incubator-jspwiki-dev mailing list archives

From "Andrew Jaquith (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JSPWIKI-257) property to switch off get password and join JSPWiki lines on login page
Date Sat, 07 Mar 2009 19:30:56 GMT

    [ https://issues.apache.org/jira/browse/JSPWIKI-257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12679906#action_12679906 ]

Andrew Jaquith commented on JSPWIKI-257:
----------------------------------------

I have some problems with this patch. The biggest issue is that the login name and password
are essentially properties of the UserProfile (and thus of the UserDatabase), not of the LoginModule.
So those properties should really be called jspwiki.userDatabase.*

The other issue -- related -- is that, for a while, JSPWiki has needed to have a better way
to configure who can change what attributes for a given user. This need has manifested itself
in several previous discussions, for example:
- Whether user properties read from LDAP should be read-only or mutable. (More than just the
password: think full name, e-mail address)
- Whether users should be allowed to change their password (this example)
- Whether users should be able to see the names of other users enrolled on the wiki
- Making it possible for administrators to batch-enroll many users

The common thread among these requests is whether the user is "allowed" to read or change a particular
profile property, because of security or because of the infrastructure. What I don't want
to do is have "canChange.xxxx" properties multiplying like rabbits for every property we want
to secure. 

So here's what we need: a custom Permission class, like GroupPermission, that allows us to
specify what profile properties a user should be allowed to change. For example, you might
add to the Authenticated role section of the jspwiki.policy file a grant block that looks
like this: 

grant org.apache.wiki.auth.permissions.ProfilePermission "*:<self>", "view,edit"

The Admin role might have a grant like this: 

grant org.apache.wiki.auth.permissions.ProfilePermission "*:*", "view,edit"

...which would allow them to see and change anyone's profile properties.

We would also either extend the PermissionTag class, or create a new ProfilePermissionTag
class that allows permission checks to be done easily.

Greg, I know seeing comments like this isn't helpful to you in the short term, because you've
got an immediate problem to solve. But I would like to try and tackle a bunch of related items
at the same time, and that might take a little longer. :)

> property to switch off get password and join JSPWiki lines on login page
> ------------------------------------------------------------------------
>
>                 Key: JSPWIKI-257
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-257
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication&Authorization
>            Reporter: Jürgen Weber
>             Fix For: 3.0
>
>         Attachments: GJK-20090304-v2.8.patch, GJK-20090304.patch, jspwiki-257-add-properties.patch
>
>
> If you use an external authentication system like LDAP (e.g. via container managed security)
> you probably do not want, that your users can change their passwords from the JSPWiki login
> page (or even create new accounts).
> There should be a jspwiki property to prevent the 
> Lost your password?  Get a new one!
> Don't have an account ? Join JSPWiki now! 
> lines on the login page.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
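
A sketch of how the permission class proposed in the comment above could evaluate the `*:<self>` and `*:*` targets, added here as an illustration; it is not JSPWiki code or the commenter's implementation. The `wiki:user` target parsing, the `requester` argument used to resolve `<self>`, and the sample wiki and login names are assumptions.

```java
import java.security.Permission;
import java.util.Set;
import java.util.TreeSet;

// Hypothetical sketch of the ProfilePermission proposed above; not JSPWiki code.
public final class ProfilePermission extends Permission {
    private final String wiki, user, requester; // requester (assumed): caller's login, null on grants
    private final Set<String> actions = new TreeSet<>();
    // Granted form, e.g. built from a policy entry "*:<self>", "view,edit".
    public ProfilePermission(String target, String actionList) { this(target, actionList, null); }
    // Requested form: a concrete profile plus the login name of the caller.
    public ProfilePermission(String target, String actionList, String requester) {
        super(target);
        int sep = target.indexOf(':');
        if (sep < 1 || sep == target.length() - 1)
            throw new IllegalArgumentException("target must be wiki:user");
        this.wiki = target.substring(0, sep);
        this.user = target.substring(sep + 1);
        this.requester = requester;
        for (String a : actionList.split(",")) {
            String action = a.trim();
            if (!action.equals("view") && !action.equals("edit"))
                throw new IllegalArgumentException("unknown action: " + action);
            actions.add(action);
        }
    }

    @Override public boolean implies(Permission p) {
        if (!(p instanceof ProfilePermission)) return false;
        ProfilePermission req = (ProfilePermission) p;
        boolean wikiOk = wiki.equals("*") || wiki.equals(req.wiki);
        // "<self>" matches only when the caller owns the requested profile; null fails closed.
        boolean userOk = user.equals("*")
            || (user.equals("<self>") ? req.user.equals(req.requester) : user.equals(req.user));
        return wikiOk && userOk && actions.containsAll(req.actions);
    }
    @Override public String getActions() { return String.join(",", actions); }
    @Override public boolean equals(Object o) {
        return o instanceof ProfilePermission && getName().equals(((ProfilePermission) o).getName())
            && actions.equals(((ProfilePermission) o).actions);
    }
    @Override public int hashCode() { return 31 * getName().hashCode() + actions.hashCode(); }

    public static void main(String[] args) { // constructed sample requests from user "bob"
        Permission self = new ProfilePermission("*:<self>", "view,edit");
        Permission own = new ProfilePermission("mywiki:bob", "edit", "bob");
        Permission other = new ProfilePermission("mywiki:alice", "edit", "bob");
        System.out.println(self.implies(own) + " " + self.implies(other));
    }
}
```

In this sketch `edit` does not imply `view`; each action has to be granted explicitly, as in the grants quoted in the comment.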

