Posted to user@jspwiki.apache.org by Bhavani <bh...@yahoo.com> on 2009/04/09 22:44:23 UTC

Allow tag does not restrict access

HI,

We recently started implementing jspwiki. JAAS security is enabled and everything works fine. But I am not able to control access to page edits using the allow tag. Also everyone is able to edit the admin group. Even people who are not members of the group can edit the group. So please help me with the following questions.

1. What am I missing that the allow tag is not working as it should be ?
2. Is there a way to control non-members from editing the groups?

-Bhavani




      

Re: Allow tag does not restrict access

Posted by Bhavani <bh...@yahoo.com>.
Hi,

Any ideas on how to solve this issue? If you need more information, please let me know.

-Bhavani



      

Re: Allow tag does not restrict access

Posted by Bhavani <bh...@yahoo.com>.
Here is what I have changed:

------------------------------------------------------
jspwiki.policy: Commented out all the permissions for All, Anonymous and Asserted roles and just kept the Admin and Authenticated roles.

grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
};

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
};

grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};

------------------------------------------------------
jspwiki.properties: Using a custom login module and enabled JAAS security:

jspwiki.loginModule.class =com.ecyrd.jspwiki.auth.login.UserDatabaseLoginModule
jspwiki.security =jaas
------------------------------------------------------
web.xml: Added a filter and mappings for authenticating using SSO

   <filter>
      <filter-name>AuthenticationFilter</filter-name>
      <filter-class>com.hgst.wiki.sso.SSOAuthenticationFilter</filter-class>
    <init-param>
        <param-name>redirectUrl</param-name>
        <param-value>/sso/wiki</param-value>
    </init-param>
    <init-param>
        <param-name>logoutUrl</param-name>
        <param-value>/portal/site/hiwire/template.LOGOUT/action.process/</param-value>
    </init-param>
    <init-param>
        <param-name>hiwireUrl</param-name>
        <param-value>/portal/site/hiwire</param-value>
    </init-param>
   </filter>

   <filter-mapping >
       <filter-name>AuthenticationFilter</filter-name>
       <url-pattern>/*</url-pattern>
       <dispatcher>REQUEST</dispatcher>
       <dispatcher>FORWARD</dispatcher>
   </filter-mapping>
------------------------------------------------------

The page I am trying to view has the following content:
[{ALLOW view Administrator}]
[{ALLOW edit Administrator}]
This is a wiki admin group.
------------------------------------------------------

Pls let me know if you need any other info.

-Bhavani
--- On Fri, 4/10/09, Janne Jalkanen <ja...@ecyrd.com> wrote:
From: Janne Jalkanen <ja...@ecyrd.com>
Subject: Re: Allow tag does not restrict access
To: jspwiki-user@incubator.apache.org
Date: Friday, April 10, 2009, 1:14 PM

Can you please provide more information about your configuration?   
What did you change from the stock setup?

/Janne





      

Re: Allow tag does not restrict access

Posted by Janne Jalkanen <ja...@ecyrd.com>.
Can you please provide more information about your configuration?   
What did you change from the stock setup?

/Janne

On 10 Apr 2009, at 00:13, Bhavani wrote:

> We are using version 2.8.1
>
> -Bhavani
>
>
>


Re: Allow tag does not restrict access

Posted by Bhavani <bh...@yahoo.com>.
We are using version 2.8.1

-Bhavani



      

Re: Allow tag does not restrict access

Posted by Janne Jalkanen <ja...@ecyrd.com>.

Which version of JSPWiki do you use?

/Janne

On 9 Apr 2009, at 23:44, Bhavani wrote:

> HI,
>
> We recently started implementing jspwiki. JAAS security is enabled  
> and everything works fine. But I am not able to control access to  
> page edits using the allow tag. Also everyone is able to edit the  
> admin group. Even people who are not members of the group can edit  
> the group. So please help me with the following questions.
>
> 1. What am I missing that the allow tag is not working as it should  
> be ?
> 2. Is there a way to control non-members from editing the groups?
>
> -Bhavani
>
>
>
>


RE: Allow tag does not restrict access

Posted by "Carlson, Eric R" <er...@kroger.com>.
Harry,

        The page is very simple.  Here it is :

-----------------------------

[{ALLOW view #955203}]
[{ALLOW edit #955203}]

Only #955203 should be allowed to view or edit this page.

----------------------------------

        I realize the view and edit are sort of redundant, but I figured it should still work.

                                                Eric R. Carlson
                                                        Eric.Carlson@kroger.com
                                                        (513)-387-7739


-----Original Message-----
From: Harry Metske [mailto:harry.metske@gmail.com]
Sent: Friday, April 10, 2009 12:54 PM
To: jspwiki-user@incubator.apache.org
Subject: Re: Allow tag does not restrict access

Eric,Bhavani,

could you also paste the relevant parts of the page you try to protect ?
So basically the ALLOW tag you are using .

Harry

2009/4/10 Carlson, Eric R <er...@kroger.com>

> I've been having the exact same problem, and haven't been making any
> headway on it, so I've gone over the FAQ to see if I can find the cause.
>
> First, I'm running JSPWiki 2.8.1.
>
> I have two user-ids I can access.   One is defined as an administrator, the
> second one isn't.  I was able to verify this by logging on to both of them,
> going into 'My Prefs', and clicking on the 'Profile' tab.  UserA shows :
> Roles - All, Authenticated; Groups - None.   UserB shows : Roles - All,
> Authenticated; Groups - Admin.
>
> I am not currently able to run the SecurityConfig.jsp application (see my
> other message), so I can't include the output here.
>
> I have enabled the security log, and set the logging level to DEBUG.
> While I see messages in the log each time I log in, I don't see any sort of
> messages in the security when I access a new page.  I'm not sure if I should
> expect to see such messages, but the FAQ says to check the security log, and
> I don't see anything there, other than logon messages.
>
> I've also cleared all cookies and temporary internet files, and still get
> the same problem.
>
> Here's what I have configured in jspwiki.policy :
>
> --------------------------------
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
> "view";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editPreferences";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editProfile"
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "login";
>  };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
> };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
> };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
> "modify,rename";
>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*",
> "view";
>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:<groupmember>", "edit";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "createPages,createGroups";
>  };
>
> grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> };
>
> -------------------------------
>
>                                                Eric R. Carlson
>
> Eric.Carlson@kroger.com
>
> -----Original Message-----
> From: Harry Metske [mailto:harry.metske@gmail.com]
> Sent: Friday, April 10, 2009 4:23 AM
> To: jspwiki-user@incubator.apache.org; bhanu0608@yahoo.com
> Subject: Re: Allow tag does not restrict access
>
> Since we get quite a few of these questions, I started a FAQ on
> Authorization:
>
> http://www.jspwiki.org/wiki/FAQAuthorization
>
> feel free to add content........
>
> Harry
>
> 2009/4/9 Bhavani <bh...@yahoo.com>
>
> > HI,
> >
> > We recently started implementing jspwiki. JAAS security is enabled and
> > everything works fine. But I am not able to control access to page edits
> > using the allow tag. Also everyone is able to edit the admin group. Even
> > people who are not members of the group can edit the group. So please
> help
> > me with the following questions.
> >
> > 1. What am I missing that the allow tag is not working as it should be ?
> > 2. Is there a way to control non-members from editing the groups?
> >
> > -Bhavani
> >
> >
> >
> >
> >
>

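An added example, not part of the thread and not JSPWiki code: a small Python audit of a jspwiki.policy file that lists what each principal is granted and flags permission entries that lack the terminating semicolon required by the Java policy file syntax. The sample text is constructed from the grant blocks quoted in the message above with mail wrapping and quote markers removed; `audit_policy`, `principal_of` and `principals_granted` are hypothetical names, and the thread does not establish whether such a finding explains the reported behaviour.

```python
import re

# Constructed sample: the grant blocks quoted in the message above, with the
# mail client's line wrapping and quote markers removed.
SAMPLE_POLICY = '''
grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile"
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
};
grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
'''

TOKEN = re.compile(r'''
    //[^\n]*            |   # line comment
    /\*.*?\*/           |   # block comment
    "(?:[^"\\]|\\.)*"   |   # quoted string
    [{};,]              |   # punctuation
    [^\s{};,"]+             # bare word (keyword or class name)
''', re.S | re.X)


def principal_of(header):
    """Short label for a grant header, e.g. 'Role All'."""
    for k, tok in enumerate(header):
        if tok.lower() == "principal" and k + 2 < len(header):
            return header[k + 1].rsplit(".", 1)[-1] + " " + header[k + 2].strip('"')
    return " ".join(header) or "(no principal)"


def audit_policy(text):
    """Return (grants, findings): grants maps a principal label to a list of
    (permission class, target, actions) tuples; findings is a list of
    (line number, message) for syntax problems."""
    toks = [(m.group(), text.count("\n", 0, m.start()) + 1)
            for m in TOKEN.finditer(text)
            if not m.group().startswith(("//", "/*"))]
    grants, findings = {}, []
    i, n = 0, len(toks)
    while i < n:
        if toks[i][0].lower() != "grant":
            i += 1                      # keystore lines etc. are out of scope here
            continue
        i += 1
        header = []
        while i < n and toks[i][0] != "{":
            header.append(toks[i][0])
            i += 1
        entries = grants.setdefault(principal_of(header), [])
        i += 1                          # skip "{"
        while i < n and toks[i][0] != "}":
            word, line = toks[i]
            i += 1
            if word.lower() != "permission":
                findings.append((line, "unexpected token %r in grant block" % word))
                continue
            fields = []
            while (i < n and toks[i][0] not in (";", "}")
                   and toks[i][0].lower() != "permission"):
                if toks[i][0] != ",":
                    fields.append(toks[i][0].strip('"'))
                i += 1
            if fields:
                fields[0] = fields[0].rsplit(".", 1)[-1]   # short class name
            entries.append(tuple(fields))
            if i < n and toks[i][0] == ";":
                i += 1
            else:
                findings.append((line, "permission entry not terminated by ';'"))
        i += 1                          # skip "}"
        if i < n and toks[i][0] == ";":
            i += 1
        else:
            findings.append((toks[min(i, n) - 1][1], "grant block not terminated by ';'"))
    return grants, findings


def principals_granted(grants, perm_class, action):
    """Principals with a literal grant of `action` on `perm_class`.
    No implication logic (e.g. AllPermission) is applied."""
    return sorted(p for p, entries in grants.items()
                  if any(len(e) > 2 and e[0] == perm_class
                         and action in e[2].split(",") for e in entries))


if __name__ == "__main__":
    grants, findings = audit_policy(SAMPLE_POLICY)
    for line, msg in findings:
        print("line %d: %s" % (line, msg))
    for principal, entries in grants.items():
        print(principal, "->", entries)
    print("modify on pages:", principals_granted(grants, "PagePermission", "modify"))
```
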

Re: Allow tag does not restrict access

Posted by Harry Metske <ha...@gmail.com>.
Eric,Bhavani,

could you also paste the relevant parts of the page you try to protect ?
So basically the ALLOW tag you are using .

Harry

2009/4/10 Carlson, Eric R <er...@kroger.com>

> I've been having the exact same problem, and haven't been making any
> headway on it, so I've gone over the FAQ to see if I can find the cause.
>
> First, I'm running JSPWiki 2.8.1.
>
> I have two user-ids I can access.   One is defined as an administrator, the
> second one isn't.  I was able to verify this by logging on to both of them,
> going into 'My Prefs', and clicking on the 'Profile' tab.  UserA shows :
> Roles - All, Authenticated; Groups - None.   UserB shows : Roles - All,
> Authenticated; Groups - Admin.
>
> I am not currently able to run the SecurityConfig.jsp application (see my
> other message), so I can't include the output here.
>
> I have enabled the security log, and set the logging level to DEBUG.
> While I see messages in the log each time I log in, I don't see any sort of
> messages in the security when I access a new page.  I'm not sure if I should
> expect to see such messages, but the FAQ says to check the security log, and
> I don't see anything there, other than logon messages.
>
> I've also cleared all cookies and temporary internet files, and still get
> the same problem.
>
> Here's what I have configured in jspwiki.policy :
>
> --------------------------------
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
> "view";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editPreferences";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editProfile"
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "login";
>  };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
> };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
> };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
> "modify,rename";
>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*",
> "view";
>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:<groupmember>", "edit";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "createPages,createGroups";
>  };
>
> grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> };
>
> -------------------------------
>
>                                                Eric R. Carlson
>
> Eric.Carlson@kroger.com
>
> -----Original Message-----
> From: Harry Metske [mailto:harry.metske@gmail.com]
> Sent: Friday, April 10, 2009 4:23 AM
> To: jspwiki-user@incubator.apache.org; bhanu0608@yahoo.com
> Subject: Re: Allow tag does not restrict access
>
> Since we get quite a few of these questions, I started a FAQ on
> Authorization:
>
> http://www.jspwiki.org/wiki/FAQAuthorization
>
> feel free to add content........
>
> Harry
>
> 2009/4/9 Bhavani <bh...@yahoo.com>
>
> > HI,
> >
> > We recently started implementing jspwiki. JAAS security is enabled and
> > everything works fine. But I am not able to control access to page edits
> > using the allow tag. Also everyone is able to edit the admin group. Even
> > people who are not members of the group can edit the group. So please
> help
> > me with the following questions.
> >
> > 1. What am I missing that the allow tag is not working as it should be ?
> > 2. Is there a way to control non-members from editing the groups?
> >
> > -Bhavani
> >
> >
> >
> >
> >
>

Re: Allow tag does not restrict access

Posted by Janne Jalkanen <Ja...@ecyrd.com>.
I was just waiting to see if the problems that had cropped up were  
real or my deployment issues.  I guess it could be launched.

/Janne

On Apr 13, 2009, at 22:41 , Harry Metske wrote:

> Well,
>
> you can find it here :
> http://www.ecyrd.com/~jalkanen/JSPWiki/2.8.2/JSPWiki-2.8.2-bin.zip
>
> Actually, we don't have a link to this on our Download page,  
> shouldn't it be
> there ?
>
> Harry
>
> 2009/4/10 Carlson, Eric R <er...@kroger.com>
>
>> Andrew,
>>
>>       I guess I'm confused - I'm running version 2.8.1, which I  
>> thought is
>> the same version that has been out there since release...  The  
>> download page
>> says it dates from 21-Nov-2008.   Are you referring to a different  
>> version,
>> version 3?
>>
>>                                               Eric R. Carlson
>>
>> Eric.Carlson@kroger.com
>>                                                        (513)-387-7739
>>
>>
>> -----Original Message-----
>> From: Andrew Jaquith [mailto:andrew.r.jaquith@gmail.com]
>> Sent: Friday, April 10, 2009 12:49 PM
>> To: jspwiki-user@incubator.apache.org
>> Subject: Re: Allow tag does not restrict access
>>
>> Eric -- you've provided me with enough information to try to verify
>> your issue. I'll try to do that over the next few days.
>>
>> In the meantime, could you try the latest nightly build, and see if  
>> it
>> produces different results?
>>
>> Regards, Andrew
>>
>> On Fri, Apr 10, 2009 at 10:35 AM, Carlson, Eric R
>> <er...@kroger.com> wrote:
>>> I've been having the exact same problem, and haven't been making any
>> headway on it, so I've gone over the FAQ to see if I can find the  
>> cause.
>>>
>>> First, I'm running JSPWiki 2.8.1.
>>>
>>> I have two user-ids I can access.   One is defined as an  
>>> administrator,
>> the second one isn't.  I was able to verify this by logging on to  
>> both of
>> them, going into 'My Prefs', and clicking on the 'Profile' tab.   
>> UserA shows
>> : Roles - All, Authenticated; Groups - None.   UserB shows : Roles  
>> - All,
>> Authenticated; Groups - Admin.
>>>
>>> I am not currently able to run the SecurityConfig.jsp application  
>>> (see my
>> other message), so I can't include the output here.
>>>
>>> I have enabled the security log, and set the logging level to DEBUG.
>> While I see messages in the log each time I log in, I don't see any  
>> sort of
>> messages in the security when I access a new page.  I'm not sure if  
>> I should
>> expect to see such messages, but the FAQ says to check the security  
>> log, and
>> I don't see anything there, other than logon messages.
>>>
>>> I've also cleared all cookies and temporary internet files, and  
>>> still get
>> the same problem.
>>>
>>> Here's what I have configured in jspwiki.policy :
>>>
>>> --------------------------------
>>>
>>> grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
>>>   permission com.ecyrd.jspwiki.auth.permissions.PagePermission  
>>> "*:*",
>> "view";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editPreferences";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editProfile"
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "login";
>>> };
>>>
>>> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
>>> };
>>>
>>> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
>>> };
>>>
>>> grant principal com.ecyrd.jspwiki.auth.authorize.Role  
>>> "Authenticated" {
>>>   permission com.ecyrd.jspwiki.auth.permissions.PagePermission  
>>> "*:*",
>> "modify,rename";
>>>   permission com.ecyrd.jspwiki.auth.permissions.GroupPermission  
>>> "*:*",
>> "view";
>>>   permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:<groupmember>", "edit";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "createPages,createGroups";
>>> };
>>>
>>> grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
>>>   permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
>>> };
>>>
>>> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
>>>   permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
>>> };
>>>
>>> -------------------------------
>>>
>>>                                               Eric R. Carlson
>>>
>> Eric.Carlson@kroger.com
>>>
>>> -----Original Message-----
>>> From: Harry Metske [mailto:harry.metske@gmail.com]
>>> Sent: Friday, April 10, 2009 4:23 AM
>>> To: jspwiki-user@incubator.apache.org; bhanu0608@yahoo.com
>>> Subject: Re: Allow tag does not restrict access
>>>
>>> Since we get quite a few of these questions, I started a FAQ on
>>> Authorization:
>>>
>>> http://www.jspwiki.org/wiki/FAQAuthorization
>>>
>>> feel free to add content........
>>>
>>> Harry
>>>
>>> 2009/4/9 Bhavani <bh...@yahoo.com>
>>>
>>>> HI,
>>>>
>>>> We recently started implementing jspwiki. JAAS security is  
>>>> enabled and
>>>> everything works fine. But I am not able to control access to  
>>>> page edits
>>>> using the allow tag. Also everyone is able to edit the admin  
>>>> group. Even
>>>> people who are not members of the group can edit the group. So  
>>>> please
>> help
>>>> me with the following questions.
>>>>
>>>> 1. What am I missing that the allow tag is not working as it  
>>>> should be ?
>>>> 2. Is there a way to control non-members from editing the groups?
>>>>
>>>> -Bhavani
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>


Re: Allow tag does not restrict access

Posted by Harry Metske <ha...@gmail.com>.
Well,

you can find it here :
http://www.ecyrd.com/~jalkanen/JSPWiki/2.8.2/JSPWiki-2.8.2-bin.zip

Actually, we don't have a link to this on our Download page, shouldn't it be
there ?

Harry

2009/4/10 Carlson, Eric R <er...@kroger.com>

> Andrew,
>
>        I guess I'm confused - I'm running version 2.8.1, which I thought is
> the same version that has been out there since release...  The download page
> says it dates from 21-Nov-2008.   Are you referring to a different version,
> version 3?
>
>                                                Eric R. Carlson
>
> Eric.Carlson@kroger.com
>                                                         (513)-387-7739
>
>
> -----Original Message-----
> From: Andrew Jaquith [mailto:andrew.r.jaquith@gmail.com]
> Sent: Friday, April 10, 2009 12:49 PM
> To: jspwiki-user@incubator.apache.org
> Subject: Re: Allow tag does not restrict access
>
> Eric -- you've provided me with enough information to try to verify
> your issue. I'll try to do that over the next few days.
>
> In the meantime, could you try the latest nightly build, and see if it
> produces different results?
>
> Regards, Andrew
>
> On Fri, Apr 10, 2009 at 10:35 AM, Carlson, Eric R
> <er...@kroger.com> wrote:
> > I've been having the exact same problem, and haven't been making any
> headway on it, so I've gone over the FAQ to see if I can find the cause.
> >
> > First, I'm running JSPWiki 2.8.1.
> >
> > I have two user-ids I can access.   One is defined as an administrator,
> the second one isn't.  I was able to verify this by logging on to both of
> them, going into 'My Prefs', and clicking on the 'Profile' tab.  UserA shows
> : Roles - All, Authenticated; Groups - None.   UserB shows : Roles - All,
> Authenticated; Groups - Admin.
> >
> > I am not currently able to run the SecurityConfig.jsp application (see my
> other message), so I can't include the output here.
> >
> > I have enabled the security log, and set the logging level to DEBUG.
> While I see messages in the log each time I log in, I don't see any sort of
> messages in the security when I access a new page.  I'm not sure if I should
> expect to see such messages, but the FAQ says to check the security log, and
> I don't see anything there, other than logon messages.
> >
> > I've also cleared all cookies and temporary internet files, and still get
> the same problem.
> >
> > Here's what I have configured in jspwiki.policy :
> >
> > --------------------------------
> >
> > grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
> >    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
> "view";
> >    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editPreferences";
> >    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editProfile"
> >    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "login";
> >  };
> >
> > grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
> > };
> >
> > grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
> > };
> >
> > grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
> >    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
> "modify,rename";
> >    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*",
> "view";
> >    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:<groupmember>", "edit";
> >    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "createPages,createGroups";
> >  };
> >
> > grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
> >    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> > };
> >
> > grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
> >    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> > };
> >
> > -------------------------------
> >
> >                                                Eric R. Carlson
> >
> Eric.Carlson@kroger.com
> >
> > -----Original Message-----
> > From: Harry Metske [mailto:harry.metske@gmail.com]
> > Sent: Friday, April 10, 2009 4:23 AM
> > To: jspwiki-user@incubator.apache.org; bhanu0608@yahoo.com
> > Subject: Re: Allow tag does not restrict access
> >
> > Since we get quite a few of these questions, I started a FAQ on
> > Authorization:
> >
> > http://www.jspwiki.org/wiki/FAQAuthorization
> >
> > feel free to add content........
> >
> > Harry
> >
> > 2009/4/9 Bhavani <bh...@yahoo.com>
> >
> >> HI,
> >>
> >> We recently started implementing jspwiki. JAAS security is enabled and
> >> everything works fine. But I am not able to control access to page edits
> >> using the allow tag. Also everyone is able to edit the admin group. Even
> >> people who are not members of the group can edit the group. So please
> help
> >> me with the following questions.
> >>
> >> 1. What am I missing that the allow tag is not working as it should be ?
> >> 2. Is there a way to control non-members from editing the groups?
> >>
> >> -Bhavani
> >>
> >>
> >>
> >>
> >>
> >
> >
>

RE: Allow tag does not restrict access

Posted by "Carlson, Eric R" <er...@kroger.com>.
Andrew,

        I guess I'm confused - I'm running version 2.8.1, which I thought is the same version that has been out there since release...  The download page says it dates from 21-Nov-2008.   Are you referring to a different version, version 3?

                                                Eric R. Carlson
                                                        Eric.Carlson@kroger.com
                                                        (513)-387-7739


-----Original Message-----
From: Andrew Jaquith [mailto:andrew.r.jaquith@gmail.com]
Sent: Friday, April 10, 2009 12:49 PM
To: jspwiki-user@incubator.apache.org
Subject: Re: Allow tag does not restrict access

Eric -- you've provided me with enough information to try to verify
your issue. I'll try to do that over the next few days.

In the meantime, could you try the latest nightly build, and see if it
produces different results?

Regards, Andrew

On Fri, Apr 10, 2009 at 10:35 AM, Carlson, Eric R
<er...@kroger.com> wrote:
> I've been having the exact same problem, and haven't been making any headway on it, so I've gone over the FAQ to see if I can find the cause.
>
> First, I'm running JSPWiki 2.8.1.
>
> I have two user-ids I can access.   One is defined as an administrator, the second one isn't.  I was able to verify this by logging on to both of them, going into 'My Prefs', and clicking on the 'Profile' tab.  UserA shows : Roles - All, Authenticated; Groups - None.   UserB shows : Roles - All, Authenticated; Groups - Admin.
>
> I am not currently able to run the SecurityConfig.jsp application (see my other message), so I can't include the output here.
>
> I have enabled the security log, and set the logging level to DEBUG.   While I see messages in the log each time I log in, I don't see any sort of messages in the security when I access a new page.  I'm not sure if I should expect to see such messages, but the FAQ says to check the security log, and I don't see anything there, other than logon messages.
>
> I've also cleared all cookies and temporary internet files, and still get the same problem.
>
> Here's what I have configured in jspwiki.policy :
>
> --------------------------------
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile"
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
>  };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
> };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
> };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
>  };
>
> grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> };
>
> -------------------------------
>
>                                                Eric R. Carlson
>                                                        Eric.Carlson@kroger.com
>
> -----Original Message-----
> From: Harry Metske [mailto:harry.metske@gmail.com]
> Sent: Friday, April 10, 2009 4:23 AM
> To: jspwiki-user@incubator.apache.org; bhanu0608@yahoo.com
> Subject: Re: Allow tag does not restrict access
>
> Since we get quite a few of these questions, I started a FAQ on
> Authorization:
>
> http://www.jspwiki.org/wiki/FAQAuthorization
>
> feel free to add content........
>
> Harry
>
> 2009/4/9 Bhavani <bh...@yahoo.com>
>
>> HI,
>>
>> We recently started implementing jspwiki. JAAS security is enabled and
>> everything works fine. But I am not able to control access to page edits
>> using the allow tag. Also everyone is able to edit the admin group. Even
>> people who are not members of the group can edit the group. So please help
>> me with the following questions.
>>
>> 1. What am I missing that the allow tag is not working as it should be ?
>> 2. Is there a way to control non-members from editing the groups?
>>
>> -Bhavani
>>
>>
>>
>>
>>
>
>

Re: Allow tag does not restrict access

Posted by Andrew Jaquith <an...@gmail.com>.
Eric -- you've provided me with enough information to try to verify
your issue. I'll try to do that over the next few days.

In the meantime, could you try the latest nightly build, and see if it
produces different results?

Regards, Andrew

On Fri, Apr 10, 2009 at 10:35 AM, Carlson, Eric R
<er...@kroger.com> wrote:
> I've been having the exact same problem, and haven't been making any headway on it, so I've gone over the FAQ to see if I can find the cause.
>
> First, I'm running JSPWiki 2.8.1.
>
> I have two user-ids I can access.   One is defined as an administrator, the second one isn't.  I was able to verify this by logging on to both of them, going into 'My Prefs', and clicking on the 'Profile' tab.  UserA shows : Roles - All, Authenticated; Groups - None.   UserB shows : Roles - All, Authenticated; Groups - Admin.
>
> I am not currently able to run the SecurityConfig.jsp application (see my other message), so I can't include the output here.
>
> I have enabled the security log, and set the logging level to DEBUG.   While I see messages in the log each time I log in, I don't see any sort of messages in the security log when I access a new page.  I'm not sure if I should expect to see such messages, but the FAQ says to check the security log, and I don't see anything there, other than logon messages.
>
> I've also cleared all cookies and temporary internet files, and still get the same problem.
>
> Here's what I have configured in jspwiki.policy :
>
> --------------------------------
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile"
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
>  };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
> };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
> };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
>  };
>
> grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> };
>
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
> };
>
> -------------------------------
>
>                                                Eric R. Carlson
>                                                        Eric.Carlson@kroger.com
>
> -----Original Message-----
> From: Harry Metske [mailto:harry.metske@gmail.com]
> Sent: Friday, April 10, 2009 4:23 AM
> To: jspwiki-user@incubator.apache.org; bhanu0608@yahoo.com
> Subject: Re: Allow tag does not restrict access
>
> Since we get quite a few of these questions, I started a FAQ on
> Authorization:
>
> http://www.jspwiki.org/wiki/FAQAuthorization
>
> feel free to add content........
>
> Harry
>
> 2009/4/9 Bhavani <bh...@yahoo.com>
>
>> Hi,
>>
>> We recently started implementing jspwiki. JAAS security is enabled and
>> everything works fine. But I am not able to control access to page edits
>> using the allow tag. Also everyone is able to edit the admin group. Even
>> people who are not members of the group can edit the group. So please help
>> me with the following questions.
>>
>> 1. What am I missing that the allow tag is not working as it should be?
>> 2. Is there a way to control non-members from editing the groups?
>>
>> -Bhavani
>>
>>
>>
>>
>>
>

RE: Allow tag does not restrict access

Posted by Bhavani <bh...@yahoo.com>.
Hi,

I did some more research into this issue. I added the two properties to the jspwiki.properties to enable debug logs for authorization.

So when jspwiki starts I see the following logs which show the ACLs I have on two pages: Main and Administration:

2009-04-13 15:22:01,802 [server.startup : 0] DEBUG com.ecyrd.jspwiki.auth.acl.DefaultAclManager  -   user = Bhavani: (("com.ecyrd.jspwiki.auth.permissions.PagePermission","JSPWiki:Main","edit"))

2009-04-13 15:22:01,831 [server.startup : 0] DEBUG com.ecyrd.jspwiki.auth.acl.DefaultAclManager  - Adding new acl entry for edit
2009-04-13 15:22:01,831 [server.startup : 0] DEBUG com.ecyrd.jspwiki.auth.acl.DefaultAclManager  -   user = Administrator: (("com.ecyrd.jspwiki.auth.permissions.PagePermission","JSPWiki:Admin","edit"))

And whenever a user logs in I see the following statement in the log:

2009-04-13 15:30:29,234 [WebContainer : 1] DEBUG com.ecyrd.jspwiki.auth.acl.DefaultAclManager  - Adding to old acl list: [WikiPrincipal (fullName): Bhavani], edit
2009-04-13 15:30:29,234 [WebContainer : 1] DEBUG com.ecyrd.jspwiki.auth.acl.DefaultAclManager  -   user = Bhavani: (("com.ecyrd.jspwiki.auth.permissions.PagePermission","JSPWiki:Main","edit"))

When this user tries to edit the 'Main' page which the user does not have access to, the user first of all is able to edit the page and then I see this in the log:

2009-04-13 15:32:26,710 [WebContainer : 3] DEBUG com.ecyrd.jspwiki.auth.acl.DefaultAclManager JSPWiki:/wiki/wiki/Main JSPWiki:http://w3dev.hitachigst.com/wiki/wiki/Main - Adding to old acl list: [WikiPrincipal (fullName): Bhavani], edit
2009-04-13 15:32:26,711 [WebContainer : 3] DEBUG com.ecyrd.jspwiki.auth.acl.DefaultAclManager JSPWiki:/wiki/wiki/Main JSPWiki:http://w3dev.hitachigst.com/wiki/wiki/Main -   user = Bhavani: (("com.ecyrd.jspwiki.auth.permissions.PagePermission","JSPWiki:Main","edit"))

-Bhavani



      

RE: Allow tag does not restrict access

Posted by "Carlson, Eric R" <er...@kroger.com>.
I've been having the exact same problem, and haven't been making any headway on it, so I've gone over the FAQ to see if I can find the cause.

First, I'm running JSPWiki 2.8.1.

I have two user-ids I can access.   One is defined as an administrator, the second one isn't.  I was able to verify this by logging on to both of them, going into 'My Prefs', and clicking on the 'Profile' tab.  UserA shows : Roles - All, Authenticated; Groups - None.   UserB shows : Roles - All, Authenticated; Groups - Admin.

I am not currently able to run the SecurityConfig.jsp application (see my other message), so I can't include the output here.

I have enabled the security log, and set the logging level to DEBUG.   While I see messages in the log each time I log in, I don't see any sort of messages in the security log when I access a new page.  I'm not sure if I should expect to see such messages, but the FAQ says to check the security log, and I don't see anything there, other than logon messages.

I've also cleared all cookies and temporary internet files, and still get the same problem.

Here's what I have configured in jspwiki.policy :

--------------------------------

grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile"
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
 };

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
};

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
};

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
 };

grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};

-------------------------------

                                                Eric R. Carlson
                                                        Eric.Carlson@kroger.com

-----Original Message-----
From: Harry Metske [mailto:harry.metske@gmail.com]
Sent: Friday, April 10, 2009 4:23 AM
To: jspwiki-user@incubator.apache.org; bhanu0608@yahoo.com
Subject: Re: Allow tag does not restrict access

Since we get quite a few of these questions, I started a FAQ on
Authorization:

http://www.jspwiki.org/wiki/FAQAuthorization

feel free to add content........

Harry

2009/4/9 Bhavani <bh...@yahoo.com>

> Hi,
>
> We recently started implementing jspwiki. JAAS security is enabled and
> everything works fine. But I am not able to control access to page edits
> using the allow tag. Also everyone is able to edit the admin group. Even
> people who are not members of the group can edit the group. So please help
> me with the following questions.
>
> 1. What am I missing that the allow tag is not working as it should be?
> 2. Is there a way to control non-members from editing the groups?
>
> -Bhavani
>
>
>
>
>

This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain information that is confidential and protected by law from unauthorized disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
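
A syntax check for a jspwiki.policy file like the one posted in the message above, as an added example that is not part of the thread or of JSPWiki: it lists the permissions granted to each principal and flags entries that lack the terminating semicolon that Java policy file syntax puts after every permission entry and grant block. The function name lint_policy and the embedded sample (the "All" and "Anonymous" grants as posted) are assumptions made for illustration.

```python
import re

# Constructed sample: two grant blocks copied from the policy posted above.
SAMPLE_POLICY = '''\
grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile"
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
 };

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
};
'''

GRANT = re.compile(r'^grant\s+principal\s+(\S+)\s+"([^"]+)"\s*\{\s*$')
PERM = re.compile(r'^permission\s+(\S+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*(;?)\s*$')

def lint_policy(text):
    """Return (grants, problems) for a jspwiki.policy-style text."""
    grants, problems, current = {}, [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue  # skip blank lines and // comments
        m = GRANT.match(line)
        if m:
            if current is not None:
                problems.append((no, "grant opened inside an unclosed block"))
            current = (m.group(1), m.group(2))  # (principal class, name)
            grants.setdefault(current, [])
            continue
        if line in ("}", "};"):
            if line == "}":
                problems.append((no, "grant block not terminated with ';'"))
            current = None
            continue
        m = PERM.match(line)
        if m and current is not None:
            grants[current].append((m.group(1), m.group(2), m.group(3) or ""))
            if not m.group(4):
                problems.append((no, "permission entry not terminated with ';'"))
        else:
            problems.append((no, "unrecognised line: " + line))
    return grants, problems

if __name__ == "__main__":
    for no, msg in lint_policy(SAMPLE_POLICY)[1]:
        print(f"line {no}: {msg}")
```

Line numbers in the report count from the first line of the text passed in, so run it over the whole file to get positions that match an editor.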

Re: Allow tag does not restrict access

Posted by Harry Metske <ha...@gmail.com>.
Since we get quite a few of these questions, I started a FAQ on
Authorization:

http://www.jspwiki.org/wiki/FAQAuthorization

feel free to add content........

Harry

2009/4/9 Bhavani <bh...@yahoo.com>

> Hi,
>
> We recently started implementing jspwiki. JAAS security is enabled and
> everything works fine. But I am not able to control access to page edits
> using the allow tag. Also everyone is able to edit the admin group. Even
> people who are not members of the group can edit the group. So please help
> me with the following questions.
>
> 1. What am I missing that the allow tag is not working as it should be?
> 2. Is there a way to control non-members from editing the groups?
>
> -Bhavani
>
>
>
>
>