You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jspwiki.apache.org by "Juan Pablo Santos RodrÃguez (JIRA)" <ji...@apache.org> on 2014/05/20 23:29:40 UTC
[jira] [Commented] (JSPWIKI-841) Container Managed Security Not
Working
[ https://issues.apache.org/jira/browse/JSPWIKI-841?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14004002#comment-14004002 ]
Juan Pablo Santos RodrÃguez commented on JSPWIKI-841:
-----------------------------------------------------
Hi Owen,
there's no need to set jspwiki.security to off in order to use container-managed security, uncommenting the security constraints in the deployment descriptor should be enough (provided that the container managed configuration is properly set up). See this [web.xml|http://svn.apache.org/repos/asf/jspwiki/trunk/jspwiki-it-tests/jspwiki-it-test-cma/src/main/webapp/WEB-INF/web.xml] for an example against this [tomcat configuration|http://svn.apache.org/repos/asf/jspwiki/trunk/jspwiki-it-tests/jspwiki-selenium-tests/src/main/config/tomcatconf], or a more complex case at [Dave's Koelmeyer blog|http://blog.davekoelmeyer.co.nz/2012/01/28/container-based-authentication-with-jspwiki-glassfish-and-opendj/].
Also, as you point out, AuthorizationManager#initialize(..) begins with:
{code}
@SuppressWarnings("deprecation")
public void initialize( WikiEngine engine, Properties properties ) throws WikiException
{
m_engine = engine;
m_useJAAS = AuthenticationManager.SECURITY_JAAS.equals( properties.getProperty(AuthenticationManager.PROP_SECURITY, AuthenticationManager.SECURITY_JAAS ) );
if( !m_useJAAS ) return;
[...]
{code}
effectively disabling the security model. I think we should at least log an advice on this and add {{jspwiki.security=jaas}} line as a default property to jspwiki.properties, it's not there anymore, and seems to me it should be there.
> Container Managed Security Not Working
> --------------------------------------
>
> Key: JSPWIKI-841
> URL: https://issues.apache.org/jira/browse/JSPWIKI-841
> Project: JSPWiki
> Issue Type: Bug
> Components: Authentication & Authorization
> Affects Versions: 2.10
> Environment: Tomcat 7.0.42
> Java 1.7.0_51
> Windows 2008R2
> Reporter: Owen Farrell
> Fix For: 2.10.1
>
>
> In order to set up container-managed security, I've set set jspwiki.security to 'off' and uncommented the security constraints defined in the deployment descriptor.
> However, by setting jspwiki.security to off, no AuthorizationManager registers itself with the WikiEngine. As a result, all logins fail with the following exception:
> {quote}
> INFO SecurityLog JSPWiki:/wiki/Edit.jsp - WikiSecurityEvent.LOGIN_AUTHENTICATED [source=org.apache.wiki.auth.AuthenticationManager@1c42c135, princpal=org.apache.catalina.realm.GenericPrincipal ofarrell, target=org.apache.wiki.WikiSession@1708e9ad]
> WARN org.apache.wiki.WikiSession JSPWiki:/wiki/Edit.jsp - User profile 'ofarrell' not found. This is normal for container-auth users who haven't set up a profile yet.
> org.apache.wiki.auth.WikiSecurityException: Authorizer did not initialize properly. Check the logs.
> at org.apache.wiki.auth.AuthorizationManager.getAuthorizer(AuthorizationManager.java:336)
> at org.apache.wiki.auth.AuthenticationManager.login(AuthenticationManager.java:312)
> at org.apache.wiki.ui.WikiServletFilter.doFilter(WikiServletFilter.java:159)
> {quote}
--
This message was sent by Atlassian JIRA
(v6.2#6252)