incubator-jspwiki-user mailing list archives

From Kalle Kivimaa <kalle.kivi...@iki.fi>
Subject Re: Anonymous user can see ACL'd pages
Date Sun, 25 Nov 2007 13:48:16 GMT
Yes, that is exactly what I'm trying to achieve. It would be nice to
see what the jspwiki.org logs say when an anonymous user tries to view
that page.

"Harry Metske" <harry.metske@gmail.com> writes:

> Do you mean something like this :
>
> http://www.jspwiki.org/wiki/PermTest
>
> This page has the following text, and is not viewable by anonymous users:
>
> [{ALLOW edit metskem}]
> [{ALLOW view Asserted}]
>
> You should not be able to see the source of this page !
>
> Harry
>
> 2007/11/25, Kalle Kivimaa <kalle.kivimaa@iki.fi>:
>>
>> Yes, because I want *most* of my wiki to be visible to everybody, and
>> I understood that an ACL takes precedence over the policy file.
>>
>> From http://doc.jspwiki.org/2.4/wiki/Security
>> "By default, wiki pages do not have access control lists. When a page
>> doesn't have an ACL, the default security policy for the page
>> applies."
>>
>> I read that as saying that the security policy is *only* used if there
>> is no ACL.
>>
>> Janne Jalkanen <Janne.Jalkanen@ecyrd.com> writes:
>>
>> > Um. You're granting read permissions to Anonymous in your policy file.
>> >
>> > /Janne
>> >
>> > On 25 Nov 2007, at 14:47, Kalle Kivimaa wrote:
>> >
>> >> OK, after finally getting my Tomcat to actually use the security
>> >> policy correctly, I still have the problem of the page ACL's not being
>> >> used. The JAAS config file is loaded correctly, as is the policy file
>> >> (policy file access restrictions work correctly).
>> >>
>> >> Any ideas what I'm doing wrong?
>> >>
>> >> Page header:
>> >> [{ALLOW view Asserted}]
>> >>
>> >> Policy file:
>> >> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
>> >>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>> >> "*:*", "view";
>> >>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>> >> "*", "editPreferences";
>> >>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>> >> "*", "editProfile";
>> >>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>> >> "*", "login";
>> >> };
>> >>
>> >> grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
>> >>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>> >> "*", "login";
>> >> };
>> >>
>> >> Log file:
>> >> 2007-11-25 14:42:58,883 [http-8180-Processor22] DEBUG
>> >> com.ecyrd.jspwiki.WikiContext kalle:/kalle/Wiki.jsp kalle:http://
>> >> localhost:8180/kalle/Wiki.jsp - Do we need to log the user in? false
>> >> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
>> >> com.ecyrd.jspwiki.auth.acl.DefaultAclManager kalle:/kalle/Wiki.jsp
>> >> kalle:http://localhost:8180/kalle/Wiki.jsp - page=TaloInfo null
>> >> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
>> >> com.ecyrd.jspwiki.WikiSession kalle:/kalle/Wiki.jsp kalle:http://
>> >> localhost:8180/kalle/Wiki.jsp - Looking up WikiSession for NULL
>> >> HttpRequest: returning guestSession()
>> >> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
>> >> com.ecyrd.jspwiki.WikiContext kalle:/kalle/Wiki.jsp kalle:http://
>> >> localhost:8180/kalle/Wiki.jsp - Creating WikiContext for session ID=
>> >> (null); target=TaloInfo
>> >> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
>> >> com.ecyrd.jspwiki.WikiContext kalle:/kalle/Wiki.jsp kalle:http://
>> >> localhost:8180/kalle/Wiki.jsp - Do we need to log the user in? false
>> >> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
>> >> com.ecyrd.jspwiki.parser.JSPWikiMarkupParser kalle:/kalle/Wiki.jsp
>> >> kalle:http://localhost:8180/kalle/Wiki.jsp - page=TaloInfo, ACL =
>> >> ALLOW view Asserted
>> >> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
>> >> com.ecyrd.jspwiki.auth.acl.DefaultAclManager kalle:/kalle/Wiki.jsp
>> >> kalle:http://localhost:8180/kalle/Wiki.jsp - Adding new acl entry
>> >> for view
>> >> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
>> >> com.ecyrd.jspwiki.auth.acl.DefaultAclManager kalle:/kalle/Wiki.jsp
>> >> kalle:http://localhost:8180/kalle/Wiki.jsp -   user = Asserted:
>> >> (("com.ecyrd.jspwiki.auth.permissions.PagePermission","kalle:TaloInfo"
>> >> ,"view"))
>> >> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
>> >> com.ecyrd.jspwiki.parser.JSPWikiMarkupParser kalle:/kalle/Wiki.jsp
>> >> kalle:http://localhost:8180/kalle/Wiki.jsp -   user = Asserted:
>> >> (("com.ecyrd.jspwiki.auth.permissions.PagePermission","kalle:TaloInfo"
>> >> ,"view"))
>> >> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
>> >> com.ecyrd.jspwiki.WikiSession kalle:/kalle/Wiki.jsp kalle:http://
>> >> localhost:8180/kalle/Wiki.jsp - Looking up WikiSession for NULL
>> >> HttpRequest: returning guestSession()
>> >> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
>> >> com.ecyrd.jspwiki.WikiContext kalle:/kalle/Wiki.jsp kalle:http://
>> >> localhost:8180/kalle/Wiki.jsp - Creating WikiContext for session ID=
>> >> (null); target=TaloInfo
>> >> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
>> >> com.ecyrd.jspwiki.WikiContext kalle:/kalle/Wiki.jsp kalle:http://
>> >> localhost:8180/kalle/Wiki.jsp - Do we need to log the user in? false
>> >> 2007-11-25 14:42:58,889 [http-8180-Processor22] DEBUG
>> >> com.ecyrd.jspwiki.WikiEngine kalle:/kalle/Wiki.jsp kalle:http://
>> >> localhost:8180/kalle/Wiki.jsp - Page TaloInfo rendered, took
>> >> 0:00:00.005
>> >>
>> >> --
>> >> * Sufficiently advanced magic is indistinguishable from technology (T.P)  *
>> >> *           PGP public key available @ http://www.iki.fi/killer           *
>> >
>> >
>>
>> --
>> * Sufficiently advanced magic is indistinguishable from technology (T.P)  *
>> *           PGP public key available @ http://www.iki.fi/killer           *
>>
>
>
>
> -- 
> with kind regards,
> Harry Metske
> Telnr. +31-548-512395
> Mobile +31-6-51898081

-- 
* Sufficiently advanced magic is indistinguishable from technology (T.P)  *
*           PGP public key available @ http://www.iki.fi/killer           *
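Added example, not JSPWiki code and not from anyone in this thread: a small Python audit that parses the `[{ALLOW ...}]` page markup and the policy-file grants shown above and reports roles (Anonymous here) that the policy grants an action the page ACL reserves for someone else. It does not model JSPWiki's own resolution order; it only surfaces the overlap Janne points at, so an administrator can spot a wildcard policy grant before relying on a page ACL. The page and policy text are constructed from the thread; the wiki name "kalle" and page "TaloInfo" come from the log.

```python
import re
# Constructed inputs modelled on the thread: a page header restricting "view"
# to Asserted, and a policy granting the Anonymous role "view" on "*:*".
PAGE_TEXT = """[{ALLOW view Asserted}]
Private content that only asserted users should see.
"""
POLICY_TEXT = """
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission
"*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
"*", "login";
};
"""

ACL_RE = re.compile(r"\[\{\s*ALLOW\s+(\w+)\s+([^}]+?)\s*\}\]")
GRANT_RE = re.compile(r'grant\s+principal\s+\S+\s+"([^"]+)"\s*\{(.*?)\};', re.S)
PERM_RE = re.compile(r'permission\s+(\S+)\s+"([^"]+)"\s*,\s*"([^"]+)"\s*;')

def parse_page_acl(text):
    """Map each action in the page's [{ALLOW ...}] lines to its principals."""
    acl = {}
    for action, who in ACL_RE.findall(text):
        acl.setdefault(action, set()).update(p.strip() for p in who.split(","))
    return acl

def parse_policy_page_grants(text):
    """Return (role, target, actions) for every PagePermission in the policy."""
    grants = []
    for role, body in GRANT_RE.findall(text):
        for cls, target, actions in PERM_RE.findall(body):
            if cls.endswith(".PagePermission"):
                grants.append((role, target, {a.strip() for a in actions.split(",")}))
    return grants

def target_matches(target, wiki, page):
    """PagePermission targets are "wiki:page"; "*" on either side is a wildcard."""
    w, _, p = target.partition(":")
    return w in ("*", wiki) and p in ("*", page)

def find_conflicts(page_text, policy_text, wiki, page):
    """Roles the policy grants an action that the page ACL reserves for others."""
    acl = parse_page_acl(page_text)
    conflicts = []
    for role, target, actions in parse_policy_page_grants(policy_text):
        if not target_matches(target, wiki, page):
            continue
        for action in sorted(actions & set(acl)):
            if role not in acl[action]:
                conflicts.append((role, action, sorted(acl[action])))
    return conflicts
```

Running `find_conflicts(PAGE_TEXT, POLICY_TEXT, "kalle", "TaloInfo")` reports that Anonymous is granted "view" by the policy while the page ACL lists only Asserted, which is exactly the mismatch discussed in the thread.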
