jspwiki-user mailing list archives

From Milton Taylor <mcto...@gmail.com>
Subject Is the Authenticated role name "hard wired?"
Date Mon, 21 Jan 2008 04:35:58 GMT
I have just upgraded our internal wiki to 2.6.1-cvs-7 and am puzzled by 
something.

I'm using container-based authentication (under JBoss). I have set this 
up to use both LDAP and JDBC to authenticate users. LDAP holds the 
internal users, and the database holds the external users. The initial 
role I gave the external users was "WikiUser". This role is in turn 
specified in both web.xml and the jspwiki.policy file, and is supposed 
to give read-only access to the wiki. In contrast, the "Authenticated" 
role is allowed read-write access and is used by the internal users.

What I have found though is that the system behaves as if every user who 
has authenticated successfully is implicitly a member of role 
'Authenticated' even though the users had not been explicitly given 
this role. I was able to confirm this by switching things around, so 
that the Authenticated role only gave them view privileges, and to get 
read/write access required being a member of role 'WikiEditor', which 
had its own rights granted in the policy file.

Is this intentional? I.e., changing the standard role names in the 
policy file to something else doesn't necessarily work correctly.

Also, I assume that privileges are additive, in that if you are a member 
of some extra role, you will get whatever rights are granted by that 
role in the policy file in addition to whatever rights are granted by 
the Authenticated role?

Thanks,
Milt.


