incubator-jspwiki-user mailing list archives

From Foster Schucker <>
Subject Re: How to hide content for some users
Date Tue, 03 Jul 2012 11:08:44 GMT
I had written a plugin that would allow partial page displays to be 
shown, I think this is what you are looking for.

If it is, let me know and I'll mail you the code.  It's for a very old 
version of JSPWiki; when the base went off in a different direction for 
page auth it was too hard to fit into the new scheme.



The purpose of the Auth Plugin is to allow page level security for 2.0.x 
JSPWiki. It is an Authorization plugin, it uses Container Managed 
to perform the Authentication (and to help control access to some of the 
JSP files) (Also see Auth Plugin Detail 
<http://localhost:8080/schucker/Wiki.jsp?page=AuthPluginDetail>) (The 
Auth Test <http://localhost:8080/schucker/Wiki.jsp?page=AuthTest> page 
has some samples)

[{Auth allow='admin' deny='Janne' edit='editor'}]


*allow* (optional)[1] 
    a list of user names and/or roles that have access to this page[1]

*deny* (optional)
    a list of user names and/or roles that should be denied access to
    this page

*edit* (optional)
    a list of user names and/or roles that have edit access to this page

In the example given, everyone in the admin group has access except for 
Janne, and those people who have the 'editor' role can edit this page.


How to use it

There are two different ways to use Auth. First is to control the 
viewing of a block of text inside of a page:

Everyone will see this text
[{Auth allow='editor'

Only those people with ''editor'' roles will see this text
}]
This text will also be seen by everyone.

Only the text inside the body of the Auth plugin is controlled. The 
plugin can be used any number of times on a page. (Plugins can be 
nested, so you can do:

Everyone will see this text
[{Auth allow='editor'

Only those people with ''editor'' roles will see this text
[{Auth allow='admin'

Only those people with ''editor'' and ''admin'' roles will see this text
}]
Only ''editors'' will see this line
}]
This text will also be seen by everyone.

(A common error is not having the blank line after the Auth plugin and 
not having matched plugin closes)

The second way is to control access to the entire page.

[{Auth allow='ATeam' deny='BA' edit='ATeam'}]

Plane trip for next week is on, I love it when a plan comes together!

Everyone on the ATeam except for BA can see this page, and all of the 
ATeam can edit this page.

How it works

Auth Plugin -- Simply it takes the parameters passed and looks in the 
user and role list to see if they match[2] 

// user name check: String.equalsIgnoreCase against the container's remote user
if (checkthisguy.equalsIgnoreCase(request.getRemoteUser())) {..}
// role check: container-managed roles via HttpServletRequest.isUserInRole
if (request.isUserInRole(checkthisguy)) {..}

If there is not a match for the allow, an AssertionError("Not allowed to 
see this page") is thrown. This error is caught by the uppermost layer 
of the container, and it will produce an error page with this message on 
it. (Tested with Resin and Weblogic, your container may or may not work)

If the user is allowed to view the page then an entry is also made in 
the session variable *pageview*. A similar entry is made in *pageedit* 
if they can edit the page.

In most cases the user will not be able to click on the /Edit this page/ 
link, since if they can't see the page, they are looking at an error page 
that does not have a link on it.

While */Security through Obscurity/* works for some, some users may 
elect to put the entire URL in by hand. To protect against this you will 
need to edit your Edit.jsp file to check and see if they are allowed to 
edit this file. And while you are at it, you should also change the 
Diff.jsp and PageInfo.jsp files.

Finally, things like Recent Changes will still find the /hidden/ pages 
for a user. This means that they will know there is a page called 
*TopSecretPlans* even though they can't view it. If this is a concern to 
you, you can do one of two things:

 1. Call your /hidden/ pages something like *Hidden_TopSecretPlans* and
    change your Recent Changes to ignore files that start with Hidden_.
 2. Use the new 2.1 Wiki with the full featured Authorization And



This is how I do it, you may not get it to work without some (high) 
level of effort on your part. I can try to help you, but plan to spend 
some time, this is not just a plugin you can drop in and use -- 

3 August 2004

I've uploaded a new version that fixes a bug if there are many roles in 
the list. I've also made it a static method and moved all of the null 
checking, wildcards, etc. into the method *userInList*. This allows Auth 
to be safely called from other places (like tags, pages, etc.)

I've uploaded the source to the Auth plugin and the source for AuthTag, 
if you want a compiled version (jar file) let me know.

New exposed method

public static boolean userInList(HttpServletRequest request, String accesslist, String username)

sample call

if (Auth.userInList(request, "editor,admin,superuser", null)) { ... }

Will check to see if this user is in any of those roles.

TLD for AuthTag


[#1]The default in the code is to deny access to a page. While the allow 
parameter is not /required/, it's a good idea to have it in there; you 
can make a page that no user can see.
[#2]The site Administrator is still responsible for putting the user, 
password and role(s) into the system.

Category Third Party Plugin 
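The allow/deny/edit decision the message describes, modelled as an added Python example (it is not the plugin's Java source). Principal stands in for what the container reports through getRemoteUser() and isUserInRole(); the '*' wildcard and the username-override meaning of userInList's third argument are assumptions, as is "edit requires view".

```python
from dataclasses import dataclass, field
from typing import Optional, FrozenSet, Tuple


@dataclass(frozen=True)
class Principal:
    """Stand-in for the container's view of the caller (assumption: a plain
    name plus a set of container-managed roles)."""
    name: Optional[str]                 # None models an unauthenticated request
    roles: FrozenSet[str] = field(default_factory=frozenset)


def user_in_list(principal: Principal, accesslist: Optional[str],
                 username: Optional[str] = None) -> bool:
    """Model of userInList(request, accesslist, username): True when the
    caller's name or any of its roles appears in the comma-separated list.
    Assumed: '*' matches anyone; a non-None `username` replaces the
    container's remote user, as the sample call passes null to check roles."""
    if not accesslist:                  # null/empty list never matches
        return False
    who = username if username is not None else principal.name
    for entry in (e.strip() for e in accesslist.split(",")):
        if not entry:
            continue
        if entry == "*":                # wildcard (assumption)
            return True
        # name check is case-insensitive, like equalsIgnoreCase in the plugin
        if who is not None and entry.lower() == who.lower():
            return True
        # role check is exact, like HttpServletRequest.isUserInRole
        if entry in principal.roles:
            return True
    return False


def page_access(principal: Principal, allow: Optional[str] = None,
                deny: Optional[str] = None,
                edit: Optional[str] = None) -> Tuple[bool, bool]:
    """Returns (can_view, can_edit), the values the plugin records in the
    pageview/pageedit session entries. Default is deny: with no allow list
    nobody views. A deny match wins over allow, and edit requires view, so
    an Edit.jsp that consults this decision cannot be bypassed by typing
    the edit URL by hand."""
    if user_in_list(principal, deny):
        return (False, False)
    can_view = user_in_list(principal, allow)
    can_edit = can_view and user_in_list(principal, edit)
    return (can_view, can_edit)
```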
