Posted to user@jspwiki.apache.org by Milton Taylor <mc...@gmail.com> on 2008/01/21 05:35:58 UTC
Is the Authenticated role name "hard wired?"
I have just upgraded our internal wiki to 2.6.1-cvs-7 and am puzzled by
something.
I'm using container based authentication (under jBoss). I have set this
up to use both ldap and jdbc to authenticate users. LDAP holds the
internal users, and the database holds the external users. The initial
role I gave the external users was "WikiUser". This role is in turn
specified in both web.xml and the jspwiki.policy file, and is supposed
to give read-only access to the wiki. In contrast, the "Authenticated"
role is allowed read-write access and is used by the internal users.
What I have found though is that the system behaves as if every user who
has authenticated successfully is implicitly a member of role
'Authenticated' even though the users had not been explicitly given
this role. I was able to confirm this by switching things around, so
that the Authenticated role only gave them view privileges, and to get
read/write access required being a member of role 'WikiEditor', which
had its own rights granted in the policy file.
Is this intentional? i.e. Changing the standard role names in the
policy file to something else doesn't necessarily work correctly.
Also, I assume that privileges are additive, in that if you are a member
of some extra role, you will get whatever rights are granted by that
role in the policy file in addition to whatever rights are granted by
the Authenticated role?
Thanks,
Milt.
Re: Is the Authenticated role name "hard wired?"
Posted by Murray Altheim <mu...@altheim.com>.
Janne Jalkanen wrote:
[...]
> The fact that they all start with an "A" is just a coincidence, has
> nothing to do with the fact that Andrew's name starts also with an "A",
> and no mysterious black cars or grey beings with flashing lights have
> ever been seen outside mine or Andrew's apartment.
Then what the heck are those mysterious cars and grey thingamabobs with
flashing lights doing outside my apartm... aaaaahhheeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
...........................................................................
Murray Altheim <murray07 at altheim.com> === = =
http://www.altheim.com/murray/ = = ===
SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk = = = =
Boundless wind and moon - the eye within eyes,
Inexhaustible heaven and earth - the light beyond light,
The willow dark, the flower bright - ten thousand houses,
Knock at any door - there's one who will respond.
-- The Blue Cliff Record
Re: Is the Authenticated role name "hard wired?"
Posted by Janne Jalkanen <Ja...@ecyrd.com>.
> What I have found though is that the system behaves as if every
> user who has authenticated successfully is implicitly a member of
> role 'Authenticated' even though the users had not been explicitly
> given this role. I was able to confirm this by switching things
> around, so that the Authenticated role only gave them view
> privileges, and to get read/write access required being a member of
> role 'WikiEditor', which had its own rights granted in the policy
> file.
Yes, this is correct. Authenticated is a role which is given to
anyone who is, well, authenticated. Same thing with Asserted. These
are known as "built-in" roles, and we have four of them: All,
Asserted, Authenticated and Admin.
The fact that they all start with an "A" is just a coincidence, has
nothing to do with the fact that Andrew's name starts also with an
"A", and no mysterious black cars or grey beings with flashing lights
have ever been seen outside mine or Andrew's apartment.
/Janne
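
The behaviour confirmed in the reply above, as an added example that is not part of the original thread and is not JSPWiki code: a small model that audits a policy for container roles meant to be restrictive but widened by the implicit Authenticated role. It assumes that grants are additive (a Java policy file can grant but not deny), that "All" applies to every session, and that "view"/"edit" stand in for the real permission entries; the function names and both sample policies are constructed.

```python
# Simplified model of the role behaviour described in this thread.
# Constructed for illustration; this is not JSPWiki code.

def implicit_roles(status):
    """Built-in roles a session holds from its login status alone.

    Assumption: "All" applies to every session, and "Admin" is never implicit.
    """
    roles = {"All"}
    if status in ("asserted", "authenticated"):
        roles.add(status.capitalize())  # "Asserted" / "Authenticated"
    return roles

def effective_permissions(policy, status, container_roles):
    """Union of grants over implicit and container-supplied roles.

    Assumption: grants are additive, since a policy file can grant but not deny.
    """
    perms = set()
    for role in implicit_roles(status) | set(container_roles):
        perms |= policy.get(role, set())
    return perms

def audit_restricted_roles(policy, restricted_roles):
    """Map each role meant to be limiting to the permissions an authenticated
    holder gets beyond that role's own grants."""
    findings = {}
    for role in restricted_roles:
        own = policy.get(role, set())
        extra = effective_permissions(policy, "authenticated", [role]) - own
        if extra:
            findings[role] = extra
    return findings

# Constructed policies using the role names from the thread; "view" and "edit"
# are simplified stand-ins for the real permission entries.
ORIGINAL_POLICY = {"WikiUser": {"view"}, "Authenticated": {"view", "edit"}}
SWITCHED_POLICY = {"Authenticated": {"view"}, "WikiUser": {"view"},
                   "WikiEditor": {"view", "edit"}}

if __name__ == "__main__":
    print(audit_restricted_roles(ORIGINAL_POLICY, ["WikiUser"]))
    print(audit_restricted_roles(SWITCHED_POLICY, ["WikiUser"]))
```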