jspwiki-user mailing list archives

From Andrew Jaquith <andrew.jaqu...@mac.com>
Subject Re: LDAP groups
Date Thu, 06 Mar 2008 05:35:59 GMT
David --

Your configuration looks fine. Does it work for you? It looks like it  
should...

Milt -- JSPWiki does have a role called "Authenticated" that is granted to *every* user who successfully authenticates, regardless of the method used to authenticate (container-based or custom). "Authenticated" is the role name you should use in the jspwiki.policy file to denote authenticated users, and indeed, its name cannot be changed. It's what we call a "built-in" role, along with the "Anonymous" and "Asserted" roles. It might help you to think of these as "states" rather than logical roles.

In addition to granting privileges to built-in roles (states), you can grant privileges to specific container-managed roles (such as those returned by an LDAP lookup). These are entered as grant blocks in jspwiki.policy. These container roles must also be entered into web.xml, preferably as "security-role" elements, or as "auth-constraint/role-name" elements. David has done both of these things in his examples: in jspwiki.policy you see a permission grant for the container role "tomcat-admin", and a corresponding auth-constraint/role-name element for "tomcat-admin" in web.xml.

Milt, if I've failed to answer your (implied) question, please let me  
know and we can investigate further.

Andrew

On Mar 5, 2008, at 5:45 PM, David Gao wrote:

> Hi Milton,
>
> I did not change the policy for "Authenticated" as I think jspwiki may need that internally. Hope my configuration below may help.
>
> Tomcat server.xml (only JNDIRealm enabled) (LDAP server is Sun One  
> Directory Server)
>     <Realm className="org.apache.catalina.realm.JNDIRealm"
>            debug="99"
>            connectionURL="ldap://localhost:389"
>            connectionName="cn=Directory Manager"
>            connectionPassword="password"
>            userPassword="userPassword"
>            userPattern="uid={0}, ou=People,dc=example,dc=com"
>            roleBase="ou=Groups,dc=example,dc=com"
>            roleName="cn"
>            roleSubtree="true"
>            roleSearch="(uniqueMember={0})"
>     />
> ----------------------------------------------------------------------------
> JSPWiki web.xml Security constraint
>
>      <auth-constraint>
>          <role-name>tomcat-admin</role-name>
>          <role-name>LGE-SH</role-name>
> ...................
>
>  <security-role>
>      <description>
>          This logical role includes all administrative users
>      </description>
>      <role-name>tomcat-admin</role-name>
>  </security-role>
> -------------------------------------------------------------------------------
> Security policy: (added the following as a new entry, no new policy  
> added for other LDAP groups)
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
>   permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> };
>
>
> -------- Original Message --------
>> Can I just clarify that it is not possible to "rename" the  
>> Authenticated role in the policy file in order to map it to  
>> something else in the LDAP directory?
>>
>> Last time I investigated this, it seemed that jspwiki expected  
>> there to be a role named "Authenticated" that the user was a member  
>> of, regardless of what the policy file might call this role.
>>
>>
>> Andrew Jaquith wrote:
>>> David - your simple example works much better than my long-winded  
>>> explanation might have. :) Nice one.
>>>
>>> Ryan - the important point here is that you can add container  
>>> roles to your security policy file using the syntax in David's  
>>> example. You can use container roles in wiki page ACLs, too. To  
>>> make this work, you need to make sure you have a "role" element in  
>>> your web.xml for each LDAP group you are referencing.
>>>
>>> Andrew
>>>
>>> On Mar 5, 2008, at 16:59, David Gao <davidgjm@gmail.com> wrote:
>>
>>
>
>
> -- 
> David Gao (davidgjm@gmail.com)
>
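A small consistency check for the rule Andrew states above (every container role that gets a grant block in jspwiki.policy must also be declared as a role-name in web.xml, while the built-in roles need no such entry). This is an added example, not code from the thread or from JSPWiki; the policy and web.xml fragments are constructed, with "LGE-SH" deliberately granted in the policy but left out of web.xml, and the class names are the ones quoted in David's policy entry.

```python
import re
import xml.etree.ElementTree as ET

# Built-in JSPWiki roles named in the thread; they exist without a web.xml entry.
BUILT_IN_ROLES = {"Authenticated", "Anonymous", "Asserted"}

# Constructed jspwiki.policy fragment, modelled on the grant block in the thread.
SAMPLE_POLICY = '''
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
  permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "LGE-SH" {
  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
};
'''

# Constructed web.xml fragment: tomcat-admin is declared, LGE-SH was forgotten.
SAMPLE_WEB_XML = '''<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <auth-constraint><role-name>tomcat-admin</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>tomcat-admin</role-name></security-role>
</web-app>'''

GRANT_RE = re.compile(
    r'grant\s+principal\s+com\.ecyrd\.jspwiki\.auth\.authorize\.Role\s+"([^"]+)"')


def policy_roles(policy_text):
    """Role names that receive a grant block in jspwiki.policy."""
    return set(GRANT_RE.findall(policy_text))


def web_xml_roles(web_xml_text):
    """Every role-name in web.xml (security-role or auth-constraint).
    Matches on the local tag name so a namespaced web.xml still works."""
    root = ET.fromstring(web_xml_text)
    return {el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "role-name" and el.text}


def undeclared_container_roles(policy_text, web_xml_text):
    """Container roles granted in the policy but never declared in web.xml."""
    granted = policy_roles(policy_text) - BUILT_IN_ROLES
    return sorted(granted - web_xml_roles(web_xml_text))


if __name__ == "__main__":
    for role in undeclared_container_roles(SAMPLE_POLICY, SAMPLE_WEB_XML):
        print(f"'{role}' is granted in jspwiki.policy but not declared in web.xml")
```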

