incubator-jspwiki-user mailing list archives

From Steve Dahl <d...@goshawk.com>
Subject Re: Problem with custom Authorizers under JSPWiki 2.8.0
Date Mon, 22 Dec 2008 20:54:15 GMT
Steve Dahl wrote:
> Under JSPWiki 2.6.4, we've replaced WebContainerAuthorizer with an 
> LDAPAuthorizer which implements JSPWiki roles in terms of LDAP groups.
>
> When I compile this for JSPWiki 2.8.0, and modify the 
> jspwiki.properties file to use it, our custom LDAPAuthorizer gets 
> initialized, and is sent findRole(), but it never seems to get sent 
> isUserInRole().
>
> If it's useful information, LDAPAuthorizer implements Authorizer (not 
> WebAuthorizer), and it implements isUserInRole() with this signature:
>
>> public boolean isUserInRole( WikiSession session, Principal role )
>
> Is there anything that has changed in Authorizers between 2.6.4 and 
> 2.8.0 that might explain this?

Looking deeper, it seems that in JSPWiki 2.6.X, WikiSession implemented 
injectRolePrincipals(), which initialized the session with whatever 
groups and roles the user belongs to. Groups are read from the group 
database, and Roles are read from the Authorizer.

In JSPWiki 2.8.X, injectRolePrincipals() has been replaced by 
injectGroupPrincipals(), which reads groups from the group database but 
doesn't use the Authorizer. What is the Authorizer used for now?

As a side note, I originally implemented LDAPAuthorizer as 
LDAPGroupDatabase. I ended up rejecting this approach because 
GroupManager assumes that the members of a Group can be read once when 
the Wiki is started, and that the Group's membership will only be 
modified by the Wiki. The problem with LDAP is that the group membership 
can be modified from outside, and the only way to update the wiki would 
be to manually restart it. The Authorizer was a better solution for our 
purposes, because if a user was added to the LDAP group, the Authorizer 
would reflect that change as soon as the user logged out and back in. 
Restarting the wiki is not necessary.
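
The freshness trade-off described in the message above, as an added example that is not part of the original post and is not JSPWiki code. All class names and the in-memory `ldap` map are hypothetical stand-ins; it contrasts membership copied once at startup with roles resolved at login, and shows that a removal made in the directory is also only seen at the next login.

```java
import java.util.*;

// Added illustration; every class here is hypothetical and none is JSPWiki code.
public class MembershipFreshnessDemo {
    // Stand-in for the LDAP server: membership can change outside the wiki.
    static final Map<String, Set<String>> ldap = new HashMap<>();

    // Models the group-database approach: membership copied once at startup.
    static class StartupSnapshot {
        private final Map<String, Set<String>> copy = new HashMap<>();
        StartupSnapshot() {
            ldap.forEach((group, members) -> copy.put(group, new HashSet<>(members)));
        }
        boolean isMember(String user, String group) {
            return copy.getOrDefault(group, Set.of()).contains(user);
        }
    }

    // Models the authorizer approach: roles resolved from the directory at
    // login and then held by the session until it ends.
    static class Session {
        private final Set<String> roles = new HashSet<>();
        Session(String user) {
            ldap.forEach((group, members) -> {
                if (members.contains(user)) roles.add(group);
            });
        }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    public static void main(String[] args) {
        ldap.put("editors", new HashSet<>(List.of("alice")));  // constructed sample data
        StartupSnapshot groups = new StartupSnapshot();         // wiki start
        Session before = new Session("bob");                    // bob logs in with no roles

        ldap.get("editors").add("bob");                         // change made outside the wiki
        System.out.println("startup snapshot: " + groups.isMember("bob", "editors"));
        System.out.println("existing session: " + before.hasRole("editors"));
        Session after = new Session("bob");                     // log out and back in
        System.out.println("new session:      " + after.hasRole("editors"));

        ldap.get("editors").remove("bob");                      // removal made outside the wiki
        System.out.println("after removal, same session: " + after.hasRole("editors"));
        System.out.println("after removal, re-login:     " + new Session("bob").hasRole("editors"));
    }
}
```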

