Posted to user@jspwiki.apache.org by Gary Kephart <ga...@pobox.com> on 2020/12/05 17:20:07 UTC

attachment security policy

I have a site that I've set up as read-only except for users who are in 
a particular group. For the most part, that works well. What doesn't 
seem to work is showing the site logo to users who are not logged in. 
When I try to directly access 
http://mysite.org/attach/LeftMenu/mylogo.png when logged off, I get the 
Forbidden page, where it mentions "It is also possible that JSPWiki 
cannot find its security policy, or that the policy is not configured 
correctly. Either of these cases would cause JSPWiki to block access, too."

Is attachment policy different than page policy? Do you have to be able 
to modify a page in order to view an attachment? What do I need to do to 
fix this? I've read 
https://jspwiki-wiki.apache.org/Wiki.jsp?page=Wiki.Admin.Security and 
don't see anything there that addresses this specifically.

Thanks,
   Gary

Re: attachment security policy

Posted by Gary Kephart <ga...@pobox.com>.
I only have this on that page:

[{ALLOW edit Admin}]

so I was missing the "view" part.

I thought it was a problem with my jspwiki.policy, but adding the "view" 
part seems to have solved it.

Thanks!

Gary

On 12/24/2020 2:30 AM, Dirk Frederickx wrote:
> Hi Gary,
>
> Seems like the LeftMenu is not accessible (read/write) in case the user is
> not authenticated.
> Maybe it has an ACL which is too restrictive?  [{ALLOW ....}]
>
> It should be something like this:
>
> [{ALLOW edit Admin}]
> [{ALLOW view All}]
>
>
> Br,
> dirk


Re: attachment security policy

Posted by Dirk Frederickx <di...@gmail.com>.
Hi Gary,

Seems like the LeftMenu is not accessible (read/write) in case the user is
not authenticated.
Maybe it has an ACL which is too restrictive?  [{ALLOW ....}]

It should be something like this:

[{ALLOW edit Admin}]
[{ALLOW view All}]


Br,
dirk



On Thu, Dec 24, 2020 at 9:20 AM Gary Kephart <ga...@pobox.com> wrote:

> I'll give you the pertinent URLs:
>
> The site: http://ocpolitizone.org/
> The logo: http://ocpolitizone.org/attach/LeftMenu/ocpolitizone.png
>
> Besides the jspwiki.policy file, is there any other configuration file,
> like jspwiki-custom.properties, that might make a difference?
>
> Thanks,
>    Gary
>
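
Added example (not part of the original thread and not JSPWiki code): a simplified Python model of the two checks this thread turned on, the jspwiki.policy grant and then the page ACL, with an attachment checked against its parent page. The wiki name "mywiki", the function names and the rule that "edit" implies "view" are assumptions of the model.

```python
import re
from fnmatch import fnmatchcase

# Assumption for this model: "edit" implies "view"; other actions are left out.
IMPLIED = {"view": {"view"}, "edit": {"edit", "view"}}

# Grants taken from the policy file posted in the thread (the view-only roles).
POLICY = [
    ("All", "*:*", {"view"}),
    ("Anonymous", "*:*", {"view"}),
    ("Asserted", "*:*", {"view"}),
    ("Authenticated", "*:*", {"view"}),
]

ACL_RE = re.compile(r"\[\{\s*ALLOW\s+(\w+)\s+([^}]*?)\s*\}\]")


def parse_acl(page_text):
    """Map each action in [{ALLOW action principal,...}] markup to its principals."""
    acl = {}
    for action, names in ACL_RE.findall(page_text):
        principals = {n.strip() for n in names.split(",") if n.strip()}
        acl.setdefault(action.lower(), set()).update(principals)
    return acl


def parent_page(target):
    """'wiki:Page/file.png' -> 'Page' (an attachment is checked against its page)."""
    return target.split(":", 1)[1].split("/", 1)[0]


def policy_grants(roles, target, action):
    """Stage 1: does a grant block for one of the session's roles cover the request?"""
    wiki, page = target.split(":", 1)
    for role, pattern, actions in POLICY:
        p_wiki, p_page = pattern.split(":", 1)
        wiki_ok = p_wiki == "*" or p_wiki == wiki
        # Per the thread, a permission on the page also covers its attachments.
        page_ok = fnmatchcase(page, p_page) or p_page == parent_page(target)
        action_ok = any(action in IMPLIED.get(a, {a}) for a in actions)
        if role in roles and wiki_ok and page_ok and action_ok:
            return True
    return False


def acl_grants(roles, acl, action):
    """Stage 2: once a page carries an ACL, only the principals it lists get through."""
    allowed = set()
    for acl_action, principals in acl.items():
        if action in IMPLIED.get(acl_action, {acl_action}):
            allowed |= principals
    return bool(roles & allowed)


def decide(roles, target, action, pages):
    """Return 'allow', 'deny:policy' or 'deny:acl' for one request."""
    if not policy_grants(roles, target, action):
        return "deny:policy"
    acl = parse_acl(pages.get(parent_page(target), ""))
    if acl and not acl_grants(roles, acl, action):
        return "deny:acl"
    return "allow"


ANONYMOUS = {"All", "Anonymous"}      # roles held by a logged-out session
LOGO = "mywiki:LeftMenu/mylogo.png"   # constructed wiki name "mywiki"

# Constructed page texts: LeftMenu before and after the ACL fix from the thread.
BEFORE = {"LeftMenu": "[{ALLOW edit Admin}]\nmenu text"}
AFTER = {"LeftMenu": "[{ALLOW edit Admin}]\n[{ALLOW view All}]\nmenu text"}

if __name__ == "__main__":
    print("before:", decide(ANONYMOUS, LOGO, "view", BEFORE))
    print("after: ", decide(ANONYMOUS, LOGO, "view", AFTER))
    print("edit:  ", decide(ANONYMOUS, LOGO, "edit", AFTER))
```

In the "before" case the policy file already grants the view, so editing jspwiki.policy cannot change the outcome; the denial comes from the ACL on the LeftMenu page.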

Re: attachment security policy

Posted by Gary Kephart <ga...@pobox.com>.
I'll give you the pertinent URLs:

The site: http://ocpolitizone.org/
The logo: http://ocpolitizone.org/attach/LeftMenu/ocpolitizone.png

Besides the jspwiki.policy file, is there any other configuration file, 
like jspwiki-custom.properties, that might make a difference?

Thanks,
   Gary

On 12/8/2020 9:31 AM, Juan Pablo Santos Rodríguez wrote:
> Hi Gary,
>
> that's weird, before writing previous e-mail I double checked the
> suggested approach using the following unit test
>
> @Test
> public void testAttachmentAcl() throws Exception {
>      m_engine.saveText( "TestDefaultPage", "Foo" );
>      final Attachment att = Wiki.contents().attachment( m_engine,
> "TestDefaultPage", "TestAtt.txt" );
>      att.setAuthor( "FirstPost" );
>      m_engine.getManager( AttachmentManager.class ).storeAttachment(
> att, m_engine.makeAttachmentFile() );
>
>      final Permission view = PermissionFactory.getPagePermission(
> "*:TestDefaultPage/TestAtt.txt", "view" );
>      final Permission edit = PermissionFactory.getPagePermission(
> "*:TestDefaultPage/TestAtt.txt", "edit" );
>
>      final Session session = WikiSessionTest.anonymousSession( m_engine );
>      Assertions.assertTrue( m_auth.checkPermission( session, view ),
> "anonymous view" );
>      Assertions.assertTrue( m_auth.checkPermission( session, edit ),
> "anonymous edit" );
> }
>
> and it passes for each of the following permissions on the policy file
>
> grant principal org.apache.wiki.auth.authorize.Role "Anonymous" {
>      //permission org.apache.wiki.auth.permissions.PagePermission "*:*", "edit";
>      //permission org.apache.wiki.auth.permissions.PagePermission "*:TestDefaultPage", "edit";
>      permission org.apache.wiki.auth.permissions.PagePermission "*:TestDefaultPage/TestAtt.txt", "edit";
> };
>
> (same for view permissions on the policy file except for the test's last
> assertion) Said that, I misunderstood your original e-mail, I was thinking
> that anonymous users weren't allowed to see (not edit) the wiki. Your policy
> file should be enough to allow http://mysite.org/attach/LeftMenu/mylogo.png
> for anonymous users. Does the log show something unusual while
> accessing/requesting that file? Would you mind setting the log level to debug
> to see if anything else pops up?
>
> I'm preparing the release for 2.11.0-M8 in a while, but will have a closer
> look at this after that.
>
>
> best regards,
> juan pablo


Re: attachment security policy

Posted by Juan Pablo Santos Rodríguez <ju...@gmail.com>.
Hi Gary,

that's weird, before writing previous e-mail I double checked the
suggested approach using the following unit test

@Test
public void testAttachmentAcl() throws Exception {
    // Create a page and store an attachment on it
    m_engine.saveText( "TestDefaultPage", "Foo" );
    final Attachment att = Wiki.contents().attachment( m_engine, "TestDefaultPage", "TestAtt.txt" );
    att.setAuthor( "FirstPost" );
    m_engine.getManager( AttachmentManager.class ).storeAttachment( att, m_engine.makeAttachmentFile() );

    // Page permissions whose target is the attachment itself
    final Permission view = PermissionFactory.getPagePermission( "*:TestDefaultPage/TestAtt.txt", "view" );
    final Permission edit = PermissionFactory.getPagePermission( "*:TestDefaultPage/TestAtt.txt", "edit" );

    // Check both permissions for an anonymous session
    final Session session = WikiSessionTest.anonymousSession( m_engine );
    Assertions.assertTrue( m_auth.checkPermission( session, view ), "anonymous view" );
    Assertions.assertTrue( m_auth.checkPermission( session, edit ), "anonymous edit" );
}

and it passes for each of the following permissions on the policy file

grant principal org.apache.wiki.auth.authorize.Role "Anonymous" {
    //permission org.apache.wiki.auth.permissions.PagePermission "*:*", "edit";
    //permission org.apache.wiki.auth.permissions.PagePermission "*:TestDefaultPage", "edit";
    permission org.apache.wiki.auth.permissions.PagePermission "*:TestDefaultPage/TestAtt.txt", "edit";
};

(same for view permissions on the policy file except for the test's last
assertion) Said that, I misunderstood your original e-mail, I was thinking
that anonymous users weren't allowed to see (not edit) the wiki. Your policy
file should be enough to allow http://mysite.org/attach/LeftMenu/mylogo.png
for anonymous users. Does the log show something unusual while
accessing/requesting that file? Would you mind setting the log level to debug
to see if anything else pops up?

I'm preparing the release for 2.11.0-M8 in a while, but will have a closer
look at this after that.


best regards,
juan pablo


On Tue, Dec 8, 2020 at 1:23 AM Gary Kephart <ga...@pobox.com> wrote:

> Juan Pablo,
>
> Thanks for responding. I tried your suggestion but it's still not
> working. Below is my complete jspwiki.policy.
>
> Thanks,
>    Gary
>
> grant principal org.apache.wiki.auth.authorize.Role "All" {
>      permission org.apache.wiki.auth.permissions.PagePermission "*:*",
> "view";
>      permission org.apache.wiki.auth.permissions.PagePermission
> "*:LeftMenu/mylogo.png", "view";
>      permission org.apache.wiki.auth.permissions.WikiPermission "*",
> "editPreferences";
>      permission org.apache.wiki.auth.permissions.WikiPermission "*",
> "editProfile";
>      permission org.apache.wiki.auth.permissions.WikiPermission "*",
> "login";
> };
>
>
> // read-only for Anonymous users
> grant principal org.apache.wiki.auth.authorize.Role "Anonymous" {
>      permission org.apache.wiki.auth.permissions.PagePermission "*:*",
> "view";
> };
>
>
> // read-only for Asserted users
> grant principal org.apache.wiki.auth.authorize.Role "Asserted" {
>      permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
> };
>
>
> // read-only for Authenticated users
> grant principal org.apache.wiki.auth.authorize.Role "Authenticated" {
>      permission org.apache.wiki.auth.permissions.PagePermission "*:*",
> "view";
> };
>
>
> // Members of the group "RegisteredUsers" can create, edit and rename pages.
> // They can also view all the groups.
> grant principal org.apache.wiki.auth.GroupPrincipal "RegisteredUsers" {
>      permission org.apache.wiki.auth.permissions.PagePermission "*:*",
> "modify,rename";
>      permission org.apache.wiki.auth.permissions.GroupPermission "*:*",
> "view";
>      permission org.apache.wiki.auth.permissions.GroupPermission
> "*:<groupmember>", "edit";
>      permission org.apache.wiki.auth.permissions.WikiPermission "*",
> "createPages,createGroups";
> };
>
>
> grant principal org.apache.wiki.auth.GroupPrincipal "Admin" {
>      permission org.apache.wiki.auth.permissions.AllPermission "*";
> };
> grant principal org.apache.wiki.auth.authorize.Role "Admin" {
>      permission org.apache.wiki.auth.permissions.AllPermission "*";
> };

Re: attachment security policy

Posted by Gary Kephart <ga...@pobox.com>.
Juan Pablo,

Thanks for responding. I tried your suggestion but it's still not 
working. Below is my complete jspwiki.policy.

Thanks,
   Gary

grant principal org.apache.wiki.auth.authorize.Role "All" {
     permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
     permission org.apache.wiki.auth.permissions.PagePermission "*:LeftMenu/mylogo.png", "view";
     permission org.apache.wiki.auth.permissions.WikiPermission "*", "editPreferences";
     permission org.apache.wiki.auth.permissions.WikiPermission "*", "editProfile";
     permission org.apache.wiki.auth.permissions.WikiPermission "*", "login";
};


// read-only for Anonymous users
grant principal org.apache.wiki.auth.authorize.Role "Anonymous" {
     permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
};


// read-only for Asserted users
grant principal org.apache.wiki.auth.authorize.Role "Asserted" {
     permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
};


// read-only for Authenticated users
grant principal org.apache.wiki.auth.authorize.Role "Authenticated" {
     permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
};


// Members of the group "RegisteredUsers" can create, edit and rename pages.
// They can also view all the groups.
grant principal org.apache.wiki.auth.GroupPrincipal "RegisteredUsers" {
     permission org.apache.wiki.auth.permissions.PagePermission "*:*", "modify,rename";
     permission org.apache.wiki.auth.permissions.GroupPermission "*:*", "view";
     permission org.apache.wiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
     permission org.apache.wiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
};


grant principal org.apache.wiki.auth.GroupPrincipal "Admin" {
     permission org.apache.wiki.auth.permissions.AllPermission "*";
};
grant principal org.apache.wiki.auth.authorize.Role "Admin" {
     permission org.apache.wiki.auth.permissions.AllPermission "*";
};


On 12/7/2020 6:00 AM, Juan Pablo Santos Rodríguez wrote:
> Hi Gary,
>
> inside JSPWiki, Attachments are considered a special type of Pages, so the
> same policy rules & syntax should apply. In this case, the following
> permission inside the anonymous role block should be enough:
>
> permission org.apache.wiki.auth.permissions.PagePermission
> "*:LeftMenu/mylogo.png", "view";
>
> Also, LeftMenu usually is a page that should be shown to all users, so the
> following permission, also inside the anonymous role block, should also do
> the trick and allow anonymous view on both Page and Attachment:
>
> permission org.apache.wiki.auth.permissions.PagePermission "*:LeftMenu",
> "view";
>
>
> HTH,
> juan pablo


Re: attachment security policy

Posted by Juan Pablo Santos Rodríguez <ju...@gmail.com>.
Hi Gary,

inside JSPWiki, Attachments are considered a special type of Pages, so the
same policy rules & syntax should apply. In this case, the following
permission inside the anonymous role block should be enough:

permission org.apache.wiki.auth.permissions.PagePermission
"*:LeftMenu/mylogo.png", "view";

Also, LeftMenu usually is a page that should be shown to all users, so the
following permission, also inside the anonymous role block, should also do
the trick and allow anonymous view on both Page and Attachment:

permission org.apache.wiki.auth.permissions.PagePermission "*:LeftMenu",
"view";


HTH,
juan pablo

On Sat, Dec 5, 2020 at 6:20 PM Gary Kephart <ga...@pobox.com> wrote:

> I have a site that I've set up as read-only except for users who are in
> a particular group. For the most part, that works well. What doesn't
> seem to work is showing the site logo to users who are not logged in.
> When I try to directly access
> http://mysite.org/attach/LeftMenu/mylogo.png when logged off, I get the
> Forbidden page, where it mentions "It is also possible that JSPWiki
> cannot find its security policy, or that the policy is not configured
> correctly. Either of these cases would cause JSPWiki to block access, too."
>
> Is attachment policy different than page policy? Do you have to be able
> to modify a page in order to view an attachment? What do I need to do to
> fix this? I've read
> https://jspwiki-wiki.apache.org/Wiki.jsp?page=Wiki.Admin.Security and
> don't see anything there that addresses this specifically.
>
> Thanks,
>    Gary
>