jspwiki-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From juanpa...@apache.org
Subject svn commit: r1600734 - in /jspwiki/trunk/jspwiki-war/src/main: java/org/apache/wiki/auth/ java/org/apache/wiki/ui/ webapp/
Date Thu, 05 Jun 2014 19:26:32 GMT
Author: juanpablo
Date: Thu Jun  5 19:26:31 2014
New Revision: 1600734

URL: http://svn.apache.org/r1600734
Log:
Applied patch on JSPWIKI-841 (Container Managed Security Not Working), which solves part of
the issue, on unsuccesful login there is no error message with container managed authentication

Modified:
    jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthenticationManager.java
    jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthorizationManager.java
    jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/SecurityVerifier.java
    jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/UserManager.java
    jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/ui/Installer.java
    jspwiki/trunk/jspwiki-war/src/main/webapp/Install.jsp

Modified: jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthenticationManager.java
URL: http://svn.apache.org/viewvc/jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthenticationManager.java?rev=1600734&r1=1600733&r2=1600734&view=diff
==============================================================================
--- jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthenticationManager.java
(original)
+++ jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthenticationManager.java
Thu Jun  5 19:26:31 2014
@@ -100,14 +100,21 @@ public class AuthenticationManager {
      *  <p>
      *  Setting this is now deprecated - we do not guarantee that it works.
      *  
-     *  @deprecated
+     * @deprecated - to be removed on 2.11.0
      */
+    @Deprecated
     public  static final String                PROP_SECURITY       = "jspwiki.security";
 
-    /** Value specifying that the user wants to use the container-managed security, just
like in JSPWiki 2.2. */
+    /** Value specifying that the user wants to use the container-managed security, just
like in JSPWiki 2.2.
+     * @deprecated - to be removed on 2.11.0
+      */
+    @Deprecated
     public static final String                SECURITY_OFF      = "off";
 
-    /** Value specifying that the user wants to use the built-in JAAS-based system */
+    /** Value specifying that the user wants to use the built-in JAAS-based system.
+     * @deprecated - to be removed on 2.11.0
+     */
+    @Deprecated
     public static final String                SECURITY_JAAS     = "jaas";
 
     /** Whether logins should be throttled to limit brute-forcing attempts. Defaults to true.
*/
@@ -137,8 +144,9 @@ public class AuthenticationManager {
     /** Just to provide compatibility with the old versions.  The same
      *  as SECURITY_OFF.
      *
-     *  @deprecated use {@link #SECURITY_OFF} instead
+     *  @deprecated use {@link #SECURITY_OFF} instead - to be removed on 2.11.0
      */
+    @Deprecated
     protected static final String             SECURITY_CONTAINER = "container";
 
     /** The default {@link javax.security.auth.spi.LoginModule} class name to use for custom
authentication. */
@@ -160,10 +168,7 @@ public class AuthenticationManager {
     /** If true, logs the IP address of the editor */
     private boolean                            m_storeIPAddress    = true;
 
-    private boolean               m_useJAAS = true;
-
     /** Keeps a list of the usernames who have attempted a login recently. */
-    
     private TimedCounterList<String> m_lastLoginAttempts = new TimedCounterList<String>();
     
     /**
@@ -180,9 +185,6 @@ public class AuthenticationManager {
         m_engine = engine;
         m_storeIPAddress = TextUtil.getBooleanProperty( props, PROP_STOREIPADDRESS, m_storeIPAddress
);
 
-        // Should J2SE policies be used for authorization?
-        m_useJAAS = SECURITY_JAAS.equals(props.getProperty( PROP_SECURITY, SECURITY_JAAS
));
-        
         // Should we allow cookies for assertions? (default: yes)
         m_allowsCookieAssertions = TextUtil.getBooleanProperty( props,
                                                               PROP_ALLOW_COOKIE_ASSERTIONS,
@@ -225,8 +227,6 @@ public class AuthenticationManager {
      */
     public boolean isContainerAuthenticated()
     {
-        if( !m_useJAAS ) return true;
-
         try
         {
             Authorizer authorizer = m_engine.getAuthorizationManager().getAuthorizer();

Modified: jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthorizationManager.java
URL: http://svn.apache.org/viewvc/jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthorizationManager.java?rev=1600734&r1=1600733&r2=1600734&view=diff
==============================================================================
--- jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthorizationManager.java
(original)
+++ jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthorizationManager.java
Thu Jun  5 19:26:31 2014
@@ -124,8 +124,6 @@ public class AuthorizationManager {
 
     private LocalPolicy                       m_localPolicy     = null;
 
-    private boolean                           m_useJAAS         = true;
-
     /**
      * Constructs a new AuthorizationManager instance.
      */
@@ -178,18 +176,6 @@ public class AuthorizationManager {
      */
     public boolean checkPermission( WikiSession session, Permission permission )
     {
-        if( !m_useJAAS )
-        {
-            //
-            //  Nobody can login, if JAAS is turned off.
-            //
-
-            if( permission == null || "login".equals( permission.getActions() ) )
-                return false;
-
-            return true;
-        }
-
         //
         //  A slight sanity check.
         //
@@ -473,15 +459,10 @@ public class AuthorizationManager {
      * @param properties the set of properties used to initialize the wiki engine
      * @throws WikiException if the AuthorizationManager cannot be initialized
      */
-    @SuppressWarnings("deprecation")
     public void initialize( WikiEngine engine, Properties properties ) throws WikiException
     {
         m_engine = engine;
 
-        m_useJAAS = AuthenticationManager.SECURITY_JAAS.equals( properties.getProperty(AuthenticationManager.PROP_SECURITY,
AuthenticationManager.SECURITY_JAAS ) );
-
-        if( !m_useJAAS ) return;
-
         //
         //  JAAS authorization continues
         //
@@ -525,10 +506,12 @@ public class AuthorizationManager {
      * Returns <code>true</code> if JSPWiki's JAAS authorization system
      * is used for authorization in addition to container controls.
      * @return the result
+     * @deprecated functionality deprecated - returns true always. To be removed on 2.11.0
      */
+    @Deprecated
     protected boolean isJAASAuthorized()
     {
-        return m_useJAAS;
+        return true;
     }
 
     /**
@@ -628,8 +611,6 @@ public class AuthorizationManager {
      */
     protected boolean checkStaticPermission( final WikiSession session, final Permission
permission )
     {
-        if( !m_useJAAS ) return true;
-
         Boolean allowed = (Boolean) WikiSession.doPrivileged( session, new PrivilegedAction<Boolean>()
         {
             public Boolean run()
@@ -681,11 +662,6 @@ public class AuthorizationManager {
      */
     public Principal resolvePrincipal( String name )
     {
-        if( !m_useJAAS )
-        {
-            return new UnresolvedPrincipal(name);
-        }
-
         // Check built-in Roles first
         Role role = new Role(name);
         if ( Role.isBuiltInRole( role ) )

Modified: jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/SecurityVerifier.java
URL: http://svn.apache.org/viewvc/jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/SecurityVerifier.java?rev=1600734&r1=1600733&r2=1600734&view=diff
==============================================================================
--- jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/SecurityVerifier.java (original)
+++ jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/SecurityVerifier.java Thu
Jun  5 19:26:31 2014
@@ -22,7 +22,13 @@ import java.io.File;
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
-import java.security.*;
+import java.security.AccessControlException;
+import java.security.AccessController;
+import java.security.KeyStore;
+import java.security.Permission;
+import java.security.Principal;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Set;
@@ -36,7 +42,11 @@ import org.apache.wiki.InternalWikiExcep
 import org.apache.wiki.WikiEngine;
 import org.apache.wiki.WikiSession;
 import org.apache.wiki.api.exceptions.WikiException;
-import org.apache.wiki.auth.authorize.*;
+import org.apache.wiki.auth.authorize.Group;
+import org.apache.wiki.auth.authorize.GroupDatabase;
+import org.apache.wiki.auth.authorize.GroupManager;
+import org.apache.wiki.auth.authorize.Role;
+import org.apache.wiki.auth.authorize.WebContainerAuthorizer;
 import org.apache.wiki.auth.permissions.AllPermission;
 import org.apache.wiki.auth.permissions.GroupPermission;
 import org.apache.wiki.auth.permissions.PermissionFactory;
@@ -588,19 +598,6 @@ public final class SecurityVerifier
      */
     protected void verifyJaas()
     {
-        // See if JAAS is on
-        AuthorizationManager authMgr = m_engine.getAuthorizationManager();
-        if ( !authMgr.isJAASAuthorized() )
-        {
-            m_session.addMessage( ERROR_JAAS, "JSPWiki's JAAS-based authentication " +
-                    "and authorization system is turned off (your jspwiki.properties file
" +
-                    "contains the setting 'jspwiki.security = container'. This " +
-                    "setting disables authorization checks and is meant for testing " +
-                    "and troubleshooting only. The test results on this page will not " +
-                    "be reliable as a result. You should set this to 'jaas' " +
-                    "so that security works properly." );
-        }
-        
         // Verify that the specified JAAS moduie corresponds to a class we can load successfully.
         String jaasClass = m_engine.getWikiProperties().getProperty( AuthenticationManager.PROP_LOGIN_MODULE
);
         if ( jaasClass == null || jaasClass.length() == 0 )
@@ -612,7 +609,7 @@ public final class SecurityVerifier
         }
         
         // See if we can find the LoginModule on the classpath
-        Class c = null;
+        Class< ? > c = null;
         try
         {
             m_session.addMessage( INFO_JAAS, "The property '" + AuthenticationManager.PROP_LOGIN_MODULE
+

Modified: jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/UserManager.java
URL: http://svn.apache.org/viewvc/jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/UserManager.java?rev=1600734&r1=1600733&r2=1600734&view=diff
==============================================================================
--- jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/UserManager.java (original)
+++ jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/UserManager.java Thu Jun
 5 19:26:31 2014
@@ -104,8 +104,6 @@ public class UserManager {
     /** The user database loads, manages and persists user identities */
     private UserDatabase     m_database;
 
-    private boolean          m_useJAAS      = true;
-
     /**
      * Constructs a new UserManager instance.
      */
@@ -118,13 +116,10 @@ public class UserManager {
      * @param engine the current wiki engine
      * @param props the wiki engine initialization properties
      */
-    @SuppressWarnings("deprecation")
     public void initialize( WikiEngine engine, Properties props )
     {
         m_engine = engine;
 
-        m_useJAAS = AuthenticationManager.SECURITY_JAAS.equals( props.getProperty(AuthenticationManager.PROP_SECURITY,
AuthenticationManager.SECURITY_JAAS ) );
-
         // Attach the PageManager as a listener
         // TODO: it would be better if we did this in PageManager directly
         addWikiEventListener( engine.getPageManager() );
@@ -148,12 +143,6 @@ public class UserManager {
             return m_database;
         }
 
-        if( !m_useJAAS )
-        {
-            m_database = new DummyUserDatabase();
-            return m_database;
-        }
-
         String dbClassName = UNKNOWN_CLASS;
 
         try

Modified: jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/ui/Installer.java
URL: http://svn.apache.org/viewvc/jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/ui/Installer.java?rev=1600734&r1=1600733&r2=1600734&view=diff
==============================================================================
--- jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/ui/Installer.java (original)
+++ jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/ui/Installer.java Thu Jun  5 19:26:31
2014
@@ -28,13 +28,15 @@ import java.util.ResourceBundle;
 import java.util.Set;
 
 import javax.servlet.ServletConfig;
-import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
 
 import org.apache.wiki.PageManager;
 import org.apache.wiki.WikiEngine;
 import org.apache.wiki.WikiSession;
-import org.apache.wiki.auth.*;
+import org.apache.wiki.auth.NoSuchPrincipalException;
+import org.apache.wiki.auth.UserManager;
+import org.apache.wiki.auth.WikiPrincipal;
+import org.apache.wiki.auth.WikiSecurityException;
 import org.apache.wiki.auth.authorize.Group;
 import org.apache.wiki.auth.authorize.GroupManager;
 import org.apache.wiki.auth.user.UserDatabase;
@@ -78,8 +80,7 @@ public class Installer
         m_engine = WikiEngine.getInstance( config );
         m_session = WikiSession.getWikiSession( m_engine, request );
         
-        // Get the servlet context, and file for properties
-        ServletContext context = config.getServletContext();
+        // Get the file for properties
         m_propertyFile = new File(TMP_DIR, PROPFILENAME);
         m_props = new Properties();
         
@@ -194,7 +195,6 @@ public class Installer
         return m_props.getProperty( key );
     }
     
-    @SuppressWarnings("deprecation")
     public void parseProperties () throws Exception
     {
         ResourceBundle rb = ResourceBundle.getBundle( InternationalizationManager.CORE_BUNDLE,
@@ -227,10 +227,6 @@ public class Installer
         parseProperty( WORK_DIR, nullValue );
         sanitizePath( WORK_DIR );
         
-        // Get/sanitize security property
-        nullValue = m_props.getProperty( AuthenticationManager.PROP_SECURITY, AuthenticationManager.SECURITY_JAAS
);
-        parseProperty( AuthenticationManager.PROP_SECURITY, nullValue );
-        
         // Set a few more default properties, for easy setup
         m_props.setProperty( STORAGE_DIR, m_props.getProperty( PAGE_DIR ) );
         m_props.setProperty( PageManager.PROP_PAGEPROVIDER, "VersioningFileProvider" );

Modified: jspwiki/trunk/jspwiki-war/src/main/webapp/Install.jsp
URL: http://svn.apache.org/viewvc/jspwiki/trunk/jspwiki-war/src/main/webapp/Install.jsp?rev=1600734&r1=1600733&r2=1600734&view=diff
==============================================================================
--- jspwiki/trunk/jspwiki-war/src/main/webapp/Install.jsp (original)
+++ jspwiki/trunk/jspwiki-war/src/main/webapp/Install.jsp Thu Jun  5 19:26:31 2014
@@ -135,15 +135,6 @@ if ( !installer.adminExists() )
   <h3><fmt:message key="install.jsp.security.title" /></h3>
   <div class="block">
   
-    <label><fmt:message key="install.jsp.security.sec.conf.label" /></label><br/>
-    <input type="radio" name="<%=AuthenticationManager.PROP_SECURITY%>" value="<%=AuthenticationManager.SECURITY_JAAS%>"
checked="checked"/>
-      <fmt:message key="install.jsp.security.sec.conf.opt1" /><br/>
-    <input type="radio" name="<%=AuthenticationManager.PROP_SECURITY%>" value="<%=AuthenticationManager.SECURITY_OFF%>"/>
-      <fmt:message key="install.jsp.security.sec.conf.opt2" />
-   <div class="description">
-     <fmt:message key="install.jsp.security.sec.conf.desc" />
-   </div>
-  
     <% 
       if( validated )
       {



Mime
View raw message