Posted to user@jspwiki.apache.org by Milton Taylor <mc...@gmail.com> on 2008/01/21 05:35:58 UTC

Is the Authenticated role name "hard wired?"

I have just upgraded our internal wiki to 2.6.1-cvs-7 and am puzzled by 
something.

I'm using container based authentication (under jBoss). I have set this 
up to use both ldap and jdbc to authenticate users. LDAP holds the 
internal users, and the database holds the external users. The initial 
role I gave the external users was "WikiUser". This role is in turn 
specified in both web.xml and the jspwiki.policy file, and is supposed 
to give read-only access to the wiki. In contrast, the "Authenticated" 
role is allowed read-write access and is used by the internal users.

What I have found though is that the system behaves as if every user who 
has authenticated successfully is implicitly a member of role 
'Authenticated' even though the users had not been explicitly given 
this role. I was able to confirm this by switching things around, so 
that the Authenticated role only gave them view privileges, and to get 
read/write access required being a member of role 'WikiEditor', which 
had its own rights granted in the policy file.

Is this intentional?  i.e. Changing the standard role names in the 
policy file to something else doesn't necessarily work correctly.

Also, I assume that privileges are additive, in that if you are a member 
of some extra role, you will get whatever rights are granted by that 
role in the policy file in addition to whatever rights are granted by 
the Authenticated role?

Thanks,
Milt.



Re: Is the Authenticated role name "hard wired?"

Posted by Murray Altheim <mu...@altheim.com>.
Janne Jalkanen wrote:
[...]
> The fact that they all start with an "A" is just a coincidence, has 
> nothing to do with the fact that Andrew's name starts also with an "A", 
> and no mysterious black cars or grey beings with flashing lights have 
> ever been seen outside mine or Andrew's apartment.

Then what the heck are those mysterious cars and grey thingamabobs with
flashing lights doing outside my apartm...   aaaaahhheeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee

...........................................................................
Murray Altheim <murray07 at altheim.com>                           ===  = =
http://www.altheim.com/murray/                                     = =  ===
SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk               = =  = =

       Boundless wind and moon - the eye within eyes,
       Inexhaustible heaven and earth - the light beyond light,
       The willow dark, the flower bright - ten thousand houses,
       Knock at any door - there's one who will respond.
                                       -- The Blue Cliff Record

Re: Is the Authenticated role name "hard wired?"

Posted by Janne Jalkanen <Ja...@ecyrd.com>.
> What I have found though is that the system behaves as if every  
> user who has authenticated successfully is implicitly a member of  
> role 'Authenticated' even though the users had not been  explicitly  
> given this role. I was able to confirm this by switching things  
> around, so that the Authenticated role only gave them view  
> privileges, and to get read/write access required being a member of  
> role 'WikiEditor', which had its own rights granted in the policy  
> file.

Yes, this is correct.  Authenticated is a role which is given to  
anyone who is, well, authenticated.  Same thing with Asserted.  These  
are known as "built-in" roles, and we have four of them: All,  
Asserted, Authenticated and Admin.

The fact that they all start with an "A" is just a coincidence, has  
nothing to do with the fact that Andrew's name starts also with an  
"A", and no mysterious black cars or grey beings with flashing lights  
have ever been seen outside mine or Andrew's apartment.

/Janne
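
The behaviour confirmed in the reply above can be checked against a policy file before it is deployed. The following is an added example, not code from the thread or from JSPWiki: it parses Java-policy-style grants and computes what an authenticated user actually holds once the implicit roles are included. The policy text is constructed, the class names in it and the helper names are assumptions, and grants are treated as additive, which is how Java policy files behave.

```python
import re

# Constructed sample policy (not from the thread): Java policy "grant principal"
# syntax; the class names are assumed, modelled on JSPWiki 2.x.
SAMPLE_POLICY = '''
grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit,upload";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "WikiUser" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
};
'''

GRANT_RE = re.compile(r'grant\s+principal\s+\S+\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+(\S+)\s+"([^"]*)"\s*(?:,\s*"([^"]*)")?\s*;')

def parse_policy(text):
    """Return {role: {(permission_class, target, action), ...}}."""
    grants = {}
    for role, body in GRANT_RE.findall(text):
        perms = grants.setdefault(role, set())
        for cls, target, actions in PERM_RE.findall(body):
            for action in (actions or "").split(","):
                perms.add((cls.rsplit(".", 1)[-1], target, action.strip()))
    return grants

def effective_permissions(grants, container_roles, authenticated=True):
    """Union of grants over explicit roles plus the implicit built-in ones."""
    roles = set(container_roles) | {"All"}  # assumption: every session holds All
    if authenticated:
        roles.add("Authenticated")  # implicit for any authenticated user, per the reply
    result = set()
    for role in roles:
        result |= grants.get(role, set())
    return result

def unintended_actions(grants, container_roles, allowed_actions):
    """Actions an authenticated user holds beyond what the role was meant to give."""
    held = {action for _, _, action in effective_permissions(grants, container_roles)}
    return sorted(held - set(allowed_actions))

if __name__ == "__main__":
    grants = parse_policy(SAMPLE_POLICY)
    print(unintended_actions(grants, ["WikiUser"], ["view"]))
```

A non-empty result for a role meant to be read-only means the write grants sit on a built-in role and should be moved to an explicitly assigned one, as the original poster did with 'WikiEditor'.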