jspwiki-dev mailing list archives

From Juan Pablo Santos Rodríguez (JIRA) <j...@apache.org>
Subject [jira] [Commented] (JSPWIKI-924) Attachments fail using JAAS SSO container authentication
Date Wed, 09 Dec 2015 09:34:11 GMT

    [ https://issues.apache.org/jira/browse/JSPWIKI-924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15048372#comment-15048372 ]

Juan Pablo Santos Rodríguez commented on JSPWIKI-924:
-----------------------------------------------------

Hi Steven,

A lot of things in your last comments, so taking them one by one. First and foremost, using your
policy:

{code}
grant principal org.apache.wiki.auth.authorize.Role "approved" {
    permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view,edit,modify,rename,upload";
    permission org.apache.wiki.auth.permissions.GroupPermission "*:*", "view,edit";
    permission org.apache.wiki.auth.permissions.WikiPermission "*", "createPages,login,editPreferences";
};

grant principal org.apache.wiki.auth.authorize.Role "unapproved" {
    permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
    permission org.apache.wiki.auth.permissions.GroupPermission "*:*", "view";
    permission org.apache.wiki.auth.permissions.WikiPermission "*", "view";
};
{code}

I was able to successfully attach files, so something is going on with the authentication
mechanism (note that you could simplify the policy as [some permissions imply others|https://jspwiki-wiki.apache.org/Wiki.jsp?page=Wiki.Admin.Security#section-Wiki.Admin.Security-ImpliedPermissions]).
Would you mind, on your custom authentication class, checking the roles assigned to a user
when you're on JSPWiki? Specifically, when you're editing, renaming and attaching a file.
First case is to test a given permission, second one implies upload attachments, and the third
one to compare with the other two.

As for the xml files of users and groups, they're harmless, as you're using web auth. They
get created b/c they're used when you're not using container auth.

Regarding the incorrect link, don't think it'll help your case, since it just tells how
to configure your tomcat, but I'll edit my comment and fix it for future references.

br,
juan pablo

> Attachments fail using JAAS SSO container authentication
> --------------------------------------------------------
>
>                 Key: JSPWIKI-924
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-924
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Core & storage
>    Affects Versions: 2.10.1
>         Environment: CentOS 6.5 OS, Tomcat 7.0.42, 32-byte single line plain text attachment test file.
>            Reporter: Steven Walsh
>            Priority: Minor
>         Attachments: jspwiki.policy-extract
>
>
> I'm trying to implement JSPWiki in a JAAS authentication 
> SSO environment. I have installed JSPWiki and made some 
> minor adjustments to the jspwiki.policy to account for 
> different user role names, and everything seems to be 
> working OK, except for one thing. None of the users 
> (including the administrator) can add attachments to 
> any of the pages. If I run the wiki standalone, (outside 
> JAAS), attachments work fine. 
> I'm using JSPWiki 2.10.1 with Tomcat 7.0.42 on a CentOS 
> 6.5 server. My attachment test file is a one-line 32 byte text file. 
> I have three basic user roles, all require JAAS authorization 
> to access the wiki. User roles are admin, approved (read 
> and write for most pages), and unapproved (read only). 
> I'm fairly confident that the authentication methods are 
> working properly as all page permissions are working as 
> expected for each user type. 
> But when any admin or approved user tries to add an 
> attachment to any page, they get redirected to an Error.jsp 
> page showing a java.lang.Exception. To try and track down 
> the error source, I rewrote the AttachmentServlet class 
> and added a number of additional debug messages. 
> Based on what I'm seeing, it appears to me that the error 
> is caused by the upload.parseRequest ( req ) returning 
> an empty List<FileItem> fileItems in the upload method. 
> I added a debug line to verify the contents of the request 
> and it is properly populated entering the upload method, 
> but it is consumed @ req.getParameter( "progressid" ). 
> I commented out the use of the progress bar and found 
> the request consumption moves to the context creation 
> @ m_engine.createContext( req, WikiContext.ATTACH ); 
> Once it is consumed there, there is nothing left for the 
> upload.parseRequest (req ) to read. 
> I realize that I consumed the request by reading it for the 
> debug message, but I only used it once per test run to 
> determine where it was consumed. In the following log 
> extract, that was at time 2015-11-25 14:05:41.892, 
> which was after the createContext and before the 
> upload.parseRequest. 
> I'm inexperienced with the doFilter mechanism, and I see 
> that it is part of the exception dump, and I don't know if 
> that is working or not, but since upload.parseRequest ( req ) 
> is returning an empty fileItems list, I suspect there is 
> something going on there. But I'm in over my head here. 
> This is the log extract, starting right after the container JAAS 
> has authorized the user. 
> ================= 
> 2015-11-25 14:05:41.797 [http-bio-8080-exec-1] DEBUG AttachmentServlet 168 - UploadServlet initialized. Using /home/testwiki/storage//attach-tmp for temporary storage.
> 2015-11-25 14:05:41.797 [http-bio-8080-exec-1] DEBUG SessionMonitor 117 - Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7... found it
> 2015-11-25 14:05:41.797 [http-bio-8080-exec-1] DEBUG WikiSession 851 - Custom com.apache.wiki.WikiSession.isIPV4Address has been entered
> 2015-11-25 14:05:41.798 [http-bio-8080-exec-1] DEBUG SessionMonitor 117 - Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7... found it
> 2015-11-25 14:05:41.798 [http-bio-8080-exec-1] DEBUG SessionMonitor 117 - Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7... found it
> 2015-11-25 14:05:41.798 [http-bio-8080-exec-1] DEBUG WikiServletFilter 164 - Executed security filters for user=AdminUser, path=/TestWiki/attach
> 2015-11-25 14:05:41.799 [http-bio-8080-exec-1] DEBUG AttachmentServlet 437 - AttachmentServlet doPost entered
> 2015-11-25 14:05:41.799 [http-bio-8080-exec-1] DEBUG AttachmentServlet 490 - AttachmentServlet upload entered
> 2015-11-25 14:05:41.820 [http-bio-8080-exec-1] DEBUG AttachmentServlet 509 - AttachmentServlet upload; starting try
> 2015-11-25 14:05:41.887 [http-bio-8080-exec-1] DEBUG SessionMonitor 117 - Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7... found it
> 2015-11-25 14:05:41.888 [http-bio-8080-exec-1] DEBUG WikiContext 248 - Creating WikiContext for session ID=8974D02E77F76467ACB66B0EAC09C4D7; target=Main
> 2015-11-25 14:05:41.892 [http-bio-8080-exec-1] DEBUG AttachmentServlet 515 - AttachmentServlet upload; after wikiContext req=
> 2015-11-25 14:05:41.903 [http-bio-8080-exec-1] DEBUG AttachmentServlet 535 - AttachmentServlet upload; fileItems.size()=0
> 2015-11-25 14:05:41.903 [http-bio-8080-exec-1] DEBUG AttachmentServlet 536 - AttachmentServlet upload; before for loop
> 2015-11-25 14:05:41.903 [http-bio-8080-exec-1] DEBUG AttachmentServlet 579 - AttachmentServlet upload; after for loop
> 2015-11-25 14:05:41.903 [http-bio-8080-exec-1] DEBUG AttachmentServlet 583 - AttachmentServlet upload; fileItems size was 0; doing redirect to errorPage
> 2015-11-25 14:05:41.904 [http-bio-8080-exec-1] DEBUG AttachmentServlet 640 - AttachmentServlet upload; after multiple catch, in finally
> 2015-11-25 14:05:41.904 [http-bio-8080-exec-1] DEBUG SessionMonitor 117 - Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7... found it
> 2015-11-25 14:05:41.904 [http-bio-8080-exec-1] DEBUG AttachmentServlet 451 - AttachmentServlet doPost catch doing redirect
> 2015-11-25 14:05:41.904 [http-bio-8080-exec-1] DEBUG AttachmentServlet 454 - AttachmentServlet doPost exiting
> 2015-11-25 14:05:41.944 [http-bio-8080-exec-2] DEBUG WikiServletFilter 107 - Using ByteArrayResponseWrapper
> 2015-11-25 14:05:41.944 [http-bio-8080-exec-2] DEBUG SessionMonitor 117 - Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7... found it
> 2015-11-25 14:05:41.945 [http-bio-8080-exec-2] DEBUG WikiSession 851 - Custom com.apache.wiki.WikiSession.isIPV4Address has been entered
> 2015-11-25 14:05:41.945 [http-bio-8080-exec-2] DEBUG SessionMonitor 117 - Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7... found it
> 2015-11-25 14:05:41.945 [http-bio-8080-exec-2] DEBUG SessionMonitor 117 - Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7... found it
> 2015-11-25 14:05:41.945 [http-bio-8080-exec-2] DEBUG WikiServletFilter 164 - Executed security filters for user=AdminUser, path=/TestWiki/Error.jsp
> 2015-11-25 14:05:41.963 [http-bio-8080-exec-2] DEBUG SessionMonitor 117 - Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7... found it
> 2015-11-25 14:05:41.965 [http-bio-8080-exec-2] DEBUG WikiContext 248 - Creating WikiContext for session ID=8974D02E77F76467ACB66B0EAC09C4D7; target=Error
> 2015-11-25 14:05:41.966 [http-bio-8080-exec-2] DEBUG JSPWiki 125 - Error.jsp exception is:
> 2015-11-25 14:05:41.967 [http-bio-8080-exec-2] ERROR WikiTagBase 84 - WikiTagBase pageContext IS NOT NULL
> 2015-11-25 14:05:41.970 [http-bio-8080-exec-2] ERROR WikiTagBase 97 - Tag failed
> javax.servlet.jsp.JspException: WikiContext may not be NULL - serious internal problem!
> at org.apache.wiki.tags.WikiTagBase.doStartTag(WikiTagBase.java:90)
> at org.apache.jsp.Error_jsp._jspx_meth_wiki_005fMessages_005f0(Error_jsp.java:193)
> at org.apache.jsp.Error_jsp._jspService(Error_jsp.java:138)
> at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> at org.apache.wiki.ui.WikiServletFilter.doFilter(WikiServletFilter.java:177)
> at org.apache.wiki.ui.WikiJSPFilter.doFilter(WikiJSPFilter.java:121)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
> at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:341)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
> at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:724)
> 2015-11-25 14:05:41.973 [http-bio-8080-exec-2] ERROR WikiTagBase 116 - Tag failed, check logs: WikiContext may not be NULL - serious internal problem!
> javax.servlet.jsp.JspException: Tag failed, check logs: WikiContext may not be NULL - serious internal problem!
> at org.apache.wiki.tags.WikiTagBase.doStartTag(WikiTagBase.java:98)
> at org.apache.jsp.Error_jsp._jspx_meth_wiki_005fMessages_005f0(Error_jsp.java:193)
> at org.apache.jsp.Error_jsp._jspService(Error_jsp.java:138)
> at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> at org.apache.wiki.ui.WikiServletFilter.doFilter(WikiServletFilter.java:177)
> at org.apache.wiki.ui.WikiJSPFilter.doFilter(WikiJSPFilter.java:121)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
> at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:341)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
> at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:724)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
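
Added example, not part of the original message and not JSPWiki code: one way to run the role check requested in the comment above is a servlet filter that logs which container roles each request carries. The class name `RoleProbeFilter` and its helpers are hypothetical; the role names come from the issue description and policy, and the filter is assumed to be registered in the wiki's `web.xml` for all paths.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical diagnostic filter (not JSPWiki code): logs container roles per request. */
public class RoleProbeFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(RoleProbeFilter.class.getName());
    // Role names as given in the issue description and the policy above.
    private static final String[] ROLES = { "admin", "approved", "unapproved" };

    @Override public void init(FilterConfig cfg) { /* nothing to configure */ }
    @Override public void destroy() { /* nothing to release */ }

    /** Replace control characters so a crafted user name cannot forge log lines. */
    static String clean(String s) {
        return s == null ? "-" : s.replaceAll("\\p{Cntrl}", "_");
    }

    /** Roles from ROLES that the container reports for this request. */
    static List<String> heldRoles(HttpServletRequest req) {
        List<String> held = new ArrayList<String>();
        for (String role : ROLES) {
            if (req.isUserInRole(role)) held.add(role);
        }
        return held;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            Principal p = http.getUserPrincipal();
            // Only request metadata is read here; the body is never touched,
            // so multipart parsing further down the chain is unaffected.
            LOG.info(http.getMethod() + " " + clean(http.getRequestURI())
                    + " principal=" + clean(p == null ? null : p.getName())
                    + " roles=" + heldRoles(http));
        }
        chain.doFilter(req, res);
    }
}
```

Comparing the logged `roles=` value for the edit, rename and `/attach` requests shows whether the container reports the same roles on the upload path as on the page actions that already work.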
