jspwiki-user mailing list archives

From ENRICO CARMONA <e.carm...@hsgerardo.org>
Subject Re: LDAP authentication problem for jspwiki 2.8.1 on windows machine
Date Thu, 15 Jan 2009 12:57:52 GMT
Hi,
yes, the Authenticated role is built in to jspwiki, but your container must
return something to let jspwiki grant permissions, before jspwiki assigns
the Authenticated role.
My <url-pattern> block is really minimal, only to activate container
authentication; security is then configured in jspwiki.policy.

my web.xml:

   <!-- to have container authentication
   (from http://doc.jspwiki.org/2.4/wiki/Security ):
   When JSPWiki starts up, it parses JSPWiki's web application descriptor
   (WEB-INF/web.xml) and identifies whether certain constraints exist.
   Specifically, it checks to see if a logical role is required to access
   /Delete.jsp and Login.jsp. If you have uncommented the
   <security-constraint> block, this will be true, and JSPWiki will
   conclude that it should use container authentication instead of custom.
   -->

   <security-constraint>
       <web-resource-collection>
           <web-resource-name>Administrative Area</web-resource-name>
           <url-pattern>/Delete.jsp</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>ADMINISTRATORS</role-name>
       </auth-constraint>
   </security-constraint>
      
   <security-constraint>
       <web-resource-collection>
           <web-resource-name>Authenticated area</web-resource-name>
           <url-pattern>/Login.jsp</url-pattern>
       </web-resource-collection>

       <web-resource-collection>
           <web-resource-name>Read-only Area</web-resource-name>
           <http-method>DELETE</http-method>
           <http-method>POST</http-method>
           <http-method>PUT</http-method>
       </web-resource-collection>

       <auth-constraint>
       <role-name>ADMINISTRATORS</role-name>
       <role-name>user</role-name>
       </auth-constraint>

   </security-constraint>

   <login-config>
       <auth-method>FORM</auth-method>
       <form-login-config>
           <form-login-page>/LoginForm.jsp</form-login-page>
           <form-error-page>/LoginForm.jsp</form-error-page>
       </form-login-config>
   </login-config>

   <security-role>
       <description>
           Administrators
       </description>
       <role-name>ADMINISTRATORS</role-name>
   </security-role>
   
   <security-role>
       <description>
           All users
       </description>
       <role-name>user</role-name>
   </security-role>
   
Regards,
Enrico

"TruptiP" <trupti.p27@gmail.com> wrote:
> 
> Hi,
> I tried it out. But this also doesn't work out.
> 
> But the problem is still the same. Even though the user is authenticated,
> the Forbidden message comes.
> 
> I think the Authenticated role is built in to jspwiki, so even though the
> Authenticated group is not present in LDAP it should work. 
> 
> The authentication works as usual for group member addition and
> deletion.
> 
> The problem is only with the pages which we mentioned in the url-pattern of
> web.xml.
> 
> Thanks in advance.
> 
> Regards,
> Trupti Patil
> 
> 
> 
> Enrico Maria Carmona wrote:
>> 
>> Hi!
>> 
>> I have 2.6.x but this may help you
>> 
>> grant a login privilege to the "All" role:
>> 
>> my jspwiki.policy:
>> 
>> grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
>>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
>>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
>>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify";
>> };
>> 
>> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify";
>>     permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>>     permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
>>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
>> };
>> 
>> grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
>>     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
>> };
>> 
>> If you don't have any roles from LDAP you can (trick!) use an LDAP
>> attribute as a role. 
>> I use: userRoleName="objectClass". It returns 'user' as a role.
>> 
>> my server.xml:
>> 
>>     <Realm className="org.apache.catalina.realm.JNDIRealm"
>>            debug="99"
>>            connectionURL="ldap://ldapserver:389"
>>            connectionName="UserCanReadLDAP"
>>            connectionPassword="secret"
>>            referrals="follow"
>>            userBase="CN=Users,DC=example,DC=com"
>>            userSearch="(samaccountname={0})"
>>            userSubtree="true"
>>            roleBase="CN=Users,DC=example,DC=com"
>>            roleName="cn"
>>            roleSearch="(member={0})"
>>            roleSubtree="true"
>>            userRoleName="objectClass"
>>     />
>> 
>> Then map 'user' role in jspwiki (my web.xml):
>> 
>>        <auth-constraint>
>>        <role-name>user</role-name>
>>        </auth-constraint>
>> 
>>    <security-role>
>>        <description>
>>            All users
>>        </description>
>>        <role-name>user</role-name>
>>    </security-role>
>> 
>> So, everyone has a role 'user' and can log in (in my configuration not
>> also)
>> 
>> Hope this helps,
>> 
>> Enrico
>> 
>> ---------
>> "TruptiP" <trupti.p27@gmail.com> wrote:
>> 
>> Hi,
>> 
>> I have installed JSPWiki 2.8.1 on my desktop machine. It works fine when I
>> use the default user database for authentication and authorization.
>> 
>> Now I am using LDAP authentication. I used the specifications below in
>> server.xml
>> 
>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>>        connectionURL="ldap://server:389"
>>        connectionName="uid=admin,ou=Directory Administrators,dc=example,dc=com"
>>        connectionPassword="secret"
>>        userBase="ou=domain,dc=example,dc=com"
>>        userSubtree="true"
>>        userSearch="(uid={0})"
>> />
>> 
>> In web.xml of JSPwiki
>> 
>> <security-constraint>
>> <web-resource-collection>
>> <web-resource-name>Authenticated area</web-resource-name>
>> <url-pattern>/Edit.jsp</url-pattern>
>> <url-pattern>/Comment.jsp</url-pattern>
>> <url-pattern>/Login.jsp</url-pattern>
>> <url-pattern>/NewGroup.jsp</url-pattern>
>> <url-pattern>/Rename.jsp</url-pattern>
>> <url-pattern>/Upload.jsp</url-pattern>
>> <url-pattern>/Delete.jsp</url-pattern>
>> <http-method>DELETE</http-method>
>> <http-method>GET</http-method>
>> <http-method>HEAD</http-method>
>> <http-method>POST</http-method>
>> <http-method>PUT</http-method>
>> </web-resource-collection>
>> 
>> <web-resource-collection>
>> <web-resource-name>Read-only Area</web-resource-name>
>> <url-pattern>/attach</url-pattern>
>> <http-method>DELETE</http-method>
>> <http-method>POST</http-method>
>> <http-method>PUT</http-method>
>> </web-resource-collection>
>> 
>> <auth-constraint>
>> <role-name>Authenticated</role-name>
>> </auth-constraint>
>> 
>> When I log in to jspwiki I get a forbidden page, and after pressing the "back"
>> tab and refreshing, my login is shown as authenticated.... But I am only able to
>> view the pages; when I go to edit the page
>> 
>> G’day (anonymous guest) is displayed in the corner and it does not
>> authenticate me to update the page. I haven't used any ACLs on any page.
>> I have given all authorization to authenticated users.
>> 
>> One more important point is I don't have any groups in LDAP.
>> -- 
>> View this message in context: http://www.nabble.com/LDAP-authentication-problem-for-jspwiki-2.8.1-on-windows-machine-tp21473087p21473087.html
>> Sent from the JspWiki - User mailing list archive at Nabble.com.
> 
> -- 
> View this message in context: http://www.nabble.com/LDAP-authentication-problem-for-jspwiki-2.8.1-on-windows-machine-tp21473087p21475881.html
> Sent from the JspWiki - User mailing list archive at Nabble.com.
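An added check, not part of this thread and not JSPWiki or Tomcat code: the Python script below cross-checks a JNDIRealm definition against a JSPWiki web.xml for the mismatch Enrico describes, a container that authenticates the user but returns no role that satisfies the <auth-constraint>, so Tomcat answers 403 Forbidden right after a successful login. The sample Realm and web.xml strings are constructed, adapted from the configurations quoted in the thread, and the function names are my own. It also applies the rule quoted from the JSPWiki docs (container authentication is detected when a role is required for /Login.jsp and /Delete.jsp) and flags JSPWiki's built-in role names when they are used as container roles, since the realm cannot grant those unless LDAP really returns a role of that name.

```python
"""Cross-check a Tomcat JNDIRealm against JSPWiki's web.xml for the failure in this
thread: the user authenticates, but the realm returns no role that satisfies an
<auth-constraint>, so the container answers 403 Forbidden."""
import re
import xml.etree.ElementTree as ET

# JSPWiki-internal roles (com.ecyrd.jspwiki.auth.authorize.Role). JSPWiki assigns
# these itself; the container's realm knows nothing about them.
JSPWIKI_BUILTIN_ROLES = {"All", "Anonymous", "Asserted", "Authenticated"}

def _parse(xml_text):
    # Drop xmlns declarations and prefixed attributes (xsi:schemaLocation) so plain
    # tag names work whatever schema version the web.xml declares.
    return ET.fromstring(re.sub(r'\s+(xmlns(:\w+)?|\w+:\w+)="[^"]*"', "", xml_text))

def realm_role_sources(server_xml):
    """Which mechanisms the JNDIRealm has for reporting roles to Tomcat."""
    root = _parse(server_xml)
    realm = root if root.tag == "Realm" else root.find(".//Realm")
    if realm is None or realm.get("className") != "org.apache.catalina.realm.JNDIRealm":
        raise ValueError("no JNDIRealm element found")
    return {"user_attribute": realm.get("userRoleName"),        # attribute of the user entry
            "group_search": realm.get("roleSearch") is not None}  # LDAP group lookup

def constrained_roles(web_xml):
    """Role names that some <auth-constraint> requires."""
    return {rn.text.strip() for ac in _parse(web_xml).iter("auth-constraint")
            for rn in ac.findall("role-name")}

def declared_roles(web_xml):
    """Role names declared with <security-role>."""
    return {rn.text.strip() for sr in _parse(web_xml).iter("security-role")
            for rn in sr.findall("role-name")}

def container_auth_detected(web_xml):
    """True when /Login.jsp and /Delete.jsp each sit in a constraint that requires a
    role, the condition the JSPWiki docs quoted in the thread describe."""
    protected = set()
    for sc in _parse(web_xml).iter("security-constraint"):
        ac = sc.find("auth-constraint")
        if ac is not None and ac.findall("role-name"):
            protected.update(up.text.strip() for up in sc.iter("url-pattern"))
    return {"/Login.jsp", "/Delete.jsp"} <= protected

def audit(web_xml, server_xml):
    """Return findings as strings; an empty list means the pair is consistent."""
    findings, sources = [], realm_role_sources(server_xml)
    required = constrained_roles(web_xml)
    if required and not (sources["user_attribute"] or sources["group_search"]):
        findings.append("realm has neither roleSearch nor userRoleName, so it returns "
                        "no roles; every <auth-constraint> ends in 403 Forbidden")
    for role in sorted(required & JSPWIKI_BUILTIN_ROLES):
        findings.append(f"'{role}' is a JSPWiki-internal role; the container can only "
                        f"grant it if LDAP actually yields a role named '{role}'")
    for role in sorted(required - declared_roles(web_xml)):
        findings.append(f"'{role}' is required by an <auth-constraint> but not "
                        "declared in a <security-role>")
    if not container_auth_detected(web_xml):
        findings.append("/Login.jsp and /Delete.jsp are not both role-protected; "
                        "JSPWiki will use its own custom authentication instead")
    return findings

# Constructed samples, adapted from the configurations quoted in the thread.
THREAD_SERVER_XML = """<Realm className="org.apache.catalina.realm.JNDIRealm"
  connectionURL="ldap://server:389" connectionPassword="secret"
  connectionName="uid=admin,ou=Directory Administrators,dc=example,dc=com"
  userBase="ou=domain,dc=example,dc=com" userSubtree="true" userSearch="(uid={0})" />"""

THREAD_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><web-resource-name>Authenticated area</web-resource-name>
      <url-pattern>/Edit.jsp</url-pattern><url-pattern>/Login.jsp</url-pattern>
      <url-pattern>/Delete.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Authenticated</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

FIXED_SERVER_XML = """<Realm className="org.apache.catalina.realm.JNDIRealm"
  connectionURL="ldap://ldapserver:389" connectionName="UserCanReadLDAP"
  connectionPassword="secret" userBase="CN=Users,DC=example,DC=com"
  userSearch="(samaccountname={0})" userSubtree="true"
  roleBase="CN=Users,DC=example,DC=com" roleName="cn" roleSearch="(member={0})"
  roleSubtree="true" userRoleName="objectClass" />"""

FIXED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><web-resource-name>Administrative Area</web-resource-name>
      <url-pattern>/Delete.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name>ADMINISTRATORS</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Authenticated area</web-resource-name>
      <url-pattern>/Login.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name>ADMINISTRATORS</role-name><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>ADMINISTRATORS</role-name></security-role>
  <security-role><role-name>user</role-name></security-role>
</web-app>"""
```

Calling `audit(THREAD_WEB_XML, THREAD_SERVER_XML)` on the original pair reports that the realm has no role source and that 'Authenticated' is a JSPWiki-internal role the container cannot grant, which is exactly why the login succeeds while the constrained pages still answer Forbidden; the adapted pair with userRoleName and a declared 'user' role returns no findings. Bear in mind that userRoleName="objectClass" hands the role to every entry carrying that object class, so it only decides who may reach the constrained JSPs and the real authorization still rests on jspwiki.policy.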

