incubator-jspwiki-user mailing list archives

From "Roberto Venturi" <Ro...@Mercurio.It>
Subject JSPWiki and WebSphere
Date Thu, 02 Aug 2012 14:16:30 GMT
Hi,
maybe I'll be the only mad-boy who wants to ("has to") run JSPWiki on
IBM WebSphere using custom authentication. In any case here is what I  
discovered.

In the class org.apache.wiki.auth.AuthorizationManager there is a  
routine called checkStaticPermission
and
in the class org.apache.wiki.auth.SecurityVerifier there is a routine  
called verifyStaticPermission.
In both of them there is a check (inside a try .. catch block) for
JVM-wide security policy and, if it fails (catch an exception), a test  
on local policy.

The problematic code is
"AccessController.checkPermission( permission );"
where "permission" is a parameter to the routine (final Permission  
permission).

In the WebSphere instances I could test (6.1 without security & 7.0
with security) the code "AccessController.checkPermission( permission
);" never throws an exception so the routine always "return Boolean.TRUE"
and local policies are never tested. The result is that everybody can
do anything (edit, rename, delete, ..). Putting a nice "//" in front
of the "return Boolean.TRUE" makes the magical change and JSPWiki
works as desired (only authenticated users can make changes).

Maybe there is some kind of configuration to apply to WebSphere but
I have not found it.

So I ask for a patch in the code (guided by a configuration parameter)  
to skip JVM-wide security policy and go directly to local ones;  
something like
   if (configuratedForJVMSecurity) {
     ... try... catch block
   }


I'm new to "team programming" so this is an "ask for" but if someone
tells me how to change the code (how to spread the patch I've done on
my JSPWiki sources) I'll do it (happy to be allowed to do something
world wide useful :-))

Have nice days,
Roberto




--
Message sent from WebMail - http://www.mercurio.it
-------------------------------------------------------
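
The check order described in the message, with the requested configuration switch, as an added example that is not JSPWiki's code or the poster's patch. The names StaticPermissionDemo, DemoPermission, allowed, useJvmPolicy and the injected jvmCheck/localPolicy parameters are assumptions made for illustration; the "permissive" check simulates a container where the JVM-wide check never throws, as reported above.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.Permission;
import java.util.function.Consumer;
import java.util.function.Predicate;

@SuppressWarnings("removal") // AccessController is deprecated on recent JDKs
public class StaticPermissionDemo {
    /** Constructed stand-in for a wiki permission such as "edit" (hypothetical). */
    static final class DemoPermission extends BasicPermission {
        DemoPermission(String name) { super(name); }
    }

    /** The JVM-wide check named in the message; throws if the JVM policy denies. */
    static final Consumer<Permission> JVM_POLICY = AccessController::checkPermission;

    /**
     * JVM-wide policy first, local policy only if that check throws.
     * With useJvmPolicy == false the JVM-wide step is skipped entirely,
     * which is the configuration-guarded behaviour asked for in the message.
     */
    static boolean allowed(Permission p, boolean useJvmPolicy,
                           Consumer<Permission> jvmCheck,
                           Predicate<Permission> localPolicy) {
        if (useJvmPolicy) {
            try {
                jvmCheck.accept(p);
                return true; // no exception: granted, local policy never consulted
            } catch (AccessControlException e) {
                // JVM-wide policy denied: fall through to the local policy
            }
        }
        return localPolicy.test(p);
    }

    public static void main(String[] args) {
        Permission edit = new DemoPermission("edit");
        Consumer<Permission> permissive = perm -> { };        // simulated: never throws
        Predicate<Permission> anonymousLocal = perm -> false; // local policy: anonymous may not edit

        // Permissive container, JVM-wide check enabled: the local denial is bypassed.
        System.out.println("permissive, flag on : " + allowed(edit, true, permissive, anonymousLocal));
        // Same container, JVM-wide check skipped: the local policy decides.
        System.out.println("permissive, flag off: " + allowed(edit, false, permissive, anonymousLocal));
        // Real check on the JVM this runs in; the result depends on that JVM's policy.
        System.out.println("this JVM, flag on   : " + allowed(edit, true, JVM_POLICY, anonymousLocal));
    }
}
```

Running the last line inside the target container shows whether its JVM-wide policy grants a permission that the local policy would deny.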