From ajaqu...@apache.org
Subject svn commit: r900272 - in /incubator/jspwiki/trunk: ./ doc/ src/WebContent/WEB-INF/classes/ src/WebContent/admin/ src/WebContent/templates/default/ src/java/org/apache/wiki/action/ src/java/org/apache/wiki/auth/
Date Mon, 18 Jan 2010 03:37:47 GMT
Author: ajaquith
Date: Mon Jan 18 03:37:46 2010
New Revision: 900272

URL: http://svn.apache.org/viewvc?rev=900272&view=rev
Log:
SecurityConfig gets the Stripes treatment. Minor tweaks to SecurityVerifier to make it JSTL-friendly. SecurityConfig logic moves to AdminActionBean. Minor licensing doc tweaks per [JSPWIKI-544].

Added:
    incubator/jspwiki/trunk/doc/JSPWiki-544 IP process
    incubator/jspwiki/trunk/doc/LICENSE.jcr
    incubator/jspwiki/trunk/doc/LICENSE.slf4j
    incubator/jspwiki/trunk/src/java/org/apache/wiki/action/AdminActionBean.java
Modified:
    incubator/jspwiki/trunk/ChangeLog
    incubator/jspwiki/trunk/LICENSE
    incubator/jspwiki/trunk/src/WebContent/WEB-INF/classes/CoreResources.properties
    incubator/jspwiki/trunk/src/WebContent/admin/SecurityConfig.jsp
    incubator/jspwiki/trunk/src/WebContent/templates/default/ProfileTab.jsp
    incubator/jspwiki/trunk/src/java/org/apache/wiki/action/EditActionBean.java
    incubator/jspwiki/trunk/src/java/org/apache/wiki/auth/SecurityVerifier.java

Modified: incubator/jspwiki/trunk/ChangeLog
URL: http://svn.apache.org/viewvc/incubator/jspwiki/trunk/ChangeLog?rev=900272&r1=900271&r2=900272&view=diff
==============================================================================
--- incubator/jspwiki/trunk/ChangeLog (original)
+++ incubator/jspwiki/trunk/ChangeLog Mon Jan 18 03:37:46 2010
@@ -1,3 +1,12 @@
+2010-01-17 Andrew Jaquith <ajaquith AT apache DOT org>
+
+        * 3.0.0-svn-199
+
+        * SecurityConfig gets the Stripes treatment. Minor
+        tweaks to SecurityVerifier to make it JSTL-friendly.
+        SecurityConfig logic moves to AdminActionBean.
+        Minor licensing doc tweaks per [JSPWIKI-544].
+
 2010-01-09 Andrew Jaquith <ajaquith AT apache DOT org>
 
         * 3.0.0-svn-198

Modified: incubator/jspwiki/trunk/LICENSE
URL: http://svn.apache.org/viewvc/incubator/jspwiki/trunk/LICENSE?rev=900272&r1=900271&r2=900272&view=diff
==============================================================================
--- incubator/jspwiki/trunk/LICENSE (original)
+++ incubator/jspwiki/trunk/LICENSE Mon Jan 18 03:37:46 2010
@@ -205,63 +205,66 @@
 
 Other libraries in this product include:
 
-LIBRARY										LICENSE FILE
+LIBRARY                                   LICENSE FILE
 ===================================================================================
-activation.jar								doc/LICENSE.cddl
-akismet-java-1.02.jar						doc/LICENSE.akismet
-commons-codec-1.3.jar						LICENSE
-commons-fileupload-1.2.1.jar				LICENSE
-commons-httpclient-3.0.1.jar				LICENSE
-commons-io-1.4.jar							LICENSE
-commons-lang-2.3.jar						LICENSE
-commons-logging-api.jar						LICENSE
-ecs.jar										LICENSE
-freshcookies-security-0.60.jar				LICENSE
-jakarta-taglibs-standard-1.1.2.jar			LICENSE
-jakarta-taglibs-jstl-1.1.2.jar				LICENSE
-jaxen.jar									doc/LICENSE.jaxen
-jdom.jar									doc/LICENSE.jdom
-jrcs-diff.jar								LICENSE
-jabsorb-1.3.jar								LICENSE
-jsp-api.jar									LICENSE
-log4j-1.2.14.jar							LICENSE
-lucene-highlighter.jar						LICENSE
-lucene.jar									LICENSE
-mail.jar									doc/LICENSE.cddl
-nekohtml.jar								LICENSE
-oro.jar										LICENSE
-oscache.jar									doc/LICENSE.OpenSymphony
-sandler.jar									doc/LICENSE.sandler
-servlet-api.jar								doc/LICENSE.cddl
-xmlrpc.jar									LICENSE
-slf4j-api-1.5.5.jar                      MIT-style license
-slf4j-log4j12-1.5.5.jar                      MIT-style license
+activation.jar                            doc/LICENSE.cddl
+akismet-java-1.02.jar                     doc/LICENSE.akismet
+commons-codec-1.3.jar                     LICENSE
+commons-fileupload-1.2.1.jar              LICENSE
+commons-httpclient-3.0.1.jar              LICENSE
+commons-io-1.4.jar                        LICENSE
+commons-lang-2.3.jar                      LICENSE
+ecs.jar                                   LICENSE
+ehcache-1.6.0.jar                         LICENSE
+freshcookies-security-0.62.jar            LICENSE
+jabsorb-1.3.jar                           LICENSE
+jakarta-taglibs-standard-1.1.2.jar        LICENSE
+jakarta-taglibs-jstl-1.1.2.jar            LICENSE
+jaxen.jar                                 doc/LICENSE.jaxen
+jcl-over-slf4j-1.5.6.jar                  doc/LICENSE.slf4j
+jul-to-slf4j-1.5.6.jar                    doc/LICENSE.slf4j
+jcr-1.0.jar                               doc/LICENSE.jcr
+jdom.jar                                  doc/LICENSE.jdom
+jrcs-diff.jar                             LICENSE
+jsp-api.jar                               LICENSE
+log4j-1.2.14.jar                          LICENSE
+lucene-highlighter.jar                    LICENSE
+lucene.jar                                LICENSE
+mail.jar                                  doc/LICENSE.cddl
+nekohtml.jar                              LICENSE
+priha-0.7.0-alpha                         LICENSE
+sandler.jar                               doc/LICENSE.sandler
+servlet-api.jar                           doc/LICENSE.cddl
+slf4j-api-1.5.6.jar                       doc/LICENSE.slf4j
+slf4j-log4j12-1.5.6.jar                   doc/LICENSE.slf4j
+stripes-1.6-svn-1193.jar                  LICENSE
+xmlrpc.jar                                LICENSE
 
-TEST LIBRARY								LICENSE FILE
+TEST LIBRARY                              LICENSE FILE
 ===================================================================================
-commons-el-1.0.jar							LICENSE
-custom_rhino.jar							doc/LICENSE.mpl
-hsqldb.jar									doc/LICENSE.hsqldb
-jasper-compiler-5.5.25.jar					LICENSE
-jasper-runtime-5.5.25.jar					LICENSE
-jetty-jmx-5.1.14.jar						doc/LICENSE.Jetty
-jetty-plus-5.1.14.jar						doc/LICENSE.Jetty
-jetty-servlet-5.1.14.jar					doc/LICENSE.Jetty
-junit.jar									doc/LICENSE.cpl
-selenium-java-client-driver-1.0-beta1.jar	LICENSE
-selenium-server-1.0-beta1.jar				LICENSE
-stripes-1.5.jar								LICENSE
-xercesImpl-2.6.2.jar						LICENSE
-xml-apis-1.0.b2.jar							LICENSE
-yuicompressor-2.3.3.jar						doc/LICENSE.yui
+commons-el-1.0.jar                        LICENSE
+custom_rhino.jar                          doc/LICENSE.mpl
+hsqldb.jar                                doc/LICENSE.hsqldb
+jasper-compiler-5.5.25.jar                LICENSE
+jasper-runtime-5.5.25.jar                 LICENSE
+jetty-jmx-5.1.14.jar                      doc/LICENSE.Jetty
+jetty-plus-5.1.14.jar                     doc/LICENSE.Jetty
+jetty-servlet-5.1.14.jar                  doc/LICENSE.Jetty
+junit.jar                                 doc/LICENSE.cpl
+selenium-java-client-driver-1.0b2.jar     LICENSE
+selenium-server-1.0b2.jar                 LICENSE
+xercesImpl-2.6.2.jar                      LICENSE
+xml-apis-1.0.b2.jar                       LICENSE
+yuicompressor-2.4.2.jar                   doc/LICENSE.yui
 
-JS LIBRARY									LICENSE FILE
+JAVASCRIPT LIBRARY                        LICENSE FILE
 ===================================================================================
-mootools.js									doc/LICENSE.mit
-prettify.js									LICENSE
-SlimBox										doc/LICENSE.mit 
-posteditor.js								MIT-style license
+fckconfig.js                              doc/LICENSE.mpl
+mootools.js                               doc/LICENSE.mit
+prettify.js                               LICENSE
+SlimBox                                   doc/LICENSE.mit 
+posteditor.js                             "MIT-style license"
 
-RESOURCES									LICENSE FILE
+RESOURCE                                  LICENSE FILE
 ===================================================================================
-SilkIconSet									doc/LICENSE.SilkIconSet
+SilkIconSet                               doc/LICENSE.SilkIconSet

Added: incubator/jspwiki/trunk/doc/JSPWiki-544 IP process
URL: http://svn.apache.org/viewvc/incubator/jspwiki/trunk/doc/JSPWiki-544%20IP%20process?rev=900272&view=auto
==============================================================================
--- incubator/jspwiki/trunk/doc/JSPWiki-544 IP process (added)
+++ incubator/jspwiki/trunk/doc/JSPWiki-544 IP process Mon Jan 18 03:37:46 2010
@@ -0,0 +1,45 @@
+The source code for JSPWiki is all Apache 2.0-licensed. The Apache Software Foundation owns all rights source code, configuration files, and related intellectual property. The only exception to this are bundled third-party libraries, whose rights remain those of their respective owners.
+
+JSPWiki originated outside Apache as an independent project led by Janne Jalkanen. After admission into the Incubator program, the project team took the following steps to ensure that the old JSPWiki codebase was cleansed of potential IP issues and that all IP rights were assigned to Apache. The project team:
+
+1 Identified the authors of all code in the JSPWiki codebase
+2 Secured licensing agreements from every author
+3 Re-wrote or removed any code associated with an author who could or would not submit a licensing agreement
+4 Verified that the licensing agreements associated with bundled third-party JARs were Apache-compatible
+5 Removed or replaced third-party resources for which licenses were not Apache-compatible
+
+Details for the process the team used for each step follows.
+
+1. Idenfication of all authors of JSPWiki code
+
+In August 2007, Janne Jalkanen identified all authors, as designated by @author tags in the code. The authors include 6 core developers: Janne Jalkanen, Andrew Jaquith, Erik Bunn, Murray Altheim, Dirk Frederickx and Christophe Sauer. In addition, analysis identified 16 other developers who had contributed code. The Unix grep command was used to find authors.
+
+The complete list of contributors are: Kees Kuip, John Volkar, Alain Ravet, Chuck Smith, Henning Schmiedehausen, Ken Liu, Sebastian Baltes, Hanno Eichelberger, Arent-Jan Banck, David Au, Scott Hurlbert, Dan Frankowski, Torsten Hildebrandt, Steffen Schramm, Janne Jalkanen, Murray Altheim, Christoph Sauer, Erik Bunn, BaseN corporation, Juanpablo Santos Rodriguez, Andrew Jaquith, and Dirk Frederickx.
+
+2. Secured licensing agreements from every author
+
+All of the authors identified in Step 1 were asked to submit an Individual Contributor License Agreement (ICLA) or a Software Grant (SG) agreement, depending on whether they wished to stay involved with the project. This process began in August 2007. As of 9 May 2009, ICLAs or SGs had been secured from 21 of the 22 authors. The one developer that did not submit a CLA was Alain Ravet. All other authors submitted CLAs or SGs; their status can be verified at http://people.apache.org/~jim/committers.html.
+
+3. Re-wrote or removed any code associated with an author who could or would not submit a licensing agreement
+
+As noted, only one author of code in the JSPWiki code based did not submit a CLA. Alain Ravet was the author of a single class, IndexPlugin. Janne Jalkanen re-wrote this class from scratch and checked it in 14 June 2008 (see JIRA issue JSPWIKI-246). 
+
+4. Verified that the licensing agreements associated with 3rd party resources were Apache-compatible
+
+JSPWiki uses 46 third-party JARs, several scripts and a few third-party icons. These works are licensed into two categories: (A) Apache-authorized licenses licenses; (B) Reciprocal licenses. JSPWiki uses no excluded licenses such as GPL and LGPL, per Apache's policy as described at http://www.apache.org/legal/3party.html.
+
+Category A licenses are for those libraries and resources that are Apache-authorized, including Apache 2.0 and MIT licenses. In the list of JARs below, the license requirements of all Apache-licensed JARs and resources are fufilled by the LICENSE document in the top-level directory.
+
+Category B licenses may only be included in within an Apache product if the inclusion is appropriately labeled: CDDL 1.0, CPL 1.0, EPL 1.0, IPL 1.0, MPL 1.0, MPL 1.1, SPL 1.0. To comply with the licensing terms for these works, license files (prefixed LICENSE.) were added to the doc/ top-level project directory.
+
+The Apache 2.0 license for JSPWiki and the full list of third-party software used is contained in the top-level LICENSE file. This file also lists references to appropriate third-party licenses in addition than the Apache 2.0 license.
+
+5. Removed or replaced third-party resources for which licenses were not Apache-compatible
+
+When third-party dependencies and licenses were being analyzed, the JSPWiki development team identified several non-compatible JARs which were replaced or removed. These included:
+- jug-lgpl.jar, an LGPL UUID generator. This was removed in favor of a JDK-based solution.
+- WikiWizard.jar, a graphical wiki text editor. This feature was removed and not replaced.
+- MultiPartRequest.jar, an LGPL-licensed multi-party MIME request parser from Jason Pell. This was replaced by Apache commons-fileupload-1.2.1.jar.
+
+One included JavaScript resource, posteditor.js, contains a single reference in its header to a "MIT-style license." Because this is not exactly an MIT license, the posteditor.js script will be re-written prior to the alpha release.
+

Added: incubator/jspwiki/trunk/doc/LICENSE.jcr
URL: http://svn.apache.org/viewvc/incubator/jspwiki/trunk/doc/LICENSE.jcr?rev=900272&view=auto
==============================================================================
--- incubator/jspwiki/trunk/doc/LICENSE.jcr (added)
+++ incubator/jspwiki/trunk/doc/LICENSE.jcr Mon Jan 18 03:37:46 2010
@@ -0,0 +1,34 @@
+Day Management AG ("Licensor") is willing to license this specification to you ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT ("Agreement"). Please read the terms and conditions of this Agreement carefully.
+
+Content Repository for JavaTM Technology API Specification ("Specification") 
+Version: 1.0 
+Status: FCS 
+Release: 11 May 2005
+
+Copyright 2005 Day Management AG
+Barf├╝sserplatz 6, 4001 Basel, Switzerland.
+All rights reserved.
+
+NOTICE; LIMITED LICENSE GRANTS
+
+1. License for Purposes of Evaluation and Developing Applications. Licensor hereby grants you a fully-paid, non-exclusive, non-transferable, worldwide, limited license (without the right to sublicense), under Licensor's applicable intellectual property rights to view, download, use and reproduce the Specification only for the purpose of internal evaluation. This includes developing applications intended to run on an implementation of the Specification provided that such applications do not themselves implement any portion(s) of the Specification.
+
+2. License for the Distribution of Compliant Implementations. Licensor also grants you a perpetual, non-exclusive, non-transferable, worldwide, fully paid-up, royalty free, limited license (without the right to sublicense) under any applicable copyrights or, subject to the provisions of subsection 4 below, patent rights it may have covering the Specification to create and/or distribute an Independent Implementation of the Specification that: (a) fully implements the Specification including all its required interfaces and functionality; (b) does not modify, subset, superset or otherwise extend the Licensor Name Space, or include any public or protected packages, classes, Java interfaces, fields or methods within the Licensor Name Space other than those required/authorized by the Specification or Specifications being implemented; and (c) passes the Technology Compatibility Kit (including satisfying the requirements of the applicable TCK Users Guide) for such Specification ("Co
 mpliant Implementation"). In addition, the foregoing license is expressly conditioned on your not acting outside its scope. No license is granted hereunder for any other purpose (including, for example, modifying the Specification, other than to the extent of your fair use rights, or distributing the Specification to third parties).
+
+3. Pass-through Conditions. You need not include limitations (a)-(c) from the previous paragraph or any other particular "pass through" requirements in any license You grant concerning the use of your Independent Implementation or products derived from it. However, except with respect to Independent Implementations (and products derived from them) that satisfy limitations (a)-(c) from the previous paragraph, You may neither: (a) grant or otherwise pass through to your licensees any licenses under Licensor's applicable intellectual property rights; nor (b) authorize your licensees to make any claims concerning their implementation's compliance with the Specification.
+
+4. Reciprocity Concerning Patent Licenses. With respect to any patent claims covered by the license granted under subparagraph 2 above that would be infringed by all technically feasible implementations of the Specification, such license is conditioned upon your offering on fair, reasonable and non-discriminatory terms, to any party seeking it from You, a perpetual, non-exclusive, non-transferable, worldwide license under Your patent rights that are or would be infringed by all technically feasible implementations of the Specification to develop, distribute and use a Compliant Implementation.
+
+5. Definitions. For the purposes of this Agreement: "Independent Implementation" shall mean an implementation of the Specification that neither derives from any of Licensor's source code or binary code materials nor, except with an appropriate and separate license from Licensor, includes any of Licensor's source code or binary code materials; "Licensor Name Space" shall mean the public class or interface declarations whose names begin with "java", "javax", "javax.jcr" or their equivalents in any subsequent naming convention adopted by Licensor through the Java Community Process, or any recognized successors or replacements thereof; and "Technology Compatibility Kit" or "TCK" shall mean the test suite and accompanying TCK User's Guide provided by Licensor which corresponds to the particular version of the Specification being tested.
+
+6. Termination. This Agreement will terminate immediately without notice from Licensor if you fail to comply with any material provision of or act outside the scope of the licenses granted above.
+
+7. Trademarks. No right, title, or interest in or to any trademarks, service marks, or trade names of Licensor is granted hereunder. Java is a registered trademark of Sun Microsystems, Inc. in the United States and other countries.
+
+8. Disclaimer of Warranties. The Specification is provided "AS IS". LICENSOR MAKES NO REPRESENTATIONS OR WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT (INCLUDING AS A CONSEQUENCE OF ANY PRACTICE OR IMPLEMENTATION OF THE SPECIFICATION), OR THAT THE CONTENTS OF THE SPECIFICATION ARE SUITABLE FOR ANY PURPOSE. This document does not represent any commitment to release or implement any portion of the Specification in any product.
+
+The Specification could include technical inaccuracies or typographical errors. Changes are periodically added to the information therein; these changes will be incorporated into new versions of the Specification, if any. Licensor may make improvements and/or changes to the product(s) and/or the program(s) described in the Specification at any time. Any use of such changes in the Specification will be governed by the then-current license for the applicable version of the Specification.
+
+9. Limitation of Liability. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL LICENSOR BE LIABLE FOR ANY DAMAGES, INCLUDING WITHOUT LIMITATION, LOST REVENUE, PROFITS OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED TO ANY FURNISHING, PRACTICING, MODIFYING OR ANY USE OF THE SPECIFICATION, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+10. Report. If you provide Licensor with any comments or suggestions in connection with your use of the Specification ("Feedback"), you hereby: (i) agree that such Feedback is provided on a non-proprietary and non-confidential basis, and (ii) grant Licensor a perpetual, non-exclusive, worldwide, fully paid-up, irrevocable license, with the right to sublicense through multiple levels of sublicensees, to incorporate, disclose, and use without limitation the Feedback for any purpose related to the Specification and future versions, implementations, and test suites thereof.
\ No newline at end of file

Added: incubator/jspwiki/trunk/doc/LICENSE.slf4j
URL: http://svn.apache.org/viewvc/incubator/jspwiki/trunk/doc/LICENSE.slf4j?rev=900272&view=auto
==============================================================================
--- incubator/jspwiki/trunk/doc/LICENSE.slf4j (added)
+++ incubator/jspwiki/trunk/doc/LICENSE.slf4j Mon Jan 18 03:37:46 2010
@@ -0,0 +1,21 @@
+Copyright (c) 2004-2008 QOS.ch
+All rights reserved.
+
+Permission is hereby granted, free  of charge, to any person obtaining
+a  copy  of this  software  and  associated  documentation files  (the
+"Software"), to  deal in  the Software without  restriction, including
+without limitation  the rights to  use, copy, modify,  merge, publish,
+distribute,  sublicense, and/or sell  copies of  the Software,  and to
+permit persons to whom the Software  is furnished to do so, subject to
+the following conditions:
+
+The  above  copyright  notice  and  this permission  notice  shall  be
+included in all copies or substantial portions of the Software.
+
+THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
+EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
+MERCHANTABILITY,    FITNESS    FOR    A   PARTICULAR    PURPOSE    AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file

Modified: incubator/jspwiki/trunk/src/WebContent/WEB-INF/classes/CoreResources.properties
URL: http://svn.apache.org/viewvc/incubator/jspwiki/trunk/src/WebContent/WEB-INF/classes/CoreResources.properties?rev=900272&r1=900271&r2=900272&view=diff
==============================================================================
--- incubator/jspwiki/trunk/src/WebContent/WEB-INF/classes/CoreResources.properties (original)
+++ incubator/jspwiki/trunk/src/WebContent/WEB-INF/classes/CoreResources.properties Mon Jan 18 03:37:46 2010
@@ -377,4 +377,5 @@
 #Formerly named captcha.asirra.adopt.me.
 org.apache.wiki.content.inspect.AsirraCaptcha.adoptMe=Adopt me
 org.apache.wiki.content.inspect.PasswordChallenge.description = To confirm your changes, enter your password.
-captcha = CAPTCHA test
\ No newline at end of file
+captcha = CAPTCHA test
+changed.email = When you save this page, we will use your profile's e-mail {0} instead of the cookie value {1}. If you want to use {1} instead, change the e-mail address in your profile.
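Review bot: The added `changed.email` value contains a bare apostrophe in `profile's`. If this entry is formatted with `java.text.MessageFormat`, as the `{0}`/`{1}` placeholders suggest, the apostrophe opens a quoted section, so it is dropped and every placeholder after it is printed literally instead of being substituted. Doubling the quote avoids this: `changed.email = When you save this page, we will use your profile''s e-mail {0} instead of the cookie value {1}. ...`. Separately, `{1}` is described as a cookie value, which is client-controlled, so the template that renders this message should HTML-escape both arguments; the hunk does not show whether it does.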

Modified: incubator/jspwiki/trunk/src/WebContent/admin/SecurityConfig.jsp
URL: http://svn.apache.org/viewvc/incubator/jspwiki/trunk/src/WebContent/admin/SecurityConfig.jsp?rev=900272&r1=900271&r2=900272&view=diff
==============================================================================
--- incubator/jspwiki/trunk/src/WebContent/admin/SecurityConfig.jsp (original)
+++ incubator/jspwiki/trunk/src/WebContent/admin/SecurityConfig.jsp Mon Jan 18 03:37:46 2010
@@ -18,324 +18,221 @@
     specific language governing permissions and limitations
     under the License.  
 --%>
+<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
+<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
 <%@ taglib uri="http://jakarta.apache.org/jspwiki.tld" prefix="wiki" %>
-<%@ page import="java.security.Principal" %>
-<%@ page import="org.apache.wiki.log.Logger" %>
-<%@ page import="org.apache.wiki.log.LoggerFactory" %>
-<%@ page import="org.apache.wiki.*" %>
-<%@ page import="org.apache.wiki.auth.*" %>
-<%@ page errorPage="/Error.jsp" %>
 <%@ taglib uri="http://stripes.sourceforge.net/stripes.tld" prefix="s" %>
-<%@ page import="org.apache.wiki.util.TextUtil" %>
-<s:useActionBean beanclass="org.apache.wiki.action.NoneActionBean" event="none" id="wikiActionBean" />
-<%! 
-  public void jspInit()
-  {
-    wiki = WikiEngine.getInstance( getServletConfig() );
-  }
-  Logger log = LoggerFactory.getLogger("JSPWiki"); 
-  WikiEngine wiki;
-  SecurityVerifier verifier;
-%>
-<%
-  WikiContext wikiContext = wiki.createContext( request, WikiContext.NONE );
-  response.setContentType("text/html; charset="+wiki.getContentEncoding() );
-  verifier = new SecurityVerifier( wiki, wikiContext.getWikiSession() );
-
-  //
-  //  This is a security feature, so we will turn it off unless the
-  //  user really wants to.
-  //
-  if( !TextUtil.isPositive(wiki.getWikiProperties().getProperty("jspwiki-x.securityconfig.enable")) )
-  {
-      %>
-      <html>
-      <head>
-        <base href="../" />
-        <link rel="stylesheet" media="screen, projection" type="text/css" href="<wiki:Link format="url" templatefile="jspwiki.css" />" />
-        <wiki:IncludeResources type="stylesheet" />
-      </head>
-      <body><div id="wikibody">
-         <h1>Disabled</h1>
-         <p>JSPWiki SecurityConfig UI has been disabled.  This page could reveal important security
-         details about your configuration to a potential attacker, so it has been turned off by
-         default.  However, it is very easy to enable it by setting the following value</p>
-         <pre>
-             jspwiki-x.securityconfig.enable=true
-         </pre>
-         <p>in your <tt>jspwiki.properties</tt> file.</p>
-         <p>Once you are done with debugging your security configuration, please turn this page
-         off again by removing the preceding line, so that your system is safe again.</p>
-         <p>Have a nice day.  May the Force be with you.</p>
-      </div></body>
-      </html>
-      <%
-      return;
-  }
-
-%>
+<%@ page import="org.apache.wiki.auth.SecurityVerifier" %>
+<%@ page errorPage="/Error.jsp" %>
+<s:useActionBean beanclass="org.apache.wiki.action.AdminActionBean" event="security" id="wikiActionBean" executeResolution="true" />
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-  <title>JSPWiki Security Configuration Verifier</title>
-  <base href="../" />
-  <link rel="stylesheet" media="screen, projection" type="text/css" href="<wiki:Link format="url" templatefile="jspwiki.css" />" />
-  <wiki:IncludeResources type="stylesheet" />
-</head>
-<body>
-<div id="wikibody">
-<div id="page">
-<div id="pagecontent">
-
-<h1>JSPWiki Security Configuration Verifier</h1>
-
-<p>This page examines JSPWiki's security configuration and tries to determine if it is working the way it should. Although JSPWiki comes configured with some reasonable default configuration settings out of the box, it's not always obvious what settings to change if you need to customize the security... and sooner or later, just about everyone does.</p>
-
-<p>This page is dynamically generated by JSPWiki. It examines the authentication, authorization and security policy settings. When we think something looks funny, we'll try to communicate what the issue might be, and will make recommendations on how to fix the problem.</p>
-
-<p><strong>Please delete this JSP when you are finished troubleshooting your system. 
-This diagnostic data presented on this page do not represent a security risk
-to your system <em>per se</em>, but they do provide a significant amount of
-contextual information that could be useful to an attacker. This page is
-currently unconstrained, which means that anyone can view it: nice people, mean people
-and everyone in between. You have been warned.  You can turn it off by setting
-<pre>
- jspwiki-x.securityconfig.enable=false
-</pre>
-in your jspwiki.properties.
-</strong></p>
-
-<!-- 
-  *********************************************
-  **** A U T H E N T I C A T I O N         ****
-  *********************************************
--->
-<h2>Authentication Configuration</h2>
-<!-- 
-  *********************************************
-  **** Container Authentication Verifier   ****
-  *********************************************
--->
-<h3>Container-Managed Authentication</h3>
-<%
-  boolean isContainerAuth = wiki.getAuthenticationManager().isContainerAuthenticated();
-  AuthorizationManager authorizationManager = wiki.getAuthorizationManager();
-  if ( isContainerAuth )
-  {
-%>
-    <!-- We are using container auth -->
-    <p>I see that you've configured container-managed authentication. Very nice.</p>
-<%
-  }
-  else
-  {
-%>
-    <!-- We are not using container auth -->
-    <p>Container-managed authentication appears to be disabled, according to your <code>WEB-INF/web.xml</code> file.</p>
-<%
-  }
-%>
-
-    
-<!-- 
-  *********************************************
-  **** JAAS Authentication Config Verifier ****
-  *********************************************
--->
-<h3>JAAS Login Configuration</h3>
-
-<!-- Notify users which JAAS configs we need to find -->
-<p>JSPWiki wires up its own JAAS to define the authentication process, and does not rely on the JRE configuration. By default, JSPWiki configures its JAAS login stack to use the UserDatabaseLoginModule. You can specify a custom login module by setting the <code>jspwiki.loginModule.class</code> property in <code>jspwiki.properties</code>.</p>
-
-<wiki:Messages div="information" topic='<%=SecurityVerifier.INFO+"java.security.auth.login.config"%>' prefix="Good news: " />
-<wiki:Messages div="warning" topic='<%=SecurityVerifier.WARNING+"java.security.auth.login.config"%>' prefix="We found some potential problems with your configuration: " />
-<wiki:Messages div="error" topic='<%=SecurityVerifier.ERROR+"java.security.auth.login.config"%>' prefix="We found some errors with your configuration: " />
-
-<!-- Print JAAS configuration status -->
-<p>The JAAS login configuration is correctly configured if the <code>jspwiki.loginModule.class</code> property specifies
-a class we can find on the classpath. This class must also be a LoginModule implementation. We will check for both conditions.</p>
-
-<wiki:Messages div="information" topic="<%=SecurityVerifier.INFO_JAAS%>" prefix="Good news: " />
-<wiki:Messages div="warning" topic="<%=SecurityVerifier.WARNING_JAAS%>" prefix="We found some potential problems with your configuration: " />
-<wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_JAAS%>" prefix="We found some errors with your configuration: " />
-
-<!-- 
-  *********************************************
-  **** A U T H O R I Z A T I O N           ****
-  *********************************************
--->
-<h2>Authorization Configuration</h2>
-
-<!-- 
-  *********************************************
-  **** Container Authorization Verifier    ****
-  *********************************************
--->
-<h3>Container-Managed Authorization</h3>
-<%
-  if ( isContainerAuth )
-  {
-%>
-    <!-- We are using container auth -->
-    <p>I see that you've configured container-managed authorization. Very nice.</p>
-<%
-    Principal[] roles = verifier.webContainerRoles();
-    if ( roles.length > 0 )
-    {
-%>
-      <!-- Even better, we are using the standard authorizer, which
-           allows us to identify the roles the container knows about -->
-      <p>Your <code>WEB-INF/web.xml</code> file defines the following roles:</p>
-      <ul>
-<%
-        for( int i = 0; i < roles.length; i++ )
-        {
-%>
-          <li><%=roles[i].getName()%></li>
-<%
-        }
-%>
-      </ul>
-<%
-    }
-    else
-    {
-%>
-      <!-- No roles! That's very odd -->
-      <div class="error">Your <code>WEB-INF/web.xml</code> file does not define any roles. This is an error.</div>
-<%
-    }
-  }
-  else
-  {
-%>
-    <!-- We are not using container auth -->
-    <p>Container-managed authorization appears to be disabled, according to your <code>WEB-INF/web.xml</code> file.</p>
-<%
-  }
-%>
-
-<!-- 
-  *********************************************
-  **** Java Security Policy Verifier       ****
-  *********************************************
--->
-<h3>Security Policy</h3>
-<p>JSPWiki's authorizes user actions by consulting a standard Java 2 security policy file. By default, JSPWiki installs its local security policy file at startup time. This policy file is independent of your global, JVM-wide security policy, if you have one. When checking for authorization, JSPWiki consults the global policy first, then the local policy.</p>
-
-<p>Let's validate the local security policy file. To do this, we parse
-the security policy and examine each <code>grant</code> block. If we see
-a <code>permission</code> entry that is signed, we verify that the certificate
-alias exists in our keystore. The keystore itself must also exist in the file system.
-And as an additional check, we will try to load each <code>Permission</code> class into memory to verify that JSPWiki's classloader can find them.</p>
+  <head>
+    <title>JSPWiki Security Configuration Verifier</title>
+    <base href="../" />
+    <link rel="stylesheet" media="screen, projection" type="text/css" href="<wiki:Link format="url" templatefile="jspwiki.css" />" />
+    <wiki:IncludeResources type="stylesheet" />
+  </head>
+  <body>
+    <div id="wikibody">
+      <div id="page">
+        <div id="pagecontent">
+
+          <h1>JSPWiki Security Configuration Verifier</h1>
+          
+          <p>This page examines JSPWiki's security configuration and tries to determine if it is working the way it should. Although JSPWiki comes configured with some reasonable default configuration settings out of the box, it's not always obvious what settings to change if you need to customize the security... and sooner or later, just about everyone does.</p>
+          
+          <p>This page is dynamically generated by JSPWiki. It examines the authentication, authorization and security policy settings. When we think something looks funny, we'll try to communicate what the issue might be, and will make recommendations on how to fix the problem.</p>
+          
+          <p><strong>Please delete this JSP when you are finished troubleshooting your system. 
+          This diagnostic data presented on this page do not represent a security risk
+          to your system <em>per se</em>, but they do provide a significant amount of
+          contextual information that could be useful to an attacker. This page is
+          currently unconstrained, which means that anyone can view it: nice people, mean people
+          and everyone in between. You have been warned.  You can turn it off by setting
+          <pre>
+           jspwiki-x.securityconfig.enable=false
+          </pre>
+          in your jspwiki.properties.
+          </strong></p>
+          
+          <!-- 
+            *********************************************
+            **** A U T H E N T I C A T I O N         ****
+            *********************************************
+          -->
+          <h2>Authentication Configuration</h2>
+          <!-- 
+            *********************************************
+            **** Container Authentication Verifier   ****
+            *********************************************
+          -->
+          <h3>Container-Managed Authentication</h3>
+          <c:choose>
+            <c:when test="${wikiEngine.authenticationManager.containerAuthenticated}">
+              <p>I see that you've configured container-managed authentication. Very nice.</p>
+            </c:when>
+            <c:otherwise>
+              <p>Container-managed authentication appears to be disabled, according to your <code>WEB-INF/web.xml</code> file.</p>
+            </c:otherwise>
+          </c:choose>
+              
+          <!-- 
+            *********************************************
+            **** JAAS Authentication Config Verifier ****
+            *********************************************
+          -->
+          <h3>JAAS Login Configuration</h3>
+          
+          <!-- Notify users which JAAS configs we need to find -->
+          <p>JSPWiki wires up its own JAAS to define the authentication process, and does not rely on the JRE configuration. By default, JSPWiki configures its JAAS login stack to use the UserDatabaseLoginModule. You can specify a custom login module by setting the <code>jspwiki.loginModule.class</code> property in <code>jspwiki.properties</code>.</p>
+          
+          <wiki:Messages div="information" topic='<%=SecurityVerifier.INFO+"java.security.auth.login.config"%>' prefix="Good news: " />
+          <wiki:Messages div="warning" topic='<%=SecurityVerifier.WARNING+"java.security.auth.login.config"%>' prefix="We found some potential problems with your configuration: " />
+          <wiki:Messages div="error" topic='<%=SecurityVerifier.ERROR+"java.security.auth.login.config"%>' prefix="We found some errors with your configuration: " />
+          
+          <!-- Print JAAS configuration status -->
+          <p>The JAAS login configuration is correctly configured if the <code>jspwiki.loginModule.class</code> property specifies
+          a class we can find on the classpath. This class must also be a LoginModule implementation. We will check for both conditions.</p>
+          
+          <wiki:Messages div="information" topic="<%=SecurityVerifier.INFO_JAAS%>" prefix="Good news: " />
+          <wiki:Messages div="warning" topic="<%=SecurityVerifier.WARNING_JAAS%>" prefix="We found some potential problems with your configuration: " />
+          <wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_JAAS%>" prefix="We found some errors with your configuration: " />
+          
+          <!-- 
+            *********************************************
+            **** A U T H O R I Z A T I O N           ****
+            *********************************************
+          -->
+          <h2>Authorization Configuration</h2>
+          
+          <!-- 
+            *********************************************
+            **** Container Authorization Verifier    ****
+            *********************************************
+          -->
+          <h3>Container-Managed Authorization</h3>
+          <c:choose>
+            <c:when test="${wikiEngine.authenticationManager.containerAuthenticated}">
+              <p>I see that you've configured container-managed authorization. Very nice.</p>
+              <p>Your <code>WEB-INF/web.xml</code> file defines the following roles:</p>
+              <ul>
+                <c:forEach var="role" items="${wikiActionBean.verifier.webContainerRoles}">
+                  <li>${role.name}</li>
+                </c:forEach>
+              </ul>
+              <c:if test="${fn:length(wikiActionBean.verifier.webContainerRoles) == 0}">
+                <div class="error">Your <code>WEB-INF/web.xml</code> file does not define any roles. This is an error.</div>
+              </c:if>
+            </c:when>
+            <c:otherwise>
+              <p>Container-managed authorization appears to be disabled, according to your <code>WEB-INF/web.xml</code> file.</p>
+            </c:otherwise>
+          </c:choose>
+          
+          <!-- 
+            *********************************************
+            **** Java Security Policy Verifier       ****
+            *********************************************
+          -->
+          <h3>Security Policy</h3>
+          <p>JSPWiki's authorizes user actions by consulting a standard Java 2 security policy file. By default, JSPWiki installs its local security policy file at startup time. This policy file is independent of your global, JVM-wide security policy, if you have one. When checking for authorization, JSPWiki consults the global policy first, then the local policy.</p>
+          
+          <p>Let's validate the local security policy file. To do this, we parse
+          the security policy and examine each <code>grant</code> block. If we see
+          a <code>permission</code> entry that is signed, we verify that the certificate
+          alias exists in our keystore. The keystore itself must also exist in the file system.
+          And as an additional check, we will try to load each <code>Permission</code> class into memory to verify that JSPWiki's classloader can find them.</p>
+          
+          <wiki:Messages div="information" topic="<%=SecurityVerifier.INFO_POLICY%>" prefix="Good news: " />
+          <wiki:Messages div="warning" topic="<%=SecurityVerifier.WARNING_POLICY%>" prefix="We found some potential problems with your configuration: " />
+          <wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_POLICY%>" prefix="We found some errors with your configuration: " />
+          
+          <c:if test="${wikiActionBean.verifier.securityPolicyConfigured}">
+            <p>Note: JSPWiki's Policy file parser is stricter than the default parser that ships with the JVM. If you encounter parsing errors, make sure you have the correct comma and semicolon delimiters in your policy file <code>grant</code> entries. The <code>grant</code> blocks must follow this format:</p>
+            <blockquote>
+              <pre>grant signedBy "signer_names", codeBase "URL",
+            principal principal_class_name "principal_name",
+            principal principal_class_name "principal_name",
+            ... {
+            
+            permission permission_class_name "target_name", "action";
+            permission permission_class_name "target_name", "action";
+          };</pre>
+            </blockquote>
+          
+            <p>Note: JSPWiki versions prior to 2.4.6 accidentally omitted commas after the <code>signedBy</code> entries, so you should fix this if you are using a policy file based on a version earlier than 2.4.6.</p>
+          </c:if>
+          
+          <h2>Access Control Validation</h2>
+          
+          <h3>Security Policy Restrictions</h3>
+          
+          <p>Now comes the <em>really</em> fun part. Using the current security policy, we will test the PagePermissions each JSPWiki role possesses for a range of pages. The roles we will test include the standard JSPWiki roles (Authenticated, All, etc.) plus any others you may have listed in the security policy. In addition to the PagePermissions, we will also test the WikiPermissions. The results of these tests should tell you what behaviors you can expect based on your security policy file. If we had problems finding, parsing or verifying the policy file, these tests will likely fail.</p>
 
-<wiki:Messages div="information" topic="<%=SecurityVerifier.INFO_POLICY%>" prefix="Good news: " />
-<wiki:Messages div="warning" topic="<%=SecurityVerifier.WARNING_POLICY%>" prefix="We found some potential problems with your configuration: " />
-<wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_POLICY%>" prefix="We found some errors with your configuration: " />
+          <p>The colors in each cell show the results of the test. <font style="background-color: #c0ffc0;">&nbsp;Green&nbsp;</font> means success; <font style="background-color: #ffc0c0;">&nbsp;red&nbsp;</font> means failure. Hovering over a role name or individual cell will display more detailed information about the role or test.</p>
 
-<%
-  if ( !verifier.isSecurityPolicyConfigured() )
-  {
-%>
-    <p>Note: JSPWiki's Policy file parser is stricter than the default parser that ships with the JVM. If you encounter parsing errors, make sure you have the correct comma and semicolon delimiters in your policy file <code>grant</code> entries. The <code>grant</code> blocks must follow this format:</p>
-    <blockquote>
-      <pre>grant signedBy "signer_names", codeBase "URL",
-    principal principal_class_name "principal_name",
-    principal principal_class_name "principal_name",
-    ... {
-    
-    permission permission_class_name "target_name", "action";
-    permission permission_class_name "target_name", "action";
-};</pre>
-    </blockquote>
+          ${wikiActionBean.verifier.policyRoleTable}
 
-    <p>Note: JSPWiki versions prior to 2.4.6 accidentally omitted commas after the <code>signedBy</code> entries, so you should fix this if you are using a policy file based on a version earlier than 2.4.6.</p>
-<%
-  }
-%>
-
-<h2>Access Control Validation</h2>
-
-<h3>Security Policy Restrictions</h3>
-
-<p>Now comes the <em>really</em> fun part. Using the current security policy, we will test the PagePermissions each JSPWiki role possesses for a range of pages. The roles we will test include the standard JSPWiki roles (Authenticated, All, etc.) plus any others you may have listed in the security policy. In addition to the PagePermissions, we will also test the WikiPermissions. The results of these tests should tell you what behaviors you can expect based on your security policy file. If we had problems finding, parsing or verifying the policy file, these tests will likely fail.</p>
-
-<p>The colors in each cell show the results of the test. <font style="background-color: #c0ffc0;">&nbsp;Green&nbsp;</font> means success; <font style="background-color: #ffc0c0;">&nbsp;red&nbsp;</font> means failure. Hovering over a role name or individual cell will display more detailed information about the role or test.</p>
-
-<%=verifier.policyRoleTable()%>
-
-<div class="information">Important: these tests do not take into account any page-level access control lists. Page ACLs, if they exist, will contrain access further than what is shown in the table.
-<%
-  if ( isContainerAuth )
-  {
-%>
+          <div class="information">Important: these tests do not take into account any page-level access control lists. Page ACLs, if they exist, will contrain access further than what is shown in the table.
+            <c:if test="${wikiEngine.authenticationManager.containerAuthenticated}">
 In addition, because you are using container-managed security, constraints on user activities might be stricter than what is shown in this table. If the container requires that users accessing <code>Edit.jsp</code> possess the container role "Admin," for example, this will override an "edit" PagePermission granted to role "Authenticated." See below.
-<%
-  }
-%>
-</div>
-
-<%
-  if ( isContainerAuth )
-  {
-%>
-    <h3>Web Container Restrictions</h3>
-
-    <p>Here is how your web container will control role-based access to some common JSPWiki actions and their assocated JSPs. These restrictions will be enforced even if your Java security policy is more permissive.</p>
-
-    <p>The colors in each cell show the results of the test. <font style="background-color: #c0ffc0;">&nbsp;Green&nbsp;</font> means success; <font style="background-color: #ffc0c0;">&nbsp;red&nbsp;</font> means failure.</p>
-
-    <!-- Print table showing role restrictions by JSP -->
-    <%=verifier.containerRoleTable()%>
-
-    <div class="information">Important: these tests do not take into account any page-level access control lists. Page ACLs, if they exist, will contrain access further than what is shown in the table.</div>
-
-    <!-- Remind the admin their container needs to return the roles -->
-    <p>Note that your web container will allow access to these pages <em>only</em> if your container's authentication realm returns the roles
-<%
-    Principal[] roles = verifier.webContainerRoles();
-    for( int i = 0; i < roles.length; i++ )
-    {
-%>&nbsp;<strong><%=(roles[i].getName() + (i<(roles.length-1)?",":""))%></strong><%
-    }
-%>
-    If your container's realm returns other role names, users won't be able to access the pages they should be allowed to see -- because the role names don't match. In that case, You should adjust the <code>&lt;role-name&gt;</code> entries in <code>web.xml</code> appropriately to match the role names returned by your container's authorization realm.</p>
-    
-    <p>Now we are going to compare the roles listed in your security policy with those from your <code>web.xml</code> file. The ones we care about are those that aren't built-in roles like "All", "Anonymous", "Authenticated" or "Asserted". If your policy shows roles other than these, we need to make sure your container knows about them, too. Container roles are defined in <code>web.xml</code> in blocks such as these:</p>
-    <blockquote><pre>&lt;security-role&gt;
-  &lt;description&gt;
-    This logical role includes all administrative users
-  &lt;/description&gt;
-  &lt;role-name&gt;Admin&lt;/role-name&gt;
-&lt;/security-role&gt;</pre></blockquote>
-
-    <wiki:Messages div="information" topic="<%=SecurityVerifier.INFO_ROLES%>" prefix="Good news: " />
-    <wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_ROLES%>" prefix="We found some errors with your configuration: " />
-
-<%
-  }
-%>
-
-<h2>User and Group Databases</h2>
-
-<h3>User Database Configuration</h3>
-<p>The user database stores user profiles. It's pretty important that it functions properly. We will try to determine what your current UserDatabase implementation is, based on the current value of the <code>jspwiki.userdatabase</code> property in your <code>jspwiki.properties</code> file. In addition, once we establish that the UserDatabase has been initialized properly, we will try to add (then, delete) a random test user. If all of these things work they way they should, then you should have no problems with user self-registration.</p>
-
-<wiki:Messages div="information" topic="<%=SecurityVerifier.INFO_DB%>" prefix="Good news: " />
-<wiki:Messages div="warning" topic="<%=SecurityVerifier.WARNING_DB%>" prefix="We found some potential problems with your configuration: " />
-<wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_DB%>" prefix="We found some errors with your configuration: " />
-
-<h3>Group Database Configuration</h3>
-<p>The group database stores wiki groups. It's pretty important that it functions properly. We will try to determine what your current GroupDatabase implementation is, based on the current value of the <code>jspwiki.groupdatabase</code> property in your <code>jspwiki.properties</code> file. In addition, once we establish that the GroupDatabase has been initialized properly, we will try to add (then, delete) a random test group. If all of these things work they way they should, then you should have no problems with wiki group creation and editing.</p>
+            </c:if>
+          </div>
 
-<wiki:Messages div="information" topic="<%=SecurityVerifier.INFO_GROUPS%>" prefix="Good news: " />
-<wiki:Messages div="warning" topic="<%=SecurityVerifier.WARNING_GROUPS%>" prefix="We found some potential problems with your configuration: " />
-<wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_GROUPS%>" prefix="We found some errors with your configuration: " />
+          <c:if test="${wikiEngine.authenticationManager.containerAuthenticated}">
+            <h3>Web Container Restrictions</h3>
 
-<!-- We're done... -->
-</div>
-</div>
-</div>
-</body>
+            <p>Here is how your web container will control role-based access to some common JSPWiki actions and their assocated JSPs. These restrictions will be enforced even if your Java security policy is more permissive.</p>
+        
+            <p>The colors in each cell show the results of the test. <font style="background-color: #c0ffc0;">&nbsp;Green&nbsp;</font> means success; <font style="background-color: #ffc0c0;">&nbsp;red&nbsp;</font> means failure.</p>
+        
+            <!-- Print table showing role restrictions by JSP -->
+            ${wikiActionBean.verifier.containerRoleTable}
+        
+            <div class="information">Important: these tests do not take into account any page-level access control lists. Page ACLs, if they exist, will contrain access further than what is shown in the table.</div>
+        
+            <!-- Remind the admin their container needs to return the roles -->
+            <p>Note that your web container will allow access to these pages <em>only</em> if your container's authentication realm returns these roles:</p>
+            <ul>
+              <c:forEach var="role" items="${wikiActionBean.verifier.webContainerRoles}">
+                <li>${role.name}</li>
+              </c:forEach>
+            </ul>
+            <p>If your container's realm returns other role names, users won't be able to access the pages they should be allowed to see -- because the role names don't match. In that case, You should adjust the <code>&lt;role-name&gt;</code> entries in <code>web.xml</code> appropriately to match the role names returned by your container's authorization realm.</p>
+            
+            <p>Now we are going to compare the roles listed in your security policy with those from your <code>web.xml</code> file. The ones we care about are those that aren't built-in roles like "All", "Anonymous", "Authenticated" or "Asserted". If your policy shows roles other than these, we need to make sure your container knows about them, too. Container roles are defined in <code>web.xml</code> in blocks such as these:</p>
+            <blockquote><pre>&lt;security-role&gt;
+          &lt;description&gt;
+            This logical role includes all administrative users
+          &lt;/description&gt;
+          &lt;role-name&gt;Admin&lt;/role-name&gt;
+        &lt;/security-role&gt;</pre></blockquote>
+        
+            <wiki:Messages div="information" topic="<%=SecurityVerifier.INFO_ROLES%>" prefix="Good news: " />
+            <wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_ROLES%>" prefix="We found some errors with your configuration: " />
+          </c:if>
+          
+          <h2>User and Group Databases</h2>
+          
+          <h3>User Database Configuration</h3>
+          <p>The user database stores user profiles. It's pretty important that it functions properly. We will try to determine what your current UserDatabase implementation is, based on the current value of the <code>jspwiki.userdatabase</code> property in your <code>jspwiki.properties</code> file. In addition, once we establish that the UserDatabase has been initialized properly, we will try to add (then, delete) a random test user. If all of these things work they way they should, then you should have no problems with user self-registration.</p>
+          
+          <wiki:Messages div="information" topic="<%=SecurityVerifier.INFO_DB%>" prefix="Good news: " />
+          <wiki:Messages div="warning" topic="<%=SecurityVerifier.WARNING_DB%>" prefix="We found some potential problems with your configuration: " />
+          <wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_DB%>" prefix="We found some errors with your configuration: " />
+          
+          <h3>Group Database Configuration</h3>
+          <p>The group database stores wiki groups. It's pretty important that it functions properly. We will try to determine what your current GroupDatabase implementation is, based on the current value of the <code>jspwiki.groupdatabase</code> property in your <code>jspwiki.properties</code> file. In addition, once we establish that the GroupDatabase has been initialized properly, we will try to add (then, delete) a random test group. If all of these things work they way they should, then you should have no problems with wiki group creation and editing.</p>
+          
+          <wiki:Messages div="information" topic="<%=SecurityVerifier.INFO_GROUPS%>" prefix="Good news: " />
+          <wiki:Messages div="warning" topic="<%=SecurityVerifier.WARNING_GROUPS%>" prefix="We found some potential problems with your configuration: " />
+          <wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_GROUPS%>" prefix="We found some errors with your configuration: " />
+          
+          <!-- We're done... -->
+        </div>
+      </div>
+    </div>
+  </body>
 </html>

Modified: incubator/jspwiki/trunk/src/WebContent/templates/default/ProfileTab.jsp
URL: http://svn.apache.org/viewvc/incubator/jspwiki/trunk/src/WebContent/templates/default/ProfileTab.jsp?rev=900272&r1=900271&r2=900272&view=diff
==============================================================================
--- incubator/jspwiki/trunk/src/WebContent/templates/default/ProfileTab.jsp (original)
+++ incubator/jspwiki/trunk/src/WebContent/templates/default/ProfileTab.jsp Mon Jan 18 03:37:46 2010
@@ -139,14 +139,12 @@
      </wiki:UserProfile>
 
      <%-- Spam protection: password confirmation or CAPTCHA --%>
-     <tr>
-       <td><s:label for="captcha" /></td>
-       <td>
-         <wiki:UserCheck status="notAuthenticated">
-           <wiki:SpamProtect challenge="captcha" />
-         </wiki:UserCheck>
-       </td>
-     </tr>
+     <wiki:UserCheck status="notAuthenticated">
+       <tr>
+         <td><s:label for="captcha" /></td>
+         <td><wiki:SpamProtect challenge="captcha" /></td>
+       </tr>
+     </wiki:UserCheck>
      
      <%-- Save changes --%>
      <tr>

Added: incubator/jspwiki/trunk/src/java/org/apache/wiki/action/AdminActionBean.java
URL: http://svn.apache.org/viewvc/incubator/jspwiki/trunk/src/java/org/apache/wiki/action/AdminActionBean.java?rev=900272&view=auto
==============================================================================
--- incubator/jspwiki/trunk/src/java/org/apache/wiki/action/AdminActionBean.java (added)
+++ incubator/jspwiki/trunk/src/java/org/apache/wiki/action/AdminActionBean.java Mon Jan 18 03:37:46 2010
@@ -0,0 +1,55 @@
+package org.apache.wiki.action;
+
+import java.io.PrintWriter;
+
+import javax.servlet.http.HttpServletResponse;
+
+import net.sourceforge.stripes.action.*;
+
+import org.apache.wiki.WikiEngine;
+import org.apache.wiki.auth.SecurityVerifier;
+import org.apache.wiki.util.TextUtil;
+
+/**
+ * Administration actions
+ */
+public class AdminActionBean extends AbstractActionBean
+{
+    private SecurityVerifier m_securityVerifier = null;
+    
+    /**
+     * If the security configuration UI is enabled, this method initializes a new
+     * {@link SecurityVerifier} and forwards the user to {@code /admin/SecurityConfig.jsp}.
+     * @return the resolution
+     */
+    @DefaultHandler
+    @HandlesEvent( "security" )
+    public Resolution security()
+    {
+        WikiEngine engine = getContext().getEngine();
+        if( TextUtil.isPositive(engine.getWikiProperties().getProperty("jspwiki-x.securityconfig.enable")) )
+        {
+            return new StreamingResolution( "text/html" ) {
+                public void stream( HttpServletResponse response ) throws Exception
+                {
+                    PrintWriter out = response.getWriter();
+                    out.print( "<html><body><p>Security config is disabled.</p></body></html>" );
+                }
+            };
+        }
+        else
+        {
+            m_securityVerifier = new SecurityVerifier( engine, getContext().getWikiSession() );
+            return new ForwardResolution( "/admin/SecurityConfig.jsp" );
+        }
+    }
+    
+    /**
+     * Returns the initialized SecurityVerifier.
+     * @return the verifier
+     */
+    public SecurityVerifier getVerifier()
+    {
+        return m_securityVerifier;
+    }
+}
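Review bot: The guard in `security()` is inverted: when `jspwiki-x.securityconfig.enable` is positive the handler streams "Security config is disabled.", and in every other case it builds the `SecurityVerifier` and forwards to `/admin/SecurityConfig.jsp`. That contradicts the method's Javadoc and the JSP text saying the page is turned off with `jspwiki-x.securityconfig.enable=false`, and it presumably leaves the diagnostic page reachable on an install that never sets the property. Negate the condition: `if( !TextUtil.isPositive( engine.getWikiProperties().getProperty( "jspwiki-x.securityconfig.enable" ) ) )`. No permission annotation is visible on the handler and the JSP describes the page as unconstrained, so the event should also be restricted to administrators; how `AbstractActionBean` enforces permissions is not visible here.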

Modified: incubator/jspwiki/trunk/src/java/org/apache/wiki/action/EditActionBean.java
URL: http://svn.apache.org/viewvc/incubator/jspwiki/trunk/src/java/org/apache/wiki/action/EditActionBean.java?rev=900272&r1=900271&r2=900272&view=diff
==============================================================================
--- incubator/jspwiki/trunk/src/java/org/apache/wiki/action/EditActionBean.java (original)
+++ incubator/jspwiki/trunk/src/java/org/apache/wiki/action/EditActionBean.java Mon Jan 18 03:37:46 2010
@@ -338,7 +338,7 @@
         {
             UserManager mgr = getContext().getEngine().getUserManager();
             UserProfile profile = mgr.getUserProfile( wikiSession );
-            if ( profile.getEmail() != null )
+            if ( profile.getEmail() != null && profile.getEmail().length() > 0 )
             {
                 setEmail( profile.getEmail() );
             }
@@ -621,7 +621,7 @@
             UserProfile profile = engine.getUserManager().getUserProfile( session );
             if ( email.equals( profile.getEmail() ) )
             {
-                Message message = new LocalizableMessage( "changed.email" );
+                Message message = new LocalizableMessage( "changed.email", profile.getEmail(), email );
                 getContext().getMessages().add( message );
             }
         }
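Review bot: The two arguments now passed to `changed.email` are always the same string, because the line sits inside `if ( email.equals( profile.getEmail() ) )`, so the message cannot show an old and a new address. If the message is meant to report a change, the guard probably wants to be `if ( !email.equals( profile.getEmail() ) )`; if it confirms a match, one argument is enough. The enclosing method starts and ends outside the hunk and the `changed.email` resource text is not visible here, so check this against CoreResources.properties. Since the address is user-supplied, also confirm the message is HTML-escaped where it is rendered.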

Modified: incubator/jspwiki/trunk/src/java/org/apache/wiki/auth/SecurityVerifier.java
URL: http://svn.apache.org/viewvc/incubator/jspwiki/trunk/src/java/org/apache/wiki/auth/SecurityVerifier.java?rev=900272&r1=900271&r2=900272&view=diff
==============================================================================
--- incubator/jspwiki/trunk/src/java/org/apache/wiki/auth/SecurityVerifier.java (original)
+++ incubator/jspwiki/trunk/src/java/org/apache/wiki/auth/SecurityVerifier.java Mon Jan 18 03:37:46 2010
@@ -177,7 +177,7 @@
      * {@link org.apache.wiki.auth.authorize.WebContainerAuthorizer}
      * @return the formatted HTML table containing the result of the tests
      */
-    public final String policyRoleTable()
+    public final String getPolicyRoleTable()
     {
         Principal[] roles = m_policyPrincipals;
         String wiki = m_engine.getApplicationName();
@@ -346,7 +346,7 @@
      * @return the formatted HTML table containing the result of the tests
      * @throws WikiException if tests fail for unexpected reasons
      */
-    public final String containerRoleTable() throws WikiException
+    public final String getContainerRoleTable() throws WikiException
     {
 
         AuthorizationManager authorizationManager = m_engine.getAuthorizationManager();
@@ -447,7 +447,7 @@
      * @return the roles parsed from <code>web.xml</code>, or a zero-length array
      * @throws WikiException if the web authorizer cannot obtain the list of roles
      */
-    public final Principal[] webContainerRoles() throws WikiException
+    public final Principal[] getWebContainerRoles() throws WikiException
     {
         Authorizer authorizer = m_engine.getAuthorizationManager().getAuthorizer();
         if ( authorizer instanceof WebContainerAuthorizer )


