incubator-jspwiki-user mailing list archives

From "Joerg Meyer" <jme...@pts-consulting.jp>
Subject RE: Permissions
Date Fri, 28 Mar 2008 01:28:18 GMT
Janne,

Yes indeed :)

There is a way of registering cookies with a domain rather than with a
specific server. I.e. live.jspwiki.com and sandbox.jspwiki.com could use
cookies for jspwiki.com.
This way live and sandbox can share the cookies. However for intranet it
is a pain to always have to type the full URL.
You can also add domain trust with JavaScript. So if you add like domain
trust for sandbox.jspwiki.uk inside a page of sandbox.jspwiki.jp then
the uk site can see the jp cookies. Again that doesn't help with
shorthand URLs.

And both are irrelevant if you stick with the fully qualified domain
name for the server rather than server aliases.

Cheers,
Joerg

-----Original Message-----
From: Janne Jalkanen [mailto:Janne.Jalkanen@ecyrd.com] 
Sent: Friday, March 28, 2008 3:21 AM
To: jspwiki-user@incubator.apache.org
Subject: Re: Permissions


Yupyup, that's a well-known issue which happens due to the browser
security model: In your case machine called "wiki" has no access to the
cookies from the machine "iruka", and therefore login must be done again
(because there is no way to know that this is the same user).  There's
no way around this - this is an important security feature of the
browsers (you do *not* want your daily comic website to have access to
your internet banking cookies... ;-)

/Janne

On 26 Mar 2008, at 06:34, Joerg Meyer wrote:
> I am not sure if this will solve the problem, but we had a while ago a
> double login issue as well.
> Basically when your wiki has two different "locations" then it will
> occasionally require two logins.
>
> The server our wiki is set up on has several aliases but after the login
> the wiki will relocate to its configured location
> (jspwiki.properties). If the domain/server name is different then the
> wiki requires a second login.
>
> i.e.
> http://iruka/wiki login
> Relocate to http://wiki/wiki
> Have to login again
>
> Hope this helps,
> Joerg
>
> -----Original Message-----
> From: Derek Rothwell [mailto:derek@drothwell.co.uk]
> Sent: Sunday, March 23, 2008 4:24 AM
> To: jspwiki-user@incubator.apache.org
> Subject: Permissions
>
> I want to set up permissions so that everybody has to log in to make 
> any changes, and to login for any revisions to be noted.
>
> With the config below:
>
> - when a user has a cookie, they can make a change, but then find it 
> isn't saved. The page revision is updated even though no change has 
> been made.
> It's the page revision that's the problem.
> - when a user has a cookie, JSPWiki detects who they are. They login 
> and find that they move to an "anonymous guest" state. They login a 
> second time and then they are properly asserted. It's the second login
> that's the problem.
>
> Please can you tell me how to correct this behaviour.
>
> I'm using JSPWiki 2.6.1
>
> Derek
>
> // The first policy block is extremely loose, and unsuited for
> // public-facing wikis.
> // Anonymous users are allowed to view, create, edit and comment on all pages
> // (except group pages). Anonymous users can also register with the wiki;
> // to edit their profile after registration, they must log in.
> //
> // Note: For Internet-facing wikis, you are strongly advised to remove the
> // lines containing the "edit" and "createPages" permissions; this will make
> // the wiki read-only for anonymous users.
>
> grant signedBy "jspwiki",
>   principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
> //    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
> //    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
> //    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
> };
>
>
> // This next policy block is also pretty loose. It allows users who claim to
> // be someone (via their cookie) to view, create, edit and comment on all pages
> // (except group pages). Anonymous users can also register with the wiki;
> // to edit their profile after registration, they must log in.
>
> grant signedBy "jspwiki",
>   principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
> //    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
> //    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
> //    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
> //    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
> };
>
>
> // Authenticated users can do most things: view, create, edit and
> // comment on all pages; upload files to existing ones; create and edit
> // wiki groups; and rename existing pages. Authenticated users can register
> // with the wiki, edit their own profiles, and edit groups they create.
>
> grant signedBy "jspwiki",
>   principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
>     permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>     permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
> };
>
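Added example, not part of the thread and not JSPWiki code: a simplified model of the browser cookie scoping rules (RFC 6265) behind the double login, showing why a cookie set on "iruka" is not sent to "wiki" and how a Domain attribute lets live and sandbox share one. The cookie names and values and the comics.example/bank.example hosts are constructed, and the public-suffix check that real browsers also apply is left out.

```javascript
// Simplified RFC 6265 cookie scoping. Host names iruka, wiki and *.jspwiki.com
// come from the thread; everything else is constructed for illustration.

// Section 5.1.3: host equals the domain, or is a subdomain of it (never for IPs).
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Section 5.3 (store): no Domain attribute gives a host-only cookie; a Domain
// attribute that the setting host does not domain-match is rejected outright.
function storeCookie(jar, settingHost, name, value, domainAttr) {
  if (!domainAttr) {
    jar.push({ name, value, domain: settingHost.toLowerCase(), hostOnly: true });
    return true;
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  if (!domainMatch(settingHost, domain)) return false;
  jar.push({ name, value, domain, hostOnly: false });
  return true;
}

// Section 5.4 (send): names of the cookies attached to a request for requestHost.
function cookiesFor(jar, requestHost) {
  const host = requestHost.toLowerCase();
  return jar
    .filter(c => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
    .map(c => c.name);
}

// Constructed scenario mirroring the thread.
function demo() {
  const jar = [];
  storeCookie(jar, "iruka", "session", "constructed-1"); // login via the alias
  storeCookie(jar, "live.jspwiki.com", "shared", "constructed-2", "jspwiki.com");
  const foreign = storeCookie(jar, "comics.example", "x", "constructed-3", "bank.example");
  return {
    iruka: cookiesFor(jar, "iruka"),               // ["session"]
    wiki: cookiesFor(jar, "wiki"),                 // [] so the wiki asks for a login again
    sandbox: cookiesFor(jar, "sandbox.jspwiki.com"), // ["shared"]
    foreignAccepted: foreign,                      // false
  };
}

console.log(demo());
```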

