------------------

                 Key: JSPWIKI-473
                 URL: https://issues.apache.org/jira/browse/JSPWIKI-473
             Project: JSPWiki
          Issue Type: Bug
          Components: Authentication&Authorization
    Affects Versions: 2.8.1, 2.8
         Environment: All
            Reporter: Andrew Jaquith
             Fix For: 2.8.2, 3.0


From the jspwiki-dev list:

Steve Dahl wrote:
Under JSPWiki 2.6.4, we've replaced WebContainerAuthorizer with an LDAPAuthorizer which implements
JSPWiki roles in terms of LDAP groups.

When I compile this for JSPWiki 2.8.0, and modify the jspwiki.properties file to use it, our
custom LDAPAuthorizer gets initialized, and is sent findRole(), but it never seems to get
sent isUserInRole().

If it's useful information, LDAPAuthorizer implements Authorizer (not WebAuthorizer), and
it implements isUserInRole() with this signature:

public boolean isUserInRole( WikiSession session, Principal role )

Is there anything that has changed in Authorizers between 2.6.4 and 2.8.0 that might explain
this?

Looking deeper, it seems that in JSPWiki 2.6.X, WikiSession implemented injectRolePrincipals(),
which initialized the session with whatever groups and roles the user belongs to. Groups are
read from the group database, and Roles are read from the Authorizer.

In JSPWiki 2.8.X, injectRolePrincipals() has been replaced by injectGroupPrincipals(), which
reads groups from the group database but doesn't use the Authorizer. What is the Authorizer
used for now?

As a side note, I originally implemented LDAPAuthorizer as LDAPGroupDatabase. I ended up rejecting
this approach because GroupManager assumes that the members of a Group can be read once when
the Wiki is started, and that the Group's membership will only be modified by the Wiki. The
problem with LDAP is that the group membership can be modified from outside, and the only
way to update the wiki would be to manually restart it. The Authorizer was a better solution
for our purposes, because if a user was added to the LDAP group, the Authorizer would reflect
that change as soon as the user logged out and back in. Restarting the wiki is not necessary.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
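
The login behaviour described in the report, as an added example that is not part of the original message and is not JSPWiki code: a self-contained model of building a session's principals at login with and without consulting the Authorizer. The class, the method names loginGroupsOnly and loginWithAuthorizer, the String-based isUserInRole, and all sample data are simplified stand-ins constructed for illustration.

```java
import java.security.Principal;
import java.util.*;

// Simplified stand-ins for illustration; these are not JSPWiki's real classes or signatures.
public class LoginRoleInjection {
    record Role(String name) implements Principal { public String getName() { return name; } }

    /** External role source, for example one backed by LDAP groups. */
    interface Authorizer {
        Principal[] getRoles();
        boolean isUserInRole(String user, Principal role);
    }

    /** Principals taken from the wiki's own group database, which is read once at startup. */
    static Set<Principal> groupPrincipals(Map<String, Set<String>> groupDb, String user) {
        Set<Principal> out = new HashSet<>();
        groupDb.forEach((group, members) -> { if (members.contains(user)) out.add(new Role(group)); });
        return out;
    }

    /** Login as the report describes 2.8.x: only the group database is consulted. */
    static Set<Principal> loginGroupsOnly(Map<String, Set<String>> groupDb, String user) {
        return groupPrincipals(groupDb, user);
    }

    /** Login as the report describes 2.6.x: groups plus every role the Authorizer confirms. */
    static Set<Principal> loginWithAuthorizer(Map<String, Set<String>> groupDb, Authorizer authz, String user) {
        Set<Principal> out = groupPrincipals(groupDb, user);
        for (Principal role : authz.getRoles()) {
            if (authz.isUserInRole(user, role)) out.add(role);
        }
        return out;
    }

    public static void main(String[] args) {
        Map<String, Set<String>> groupDb = Map.of("Editors", Set.of("alice")); // constructed sample
        Map<String, Set<String>> directory = new HashMap<>();                  // constructed stand-in for LDAP
        directory.put("WikiAdmins", new HashSet<>(Set.of("bob")));
        Authorizer authz = new Authorizer() {
            public Principal[] getRoles() { return directory.keySet().stream().map(Role::new).toArray(Principal[]::new); }
            public boolean isUserInRole(String u, Principal r) { return directory.getOrDefault(r.getName(), Set.of()).contains(u); }
        };
        System.out.println(loginGroupsOnly(groupDb, "bob"));            // directory role never reaches the session
        System.out.println(loginWithAuthorizer(groupDb, authz, "bob")); // directory role injected at login
        directory.get("WikiAdmins").remove("bob");                      // membership changed outside the wiki
        System.out.println(loginWithAuthorizer(groupDb, authz, "bob")); // next login reflects it without a restart
    }
}
```

When the Authorizer is skipped at login, access rules that name an externally managed role never match for that session, and a membership removed in the directory is only honoured once login consults the Authorizer again.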

