jspwiki-user mailing list archives

From Dirk Frederickx <dirk.frederi...@gmail.com>
Subject Re: How to hide content for some users
Date Tue, 03 Jul 2012 19:54:12 GMT
Did you check the standard If-plugin?
http://www.jspwiki.org/wiki/IfPlugin

dirk


On Tue, Jul 3, 2012 at 1:25 PM, Rösch, Christian <
Christian.Roesch@icongmbh.de> wrote:

> Hello Foster,
>
> yes that seems to be what I'm looking for.
> So does it work already with JSPWiki 2.8?
>
> If not I'll have a look at it and see if I could adapt it to the newest
> version of JSPWiki.
>
>
>
> --
> Christian Rösch                http://www.icongmbh.de
> Application Development
> icon Systemhaus GmbH           Tel. +49(711)806098-0
> Sophienstraße 40
> 70178 Stuttgart                Fax. +49(711)806098-299
>
> Managing Director: Uwe Seltmann
> HRB Stuttgart 17655
> VAT ID: DE 811944121
>
> +++++++++++++++++++++++++++++++++++++++++
> icon Events: www.icongmbh.de/events.html
> +++++++++++++++++++++++++++++++++++++++++
>
>
> -----Original Message-----
> From: Foster Schucker [mailto:Foster@Schucker.org]
> Sent: Tuesday, 3 July 2012 13:09
> To: jspwiki-user@incubator.apache.org
> Subject: Re: How to hide content for some users
>
> I had written a plugin that would allow partial page displays to be shown,
> I think this is what you are looking for.
>
> If it is, let me know and I'll mail you the code.  It's for a very old
> version of JSPWiki, when the base went off on a different direction for
> page auth it was too hard to fit into the new scheme.
>
> Foster
>
> --------
> AuthPlugin
>
> The purpose of the Auth Plugin is to allow page level security for 2.0.x
> JSPWiki. It is an Authorization plugin, it uses Container Managed Security <
> http://localhost:8080/schucker/Wiki.jsp?page=ContainerManagedSecurity>
> to perform the Authentication (and to help control access to some of the
> JSP files) (Also see Auth Plugin Detail
> <http://localhost:8080/schucker/Wiki.jsp?page=AuthPluginDetail>) (The
> Auth Test <http://localhost:8080/schucker/Wiki.jsp?page=AuthTest> page
> has some samples)
>
> [{Auth allow='admin' deny='Janne' edit='editor'}]
>
>
>         Parameters
>
> *allow* (optional)[1]
> <http://localhost:8080/schucker/Wiki.jsp?page=AuthPlugin#ref-AuthPlugin-1>
>     a list of user names and/or roles that have access to this page[1]
>     <
> http://localhost:8080/schucker/Wiki.jsp?page=AuthPlugin#ref-AuthPlugin-1>.
>
>
> *deny* (optional)
>     a list of user names and/or roles that should be denied access to
>     this page
>
> *edit* (optional)
>     a list of user names and/or roles that have edit access to this page
>
> In the example given, everyone in the admin group has access, except for
> Janne and those people that have the 'editor' role can edit this page.
>
> ------------------------------------------------------------------------
>
>
>         How to use it
>
> There are two different ways to use Auth. First is to control the
> viewing of a block of text inside of a page:
>
> Everyone will see this text
> [{Auth allow='editor'
>
> Only those people with ''editor'' roles will see this text
> }]
> This text will also be seen by everyone.
>
> Only the text inside the body of the Auth plugin is controlled. The
> plugin can be used any number of times on a page. (Plugins can be
> nested, so you can do:
>
> Everyone will see this text
> [{Auth allow='editor'
>
> Only those people with ''editor'' roles will see this text
> [{Auth allow='admin'
>
> Only those people with ''editor'' and ''admin'' roles will see this text
> }]
> Only ''editors'' will see this line
> }]
> This text will also be seen by everyone.
>
> (A common error is not having the blank line after the Auth plugin and
> not having matched plugin closes)
>
> The second way is to control access to the entire page.
>
> [{Auth allow='ATeam' deny='BA' edit='ATeam'}]
>
> Plane trip for next week is on, I love it when a plan comes together!
>
> Everyone on the ATeam except for BA can see this page, and all of the
> ATeam can edit this page.
> ------------------------------------------------------------------------
>
>
>         How it works
>
> Auth Plugin -- Simply it takes the parameters passed and looks in the
> user and role list to see if they match[2]
> <http://localhost:8080/schucker/Wiki.jsp?page=AuthPlugin#ref-AuthPlugin-2
> >:
>
> if (checkthisguy.equalsIgnoreCase(request.getRemoteUser())) {..}
> if (request.isUserInRole(checkthisguy)) {..}
>
> If there is not a match for the allow an AssertionError("Not allowed to
> see this page") is thrown. This error is caught by the upper most layer
> of the container, and it will produce an error page with this message on
> it. (Tested with Resin and Weblogic, your container may or may not work)
>
> If the user is allowed to view the page then an entry is also made in
> the session variable *pageview*. A similar entry is made in *pageedit*
> if they can edit the page.
>
> In most cases the user will not be able to click on the /Edit this page/
> link since if they can't see the page, they are looking at an error page
> that does not have a link on it.
>
> While */Security through Obscurity/* works for some, some users may
> elect to put the entire URL in by hand. To protect against this you will
> need to edit your Edit.jsp file to check and see if they are allowed to
> edit this file. And while you are at it, you should also change the
> Diff.jsp and PageInfo.jsp files.
>
> Finally, things like Recent Changes will still find the /hidden/ pages
> for a user. This means that they will know there is a page called
> *TopSecretPlans* even though they can't view it. If this is a concern to
> you, you can do one of two things:
>
>  1. Call your /hidden/ pages something like *Hidden_TopSecretPlans* and
>     change your Recent Changes to ignore files that start with Hidden_.
>  2. Use the new 2.1 Wiki with the full featured Authorization And
>     Authentication.
>
> ------------------------------------------------------------------------
>
>
>         Disclaimer
>
> This is how I do it, you may not get it to work without some (high)
> level of effort on your part. I can try to help you, but plan to spend
> some time, this is not just a plugin you can drop in and use --
> FosterSchucker
> <http://localhost:8080/schucker/Wiki.jsp?page=FosterSchucker>
> ------------------------------------------------------------------------
>
>
>         3 August 2004
>
> I've uploaded a new version that fixes a bug if there are many roles in
> the list. I've also made it a static method and moved all of the null
> checking, wildcards, etc. into the method *userInList*. This allows Auth
> to be safely called from other places (like tags, pages, etc.)
>
> I've uploaded the source to the Auth plugin and the source for AuthTag,
> if you want a compiled version (jar file) let me know.
>
> New exposed method
>
> public static boolean userInList(HttpServletRequest request, String
> accesslist, String username)
>
> sample call
>
> if (Auth.userInList(request,"editor,admin,superuser",null)) { ... }
>
> Will check to see if this user is in any of those roles.
>
> TLD for AuthTag
>
>    <tag>
>      <name>Auth</name>
>      <tagclass>com.ecyrd.jspwiki.tags.AuthTag</tagclass>
>      <bodycontent>JSP</bodycontent>
>      <attribute>
>         <name>allow</name>
>         <required>false</required>
>      </attribute>
>      <attribute>
>         <name>deny</name>
>         <required>false</required>
>      </attribute>
>    </tag>
>
> ------------------------------------------------------------------------
> [#1]The default in the code is to deny access to a page by default.
> While the allow parameter is not /required/ it's a good idea to have it
> in there, you can make a page that no user can see.
> [#2]The site Administrator is still responsible for putting the user,
> password and role(s) into the system.
>
> Category Third Party Plugin
> <http://localhost:8080/schucker/Wiki.jsp?page=CategoryThirdPartyPlugin>
>
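
The allow/deny check that the quoted AuthPlugin page describes, as an added Java example that is not Foster's plugin source and not part of this thread. It assumes deny overrides allow, a missing allow list denies everyone (footnote 1), and editing also requires view access; `Caller` is a hypothetical stand-in for the two `HttpServletRequest` calls, and the wildcards the post mentions are left out because their syntax is not shown.

```java
import java.util.Set;
class AuthCheckDemo {
    /** Hypothetical stand-in for the two HttpServletRequest calls the post relies on. */
    interface Caller {
        String getRemoteUser();
        boolean isUserInRole(String role);
    }

    /** True if the user name (case-insensitive) or any role matches an entry of the comma-separated list. */
    static boolean userInList(Caller c, String accessList) {
        if (c == null || accessList == null) return false;    // a missing list matches nobody
        for (String entry : accessList.split(",")) {
            String e = entry.trim();
            if (e.isEmpty()) continue;
            if (e.equalsIgnoreCase(c.getRemoteUser()) || c.isUserInRole(e)) return true;
        }
        return false;
    }

    /** Default deny: view needs a match in allow and no match in deny (assumed precedence). */
    static boolean canView(Caller c, String allow, String deny) {
        return !userInList(c, deny) && userInList(c, allow);
    }

    /** Assumption: editing requires view access plus a match in the edit list. */
    static boolean canEdit(Caller c, String allow, String deny, String edit) {
        return canView(c, allow, deny) && userInList(c, edit);
    }

    static Caller caller(String user, String... roles) {
        Set<String> held = Set.of(roles);
        return new Caller() {
            public String getRemoteUser() { return user; }
            public boolean isUserInRole(String role) { return held.contains(role); }
        };
    }

    public static void main(String[] args) {
        // Constructed callers for the page's example: allow='ATeam' deny='BA' edit='ATeam'
        String allow = "ATeam", deny = "BA", edit = "ATeam";
        Caller member = caller("Hannibal", "ATeam");
        Caller denied = caller("ba", "ATeam");   // in the allowed role, but named in deny
        Caller anonymous = caller(null);         // null user name never matches by name
        System.out.println("member view/edit: " + canView(member, allow, deny) + "/" + canEdit(member, allow, deny, edit));
        System.out.println("denied view/edit: " + canView(denied, allow, deny) + "/" + canEdit(denied, allow, deny, edit));
        System.out.println("anonymous view:   " + canView(anonymous, allow, deny));
        System.out.println("no allow list:    " + canView(member, null, null));
    }
}
```

Calling the same decision function from the edit, diff and page-info entry points, rather than only when the view is rendered, is what covers the hand-typed URL case the page raises for Edit.jsp, Diff.jsp and PageInfo.jsp.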
