From "Enrico Maria Carmona" <e.carm...@hsgerardo.org>
Subject R: R: Help - Authorization
Date Mon, 27 Apr 2009 13:31:38 GMT
Hmm, not sure if <role-name>*</role-name> works.

You can try removing
           <url-pattern>/Edit.jsp</url-pattern>
           <url-pattern>/Comment.jsp</url-pattern>
from 
   	<web-resource-collection>
           <web-resource-name>Authenticated area</web-resource-name>

the only elements needed here are /Delete.jsp and /Login.jsp:

   (from http://doc.jspwiki.org/2.4/wiki/Security )
   When JSPWiki starts up, it parses the JSPWiki's web application
   descriptor (WEB-INF/web.xml) and identifies whether certain constraints
   exist. Specifically, it checks to see if a logical role is required to
   access /Delete.jsp and Login.jsp. If you have uncommented the
   <security-constraint> block, this will be true, and JSPWiki will conclude
   that it should use container authentication instead of custom.


E.g. my web.xml is pretty loose and jspwiki.policy manages the permissions:

--------------------
   <security-constraint>
       <web-resource-collection>
           <web-resource-name>Administrative Area</web-resource-name>
           <url-pattern>/Delete.jsp</url-pattern>
       </web-resource-collection>
       <auth-constraint>
           <role-name>CONTAINER_WIKI_ADMIN_GROUP</role-name>
       </auth-constraint>
   </security-constraint>

   <security-constraint>
       <web-resource-collection>
           <web-resource-name>Authenticated area</web-resource-name>
           <url-pattern>/Login.jsp</url-pattern>
       </web-resource-collection>

       <web-resource-collection>
           <web-resource-name>Read-only Area</web-resource-name>
           <http-method>DELETE</http-method>
           <http-method>POST</http-method>
           <http-method>PUT</http-method>
       </web-resource-collection>

       <auth-constraint>
           <role-name>CONTAINER_WIKI_ADMIN_GROUP</role-name>
           <role-name>CONTAINER_USER</role-name>
       </auth-constraint>
   </security-constraint>
-------------------

> -----Original message-----
> From: lgilardoni61@gmail.com [mailto:lgilardoni61@gmail.com]
> Sent: Monday, 27 April 2009 14:51
> To: jspwiki-user@incubator.apache.org
> Subject: Re: R: Help - Authorization
> 
> 
> Enrico Maria Carmona wrote:
> > Hi Luca
> >
> > What about "Web Container Restrictions" section in 
> SecurityConfig.jsp?
> > Does Authenticated (or Anonymous) role have Edit permission 
> in web.xml?
> >
> > Enrico
> >
> >   
> That's odd indeed. I see:
> Action                    Page           Roles: Anonymous, WikiLexAuthor, *, WikiLexAdmin, Admin, Authenticated
> View pages                /Wiki.jsp
> Comment on existing pages /Comment.jsp
> Edit pages                /Edit.jsp
> Upload attachments        /Upload.jsp
> Create a new group        /NewGroup.jsp
> Rename an existing page   /Rename.jsp
> Delete pages              /Delete.jsp
> 
> 
> Note that I removed admin/authenticated constraints, basically allowing
> anyone to read, as any user in my case is web authenticated and after
> that I need to have everyone with read access at least (I was forced to
> do this as otherwise the rss in my case ended up always empty ... but
> this was a check I completely forgot and possibly messing up things - I
> will check)
> 
>        <auth-constraint>
> <!--  changed
>            <role-name>Admin</role-name>
>            <role-name>Authenticated</role-name>
> -->
>            <role-name>*</role-name>
>        </auth-constraint>
> 
> Btw, I found a workaround by using
>
> com.ecyrd.jspwiki.auth.authorize.Role
>
> after having added my Author group also to the web container groups
> (completely useless but making everything work).
> 
> 
> >
> >   
> >> -----Original message-----
> >> From: lgilardoni61@gmail.com [mailto:lgilardoni61@gmail.com]
> >> Sent: Monday, 27 April 2009 11:23
> >> To: jspwiki-user@incubator.apache.org
> >> Subject: Help - Authorization
> >>
> >>
> >> Hi, I have a problem with authorization. What I'm trying to do:
> >>
> >> 1) JSPWiki 2.8.1 (last patches - should be equiv to 2.8.2)
> >> 2) Tomcat with web container authorization and User/group db
> >> - relying on a third-party user/group set of tables - already checked
> >> accessible:
> >> INFO  [27 Apr 2009 11:11:20,843
> >> com.ecyrd.jspwiki.auth.authorize.GroupManager:initialize@241]:
> >> Authorizer GroupManager initialized successfully; loaded 10 group(s).
> >> 3) policy: any logged in user can see
> >> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
> >>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
> >> };
> >> 4) one user from a container group (admin) and users from application
> >> group WikiLexAdmin can do anything:
> >>
> >> grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "WikiLexAdmin" {
> >>     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> >> };
> >> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
> >>     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> >> };
> >> // note: cannot say grant principal
> >> com.ecyrd.jspwiki.auth.authorize.Role "WikiLexAdmin" as this is NOT a
> >> container group
> >>
> >> 5) but only people in group WikiAuthor can modify:
> >> grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "WikiLexAuthor" {
> >>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
> >>     permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
> >>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*:*", "createPages";
> >> };
> >>
> >> Now, user from (container) group Admin can do anything. Users from
> >> groups WikiLexAdmin or WikiLexAuthor can only read - in spite, btw, of
> >> admin/SecurityConfig.jsp saying everything should be ok:
> >>
> >> Permission / All / Anonymous / Asserted / Authenticated / WikiLexAdmin / Admin / WikiLexAuthor
> >> (one column per role, each split into v e m r d)
> >> PagePermission "WikiSandBox:Main"
> >> PagePermission "WikiSandBox:Index"
> >> PagePermission "WikiSandBox:GroupTest"
> >> PagePermission "WikiSandBox:GroupAdmin"
> >> GroupPermission "WikiSandBox:Admin"
> >> GroupPermission "WikiSandBox:TestGroup"
> >> GroupPermission "WikiSandBox:Foo"
> >> WikiPermission "WikiSandBox","createGroups"
> >> WikiPermission "WikiSandBox","createPages"
> >> WikiPermission "WikiSandBox","login"
> >> WikiPermission "WikiSandBox","editPreferences"
> >> WikiPermission "WikiSandBox","editProfile"
> >> AllPermission "WikiSandBox"
> >>
> >>
> >> Any idea what I'm doing wrong?
> >>
> >> Any help appreciated.
> >>
> >> Luca
> >>

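A small checker in the spirit of this thread, added here as an example and not code from the JSPWiki project or from either poster: it parses a web.xml (the embedded sample is constructed from the two constraints Enrico posted), lists which url-patterns are container-protected and by which roles, applies the documented /Delete.jsp and /Login.jsp rule to predict whether JSPWiki will pick container authentication, and flags any <role-name>*</role-name> so the setting Enrico was unsure about is visible before relying on it.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two constraints Enrico posted, wrapped in a
# <web-app> root with the usual namespace so the text parses stand-alone.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/Delete.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>CONTAINER_WIKI_ADMIN_GROUP</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/Login.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>CONTAINER_WIKI_ADMIN_GROUP</role-name>
      <role-name>CONTAINER_USER</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Strip the xmlns prefix ElementTree puts on every tag of a real web.xml."""
    return tag.rsplit("}", 1)[-1]

def protected_patterns(web_xml_text):
    """Map each url-pattern under a <security-constraint> to the role-names its
    <auth-constraint> allows. A missing or empty <auth-constraint> gives an empty set."""
    result = {}
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        roles = {r.text.strip() for r in sc.iter() if _local(r.tag) == "role-name" and r.text}
        for up in sc.iter():
            if _local(up.tag) == "url-pattern" and up.text:
                result.setdefault(up.text.strip(), set()).update(roles)
    return result

def uses_container_auth(web_xml_text):
    """The rule quoted from the JSPWiki docs above: container authentication is
    assumed only when a logical role is required for both /Delete.jsp and /Login.jsp."""
    pats = protected_patterns(web_xml_text)
    return bool(pats.get("/Delete.jsp")) and bool(pats.get("/Login.jsp"))

def wildcard_roles(web_xml_text):
    """url-patterns whose auth-constraint uses the '*' role-name, the change Luca
    made and Enrico was unsure about; worth flagging in any web.xml review."""
    return sorted(p for p, roles in protected_patterns(web_xml_text).items() if "*" in roles)
```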