From: Janne Jalkanen
Subject: Re: Anonymous user can see ACL'd pages
Date: Sun, 25 Nov 2007 15:34:03 +0200
To: jspwiki-user@incubator.apache.org

Mm... Then the reason is probably that you're using Asserted (which, for almost all intents and purposes, is equal to Anonymous). Does it work with Authenticated?

/Janne

On 25 Nov 2007, at 15:10, Kalle Kivimaa wrote:

> Yes, because I want *most* of my wiki to be visible to everybody, and
> I understood that an ACL takes precedence over the policy file.
>
> From http://doc.jspwiki.org/2.4/wiki/Security
> "By default, wiki pages do not have access control lists. When a page
> doesn't have an ACL, the default security policy for the page
> applies."
>
> I read that as saying that the security policy is *only* used if there
> is no ACL.
>
> Janne Jalkanen writes:
>
>> Um. You're granting read permissions to Anonymous in your policy
>> file.
>>
>> /Janne
>>
>> On 25 Nov 2007, at 14:47, Kalle Kivimaa wrote:
>>
>>> OK, after finally getting my Tomcat to actually use the security
>>> policy correctly, I still have the problem of the page ACLs not
>>> being used. The JAAS config file is loaded correctly, as is the
>>> policy file (policy file access restrictions work correctly).
>>>
>>> Any ideas what I'm doing wrong?
>>>
>>> Page header:
>>> [{ALLOW view Asserted}]
>>>
>>> Policy file:
>>> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
>>>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
>>>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>>>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>>>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
>>> };
>>>
>>> grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
>>>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
>>> };
>>>
>>> Log file:
>>> 2007-11-25 14:42:58,883 [http-8180-Processor22] DEBUG com.ecyrd.jspwiki.WikiContext kalle:/kalle/Wiki.jsp kalle:http://localhost:8180/kalle/Wiki.jsp - Do we need to log the user in? false
>>> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG com.ecyrd.jspwiki.auth.acl.DefaultAclManager kalle:/kalle/Wiki.jsp kalle:http://localhost:8180/kalle/Wiki.jsp - page=TaloInfo null
>>> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG com.ecyrd.jspwiki.WikiSession kalle:/kalle/Wiki.jsp kalle:http://localhost:8180/kalle/Wiki.jsp - Looking up WikiSession for NULL HttpRequest: returning guestSession()
>>> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG com.ecyrd.jspwiki.WikiContext kalle:/kalle/Wiki.jsp kalle:http://localhost:8180/kalle/Wiki.jsp - Creating WikiContext for session ID=(null); target=TaloInfo
>>> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG com.ecyrd.jspwiki.WikiContext kalle:/kalle/Wiki.jsp kalle:http://localhost:8180/kalle/Wiki.jsp - Do we need to log the user in? false
>>> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG com.ecyrd.jspwiki.parser.JSPWikiMarkupParser kalle:/kalle/Wiki.jsp kalle:http://localhost:8180/kalle/Wiki.jsp - page=TaloInfo, ACL = ALLOW view Asserted
>>> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG com.ecyrd.jspwiki.auth.acl.DefaultAclManager kalle:/kalle/Wiki.jsp kalle:http://localhost:8180/kalle/Wiki.jsp - Adding new acl entry for view
>>> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG com.ecyrd.jspwiki.auth.acl.DefaultAclManager kalle:/kalle/Wiki.jsp kalle:http://localhost:8180/kalle/Wiki.jsp - user = Asserted: (("com.ecyrd.jspwiki.auth.permissions.PagePermission","kalle:TaloInfo","view"))
>>> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG com.ecyrd.jspwiki.parser.JSPWikiMarkupParser kalle:/kalle/Wiki.jsp kalle:http://localhost:8180/kalle/Wiki.jsp - user = Asserted: (("com.ecyrd.jspwiki.auth.permissions.PagePermission","kalle:TaloInfo","view"))
>>> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG com.ecyrd.jspwiki.WikiSession kalle:/kalle/Wiki.jsp kalle:http://localhost:8180/kalle/Wiki.jsp - Looking up WikiSession for NULL HttpRequest: returning guestSession()
>>> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG com.ecyrd.jspwiki.WikiContext kalle:/kalle/Wiki.jsp kalle:http://localhost:8180/kalle/Wiki.jsp - Creating WikiContext for session ID=(null); target=TaloInfo
>>> 2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG com.ecyrd.jspwiki.WikiContext kalle:/kalle/Wiki.jsp kalle:http://localhost:8180/kalle/Wiki.jsp - Do we need to log the user in? false
>>> 2007-11-25 14:42:58,889 [http-8180-Processor22] DEBUG com.ecyrd.jspwiki.WikiEngine kalle:/kalle/Wiki.jsp kalle:http://localhost:8180/kalle/Wiki.jsp - Page TaloInfo rendered, took 0:00:00.005
>>>
>>> --
>>> * Sufficiently advanced magic is indistinguishable from technology (T.P) *
>>> * PGP public key available @ http://www.iki.fi/killer *
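As an added example (not code from this thread or from JSPWiki itself), a small Python audit that applies the rule Kalle quotes (a page's own ACL decides; without one, the policy file does) and, following Janne's reply, treats Asserted as effectively anonymous, so it lists the pages a visitor without a login can read. It assumes the `[{ALLOW view ...}]` page markup and the `grant principal ... Role "..." { ... };` policy syntax shown above, recognises only PagePermission grants, and ignores the page-name pattern in them (a simplification, so it over-reports rather than under-reports).

```python
import re

# Roles the reply above treats as effectively anonymous viewers.
PUBLIC_ROLES = {"Anonymous", "Asserted"}
# Page ACL markup as quoted in the thread, e.g. [{ALLOW view Asserted}]; principals may be comma-separated.
ACL_RE = re.compile(r"\[\{\s*ALLOW\s+(\w+)\s+([^}]+?)\s*\}\]")
# Simplified policy-file grammar (assumption): only 'grant principal ...Role "<name>" { ... };' blocks.
GRANT_RE = re.compile(r'grant\s+principal\s+[\w.]+\.Role\s+"(\w+)"\s*\{(.*?)\};', re.S)
PERM_RE = re.compile(r'permission\s+[\w.]+\.PagePermission\s+"([^"]*)"\s*,\s*"([^"]*)"\s*;')


def page_acl_grants(page_text):
    """Map each ACL'd permission on a page to the set of principals it names."""
    grants = {}
    for perm, principals in ACL_RE.findall(page_text):
        names = {p.strip() for p in principals.split(",") if p.strip()}
        grants.setdefault(perm, set()).update(names)
    return grants


def policy_view_roles(policy_text):
    """Roles the policy file grants a PagePermission whose actions include 'view'."""
    roles = set()
    for role, body in GRANT_RE.findall(policy_text):
        for _pattern, actions in PERM_RE.findall(body):
            if "view" in {a.strip() for a in actions.split(",")}:
                roles.add(role)
    return roles


def publicly_viewable(page_text, policy_text):
    """Rule quoted in the thread: a page's own view ACL wins; without one, the policy decides."""
    acl = page_acl_grants(page_text)
    if "view" in acl:
        return bool(acl["view"] & PUBLIC_ROLES)
    return bool(policy_view_roles(policy_text) & PUBLIC_ROLES)


def audit(pages, policy_text):
    """Names of pages an anonymous or asserted visitor could read."""
    return sorted(n for n, t in pages.items() if publicly_viewable(t, policy_text))


# Constructed sample input: the Anonymous view grant quoted in the thread, plus three pages.
THREAD_POLICY = '''
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
};
'''
PAGES = {
    "TaloInfo": "[{ALLOW view Asserted}]\nSome content.",
    "Private": "[{ALLOW view Authenticated}]\n[{ALLOW edit Admin}]\nSecret.",
    "Main": "Welcome, no ACL here.",
}
```

Running `audit(PAGES, THREAD_POLICY)` reports both TaloInfo (its ACL names Asserted) and Main (no ACL, so the Anonymous policy grant applies); only Private, whose ACL names Authenticated, stays off the list.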