Posted to commits@jspwiki.apache.org by ju...@apache.org on 2014/06/05 21:26:32 UTC
svn commit: r1600734 - in /jspwiki/trunk/jspwiki-war/src/main:
java/org/apache/wiki/auth/ java/org/apache/wiki/ui/ webapp/
Author: juanpablo
Date: Thu Jun 5 19:26:31 2014
New Revision: 1600734
URL: http://svn.apache.org/r1600734
Log:
Applied patch on JSPWIKI-841 (Container Managed Security Not Working), which solves part of the issue; on unsuccessful login there is no error message with container-managed authentication
Modified:
jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthenticationManager.java
jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthorizationManager.java
jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/SecurityVerifier.java
jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/UserManager.java
jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/ui/Installer.java
jspwiki/trunk/jspwiki-war/src/main/webapp/Install.jsp
Modified: jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthenticationManager.java
URL: http://svn.apache.org/viewvc/jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthenticationManager.java?rev=1600734&r1=1600733&r2=1600734&view=diff
==============================================================================
--- jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthenticationManager.java (original)
+++ jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthenticationManager.java Thu Jun 5 19:26:31 2014
@@ -100,14 +100,21 @@ public class AuthenticationManager {
* <p>
* Setting this is now deprecated - we do not guarantee that it works.
*
- * @deprecated
+ * @deprecated - to be removed on 2.11.0
*/
+ @Deprecated
public static final String PROP_SECURITY = "jspwiki.security";
- /** Value specifying that the user wants to use the container-managed security, just like in JSPWiki 2.2. */
+ /** Value specifying that the user wants to use the container-managed security, just like in JSPWiki 2.2.
+ * @deprecated - to be removed on 2.11.0
+ */
+ @Deprecated
public static final String SECURITY_OFF = "off";
- /** Value specifying that the user wants to use the built-in JAAS-based system */
+ /** Value specifying that the user wants to use the built-in JAAS-based system.
+ * @deprecated - to be removed on 2.11.0
+ */
+ @Deprecated
public static final String SECURITY_JAAS = "jaas";
/** Whether logins should be throttled to limit brute-forcing attempts. Defaults to true. */
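Review bot: The Javadoc kept above `PROP_SECURITY` still reads "we do not guarantee that it works", which undersells what this commit does: the reads of the property in `AuthenticationManager.initialize`, `AuthorizationManager.initialize`, `UserManager.initialize` and `Installer.parseProperties` are all removed further down, so as far as this diff shows the setting becomes inert. A deployment that still carries `jspwiki.security = container` or `off` would move, without any message, from the removed `checkPermission` shortcut (everything granted except a null permission or the login action) to full policy enforcement, and from `DummyUserDatabase` to the configured user database. I would reword the sentence to `Ignored as of this revision: JSPWiki's own authentication and authorization are always active, whatever value is set.` and repeat that on `SECURITY_OFF`, `SECURITY_JAAS` and `SECURITY_CONTAINER` (the `@@ -137` hunk). Logging a one-time warning at startup when the property is present, or having `SecurityVerifier.verifyJaas` report it instead of dropping the check, would let operators notice the change during upgrade.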
@@ -137,8 +144,9 @@ public class AuthenticationManager {
/** Just to provide compatibility with the old versions. The same
* as SECURITY_OFF.
*
- * @deprecated use {@link #SECURITY_OFF} instead
+ * @deprecated use {@link #SECURITY_OFF} instead - to be removed on 2.11.0
*/
+ @Deprecated
protected static final String SECURITY_CONTAINER = "container";
/** The default {@link javax.security.auth.spi.LoginModule} class name to use for custom authentication. */
@@ -160,10 +168,7 @@ public class AuthenticationManager {
/** If true, logs the IP address of the editor */
private boolean m_storeIPAddress = true;
- private boolean m_useJAAS = true;
-
/** Keeps a list of the usernames who have attempted a login recently. */
-
private TimedCounterList<String> m_lastLoginAttempts = new TimedCounterList<String>();
/**
@@ -180,9 +185,6 @@ public class AuthenticationManager {
m_engine = engine;
m_storeIPAddress = TextUtil.getBooleanProperty( props, PROP_STOREIPADDRESS, m_storeIPAddress );
- // Should J2SE policies be used for authorization?
- m_useJAAS = SECURITY_JAAS.equals(props.getProperty( PROP_SECURITY, SECURITY_JAAS ));
-
// Should we allow cookies for assertions? (default: yes)
m_allowsCookieAssertions = TextUtil.getBooleanProperty( props,
PROP_ALLOW_COOKIE_ASSERTIONS,
@@ -225,8 +227,6 @@ public class AuthenticationManager {
*/
public boolean isContainerAuthenticated()
{
- if( !m_useJAAS ) return true;
-
try
{
Authorizer authorizer = m_engine.getAuthorizationManager().getAuthorizer();
Modified: jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthorizationManager.java
URL: http://svn.apache.org/viewvc/jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthorizationManager.java?rev=1600734&r1=1600733&r2=1600734&view=diff
==============================================================================
--- jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthorizationManager.java (original)
+++ jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/AuthorizationManager.java Thu Jun 5 19:26:31 2014
@@ -124,8 +124,6 @@ public class AuthorizationManager {
private LocalPolicy m_localPolicy = null;
- private boolean m_useJAAS = true;
-
/**
* Constructs a new AuthorizationManager instance.
*/
@@ -178,18 +176,6 @@ public class AuthorizationManager {
*/
public boolean checkPermission( WikiSession session, Permission permission )
{
- if( !m_useJAAS )
- {
- //
- // Nobody can login, if JAAS is turned off.
- //
-
- if( permission == null || "login".equals( permission.getActions() ) )
- return false;
-
- return true;
- }
-
//
// A slight sanity check.
//
@@ -473,15 +459,10 @@ public class AuthorizationManager {
* @param properties the set of properties used to initialize the wiki engine
* @throws WikiException if the AuthorizationManager cannot be initialized
*/
- @SuppressWarnings("deprecation")
public void initialize( WikiEngine engine, Properties properties ) throws WikiException
{
m_engine = engine;
- m_useJAAS = AuthenticationManager.SECURITY_JAAS.equals( properties.getProperty(AuthenticationManager.PROP_SECURITY, AuthenticationManager.SECURITY_JAAS ) );
-
- if( !m_useJAAS ) return;
-
//
// JAAS authorization continues
//
@@ -525,10 +506,12 @@ public class AuthorizationManager {
* Returns <code>true</code> if JSPWiki's JAAS authorization system
* is used for authorization in addition to container controls.
* @return the result
+ * @deprecated functionality deprecated - returns true always. To be removed on 2.11.0
*/
+ @Deprecated
protected boolean isJAASAuthorized()
{
- return m_useJAAS;
+ return true;
}
/**
@@ -628,8 +611,6 @@ public class AuthorizationManager {
*/
protected boolean checkStaticPermission( final WikiSession session, final Permission permission )
{
- if( !m_useJAAS ) return true;
-
Boolean allowed = (Boolean) WikiSession.doPrivileged( session, new PrivilegedAction<Boolean>()
{
public Boolean run()
@@ -681,11 +662,6 @@ public class AuthorizationManager {
*/
public Principal resolvePrincipal( String name )
{
- if( !m_useJAAS )
- {
- return new UnresolvedPrincipal(name);
- }
-
// Check built-in Roles first
Role role = new Role(name);
if ( Role.isBuiltInRole( role ) )
Modified: jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/SecurityVerifier.java
URL: http://svn.apache.org/viewvc/jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/SecurityVerifier.java?rev=1600734&r1=1600733&r2=1600734&view=diff
==============================================================================
--- jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/SecurityVerifier.java (original)
+++ jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/SecurityVerifier.java Thu Jun 5 19:26:31 2014
@@ -22,7 +22,13 @@ import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
-import java.security.*;
+import java.security.AccessControlException;
+import java.security.AccessController;
+import java.security.KeyStore;
+import java.security.Permission;
+import java.security.Principal;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
@@ -36,7 +42,11 @@ import org.apache.wiki.InternalWikiExcep
import org.apache.wiki.WikiEngine;
import org.apache.wiki.WikiSession;
import org.apache.wiki.api.exceptions.WikiException;
-import org.apache.wiki.auth.authorize.*;
+import org.apache.wiki.auth.authorize.Group;
+import org.apache.wiki.auth.authorize.GroupDatabase;
+import org.apache.wiki.auth.authorize.GroupManager;
+import org.apache.wiki.auth.authorize.Role;
+import org.apache.wiki.auth.authorize.WebContainerAuthorizer;
import org.apache.wiki.auth.permissions.AllPermission;
import org.apache.wiki.auth.permissions.GroupPermission;
import org.apache.wiki.auth.permissions.PermissionFactory;
@@ -588,19 +598,6 @@ public final class SecurityVerifier
*/
protected void verifyJaas()
{
- // See if JAAS is on
- AuthorizationManager authMgr = m_engine.getAuthorizationManager();
- if ( !authMgr.isJAASAuthorized() )
- {
- m_session.addMessage( ERROR_JAAS, "JSPWiki's JAAS-based authentication " +
- "and authorization system is turned off (your jspwiki.properties file " +
- "contains the setting 'jspwiki.security = container'. This " +
- "setting disables authorization checks and is meant for testing " +
- "and troubleshooting only. The test results on this page will not " +
- "be reliable as a result. You should set this to 'jaas' " +
- "so that security works properly." );
- }
-
// Verify that the specified JAAS moduie corresponds to a class we can load successfully.
String jaasClass = m_engine.getWikiProperties().getProperty( AuthenticationManager.PROP_LOGIN_MODULE );
if ( jaasClass == null || jaasClass.length() == 0 )
@@ -612,7 +609,7 @@ public final class SecurityVerifier
}
// See if we can find the LoginModule on the classpath
- Class c = null;
+ Class< ? > c = null;
try
{
m_session.addMessage( INFO_JAAS, "The property '" + AuthenticationManager.PROP_LOGIN_MODULE +
Modified: jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/UserManager.java
URL: http://svn.apache.org/viewvc/jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/UserManager.java?rev=1600734&r1=1600733&r2=1600734&view=diff
==============================================================================
--- jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/UserManager.java (original)
+++ jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/auth/UserManager.java Thu Jun 5 19:26:31 2014
@@ -104,8 +104,6 @@ public class UserManager {
/** The user database loads, manages and persists user identities */
private UserDatabase m_database;
- private boolean m_useJAAS = true;
-
/**
* Constructs a new UserManager instance.
*/
@@ -118,13 +116,10 @@ public class UserManager {
* @param engine the current wiki engine
* @param props the wiki engine initialization properties
*/
- @SuppressWarnings("deprecation")
public void initialize( WikiEngine engine, Properties props )
{
m_engine = engine;
- m_useJAAS = AuthenticationManager.SECURITY_JAAS.equals( props.getProperty(AuthenticationManager.PROP_SECURITY, AuthenticationManager.SECURITY_JAAS ) );
-
// Attach the PageManager as a listener
// TODO: it would be better if we did this in PageManager directly
addWikiEventListener( engine.getPageManager() );
@@ -148,12 +143,6 @@ public class UserManager {
return m_database;
}
- if( !m_useJAAS )
- {
- m_database = new DummyUserDatabase();
- return m_database;
- }
-
String dbClassName = UNKNOWN_CLASS;
try
Modified: jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/ui/Installer.java
URL: http://svn.apache.org/viewvc/jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/ui/Installer.java?rev=1600734&r1=1600733&r2=1600734&view=diff
==============================================================================
--- jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/ui/Installer.java (original)
+++ jspwiki/trunk/jspwiki-war/src/main/java/org/apache/wiki/ui/Installer.java Thu Jun 5 19:26:31 2014
@@ -28,13 +28,15 @@ import java.util.ResourceBundle;
import java.util.Set;
import javax.servlet.ServletConfig;
-import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import org.apache.wiki.PageManager;
import org.apache.wiki.WikiEngine;
import org.apache.wiki.WikiSession;
-import org.apache.wiki.auth.*;
+import org.apache.wiki.auth.NoSuchPrincipalException;
+import org.apache.wiki.auth.UserManager;
+import org.apache.wiki.auth.WikiPrincipal;
+import org.apache.wiki.auth.WikiSecurityException;
import org.apache.wiki.auth.authorize.Group;
import org.apache.wiki.auth.authorize.GroupManager;
import org.apache.wiki.auth.user.UserDatabase;
@@ -78,8 +80,7 @@ public class Installer
m_engine = WikiEngine.getInstance( config );
m_session = WikiSession.getWikiSession( m_engine, request );
- // Get the servlet context, and file for properties
- ServletContext context = config.getServletContext();
+ // Get the file for properties
m_propertyFile = new File(TMP_DIR, PROPFILENAME);
m_props = new Properties();
@@ -194,7 +195,6 @@ public class Installer
return m_props.getProperty( key );
}
- @SuppressWarnings("deprecation")
public void parseProperties () throws Exception
{
ResourceBundle rb = ResourceBundle.getBundle( InternationalizationManager.CORE_BUNDLE,
@@ -227,10 +227,6 @@ public class Installer
parseProperty( WORK_DIR, nullValue );
sanitizePath( WORK_DIR );
- // Get/sanitize security property
- nullValue = m_props.getProperty( AuthenticationManager.PROP_SECURITY, AuthenticationManager.SECURITY_JAAS );
- parseProperty( AuthenticationManager.PROP_SECURITY, nullValue );
-
// Set a few more default properties, for easy setup
m_props.setProperty( STORAGE_DIR, m_props.getProperty( PAGE_DIR ) );
m_props.setProperty( PageManager.PROP_PAGEPROVIDER, "VersioningFileProvider" );
Modified: jspwiki/trunk/jspwiki-war/src/main/webapp/Install.jsp
URL: http://svn.apache.org/viewvc/jspwiki/trunk/jspwiki-war/src/main/webapp/Install.jsp?rev=1600734&r1=1600733&r2=1600734&view=diff
==============================================================================
--- jspwiki/trunk/jspwiki-war/src/main/webapp/Install.jsp (original)
+++ jspwiki/trunk/jspwiki-war/src/main/webapp/Install.jsp Thu Jun 5 19:26:31 2014
@@ -135,15 +135,6 @@ if ( !installer.adminExists() )
<h3><fmt:message key="install.jsp.security.title" /></h3>
<div class="block">
- <label><fmt:message key="install.jsp.security.sec.conf.label" /></label><br/>
- <input type="radio" name="<%=AuthenticationManager.PROP_SECURITY%>" value="<%=AuthenticationManager.SECURITY_JAAS%>" checked="checked"/>
- <fmt:message key="install.jsp.security.sec.conf.opt1" /><br/>
- <input type="radio" name="<%=AuthenticationManager.PROP_SECURITY%>" value="<%=AuthenticationManager.SECURITY_OFF%>"/>
- <fmt:message key="install.jsp.security.sec.conf.opt2" />
- <div class="description">
- <fmt:message key="install.jsp.security.sec.conf.desc" />
- </div>
-
<%
if( validated )
{