You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@jspwiki.apache.org by "Lannaud, Eric" <E....@unesco.org> on 2012/02/07 15:25:26 UTC
Edit.jsp Ok only for the LDAP group and not for the authenticate User. "local user database" and "Container-Managed Authentification"
Hi,
My config : JSPWiki v2.8.4 Ubuntu 10.04 tomcat6 6.0.24-2, sun-java6-jdk
1.6.0_26-b03 ActiveDirectory LDAP.
I use an custom authentication (Container-Managed Authentication) via
AD. It runs well.
I create a AD group for a specific role. Any user in this AD group can
rename, edit,..
The AD users who are authentificated and are not in the AD group cannot
edit the page.
Jspwiki.policy bellow doesn't work "grant principal
com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {" see the entire
file bellow
I read on the mailing list archive than there are an "overlap" between
"local user database" and "Container-Managed Authentification".
I don't find the solution.
Below my web.xml, jspwiki.policy
-------------------------------------
Web.xml (AD group cname is "eri_wiki"
-------------------------------------
<security-constraint>
<web-resource-collection>
<web-resource-name>Administrative Area</web-resource-name>
<url-pattern>/Delete.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>eri_wiki</role-name>
<role-name>Admin</role-name>
</auth-constraint>
<!--
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
-->
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Authenticated area</web-resource-name>
<url-pattern>/Edit.jsp</url-pattern>
<url-pattern>/Comment.jsp</url-pattern>
<url-pattern>/Login.jsp</url-pattern>
<url-pattern>/NewGroup.jsp</url-pattern>
<url-pattern>/Rename.jsp</url-pattern>
<url-pattern>/Upload.jsp</url-pattern>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>HEAD</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>Read-only Area</web-resource-name>
<url-pattern>/attach</url-pattern>
<http-method>DELETE</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
<role-name>eri_wiki</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/LoginForm.jsp</form-login-page>
<form-error-page>/LoginForm.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>
This logical role includes all authenticated users
</description>
<role-name>Authenticated</role-name>
</security-role>
<security-role>
<description>
This logical role includes all administrative users
</description>
<role-name>Admin</role-name>
</security-role>
<security-role>
<description>
This logical role includes all eri wiki users
</description>
<role-name>eri_wiki</role-name>
</security-role>
-----------------------------------------------------------
Jspwiki.policy
-----------------------------------------------------------
grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
"view";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"editPreferences";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"editProfile";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"login";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
"modify";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"createPages";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
"modify";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"createPages";
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*",
"view";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
"modify,rename";
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*",
"view";
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*",
"edit";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"createPages,createGroups";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "eri_wiki" {
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
"modify,rename";
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*",
"view";
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*",
"edit";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"createPages,createGroups";
};
Thanks
Eric