incubator-jspwiki-user mailing list archives

From "Carlson, Eric R" <eric.carl...@kroger.com>
Subject RE: Allow tag does not restrict access
Date Fri, 10 Apr 2009 16:59:51 GMT
Harry,

        The page is very simple.  Here it is:

-----------------------------

[{ALLOW view #955203}]
[{ALLOW edit #955203}]

Only #955203 should be allowed to view or edit this page.

----------------------------------

        I realize the view and edit are sort of redundant, but I figured it should still work.

                                                Eric R. Carlson
                                                        Eric.Carlson@kroger.com
                                                        (513)-387-7739


-----Original Message-----
From: Harry Metske [mailto:harry.metske@gmail.com]
Sent: Friday, April 10, 2009 12:54 PM
To: jspwiki-user@incubator.apache.org
Subject: Re: Allow tag does not restrict access

Eric, Bhavani,

Could you also paste the relevant parts of the page you are trying to protect?
So basically the ALLOW tag you are using.

Harry

2009/4/10 Carlson, Eric R <eric.carlson@kroger.com>

> I've been having the exact same problem, and haven't been making any
> headway on it, so I've gone over the FAQ to see if I can find the cause.
>
> First, I'm running JSPWiki 2.8.1.
>
> I have two user-ids I can access.   One is defined as an administrator, the
> second one isn't.  I was able to verify this by logging on to both of them,
> going into 'My Prefs', and clicking on the 'Profile' tab.  UserA shows :
> Roles - All, Authenticated; Groups - None.   UserB shows : Roles - All,
> Authenticated; Groups - Admin.
>
> I am not currently able to run the SecurityConfig.jsp application (see my
> other message), so I can't include the output here.
>
> I have enabled the security log, and set the logging level to DEBUG.
> While I see messages in the log each time I log in, I don't see any sort of
> messages in the security log when I access a new page.  I'm not sure if I should
> expect to see such messages, but the FAQ says to check the security log, and
> I don't see anything there, other than logon messages.
>
> I've also cleared all cookies and temporary internet files, and still get
> the same problem.
>
> Here's what I have configured in jspwiki.policy :
>
> --------------------------------
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
> "view";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editPreferences";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editProfile"
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "login";
>  };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
> };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
> };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
> "modify,rename";
>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*",
> "view";
>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:<groupmember>", "edit";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "createPages,createGroups";
>  };
>
> grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> };
>
> -------------------------------
>
>                                                Eric R. Carlson
>
> Eric.Carlson@kroger.com
>
> -----Original Message-----
> From: Harry Metske [mailto:harry.metske@gmail.com]
> Sent: Friday, April 10, 2009 4:23 AM
> To: jspwiki-user@incubator.apache.org; bhanu0608@yahoo.com
> Subject: Re: Allow tag does not restrict access
>
> Since we get quite a few of these questions, I started a FAQ on
> Authorization:
>
> http://www.jspwiki.org/wiki/FAQAuthorization
>
> feel free to add content........
>
> Harry
>
> 2009/4/9 Bhavani <bhanu0608@yahoo.com>
>
> > Hi,
> >
> > We recently started implementing jspwiki. JAAS security is enabled and
> > everything works fine. But I am not able to control access to page edits
> > using the allow tag. Also everyone is able to edit the admin group. Even
> > people who are not members of the group can edit the group. So please help
> > me with the following questions.
> >
> > 1. What am I missing that the allow tag is not working as it should be ?
> > 2. Is there a way to control non-members from editing the groups?
> >
> > -Bhavani
> >
> >
> >
> >
> >
>
> This e-mail message, including any attachments, is for the sole use of the
> intended recipient(s) and may contain information that is confidential and
> protected by law from unauthorized disclosure. Any unauthorized review, use,
> disclosure or distribution is prohibited. If you are not the intended
> recipient, please contact the sender by reply e-mail and destroy all copies
> of the original message.
>

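
An added example, not part of the original thread and not JSPWiki code: standard Java policy-file syntax ends every `permission` entry and every grant block with `;`, and this checker reports entries that lack one, run over two grant blocks reproduced from the policy quoted above. How JSPWiki's own policy reader treats such an entry is not shown on the page; `lint_policy` and its messages are names made up for this sketch.

```python
import re
TOKEN = re.compile(r'"[^"]*"|//.*|[{};,]|[^\s{};,"]+')
NO_SEMI = "permission entry has no terminating ';'"
NO_CLOSE = "grant block not closed with '};'"

# Two grant blocks reproduced from the policy quoted in the message, with the
# e-mail line wrapping and '>' quote markers removed (otherwise unchanged).
SAMPLE_POLICY = '''\
grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile"
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};
grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
'''

def lint_policy(text):
    """Return (line, problem) pairs for entries missing their ';' terminator."""
    problems = []
    open_perm = None   # line of a permission entry still waiting for ';'
    closed_at = None   # line of a '}' still waiting for ';'
    for line_no, line in enumerate(text.splitlines(), 1):
        for tok in TOKEN.findall(line):
            if tok.startswith("//"):          # line comment, not syntax
                continue
            if closed_at is not None:         # token right after '}'
                if tok != ";":
                    problems.append((closed_at, NO_CLOSE))
                closed_at = None
                if tok == ";":
                    continue
            if tok.lower() == "permission" or tok == "}":
                if open_perm is not None:     # previous entry never ended
                    problems.append((open_perm, NO_SEMI))
                open_perm = line_no if tok != "}" else None
                closed_at = line_no if tok == "}" else None
            elif tok == ";":
                open_perm = None
    if open_perm is not None:
        problems.append((open_perm, NO_SEMI))
    if closed_at is not None:
        problems.append((closed_at, NO_CLOSE))
    return problems

if __name__ == "__main__":
    for line_no, problem in lint_policy(SAMPLE_POLICY):
        print(f"line {line_no}: {problem}")
```

On the sample it reports line 4, the `editProfile` entry; block comments (`/* ... */`) are not handled.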