Posted to user@jspwiki.apache.org by "Carlson, Eric R" <er...@kroger.com> on 2009/03/31 21:03:14 UTC

RE: ALLOW tag not working properly

All,

        Sorry for the long delay, but I'm getting requested to look into this problem again, and I haven't been looking at it for a month.  I ran admin/SecurityConfig.jsp and it didn't advise of any errors.  So I set up security logging and set the security level to DEBUG.  The security log doesn't seem to kick out any messages when I access the page with the ALLOW directive.  The last message that appears here was put into the security log before I accessed the page with the ALLOW directives.

        Here's the total security log :

2009-03-31 14:50:44,201 DEBUG - WikiSecurityEvent.UNKNOWN (32) [source=com.ecyrd.jspwiki.auth.AuthenticationManager@3fa63fa6, princpal=com.ecyrd.jspwiki.auth.WikiPrincipal Eric R. Carlson, target=com.ecyrd.jspwiki.WikiSession@69b669b6]

2009-03-31 14:51:16,063 DEBUG - WikiSecurityEvent.UNKNOWN (32) [source=com.ecyrd.jspwiki.auth.AuthenticationManager@3fa63fa6, princpal=com.ecyrd.jspwiki.auth.WikiPrincipal Eric R. Carlson, target=com.ecyrd.jspwiki.WikiSession@69b669b6]

2009-03-31 14:51:42,793 DEBUG - WikiSecurityEvent.UNKNOWN (32) [source=com.ecyrd.jspwiki.auth.AuthenticationManager@3fa63fa6, princpal=com.ecyrd.jspwiki.auth.WikiPrincipal Eric R. Carlson, target=com.ecyrd.jspwiki.WikiSession@69b669b6]

2009-03-31 14:51:50,608 DEBUG - WikiSecurityEvent.UNKNOWN (32) [source=com.ecyrd.jspwiki.auth.AuthenticationManager@3fa63fa6, princpal=com.ecyrd.jspwiki.auth.WikiPrincipal Eric R. Carlson, target=com.ecyrd.jspwiki.WikiSession@69b669b6]

2009-03-31 14:51:50,952 INFO - WikiSecurityEvent.LOGIN_AUTHENTICATED [source=com.ecyrd.jspwiki.auth.AuthenticationManager@3fa63fa6, princpal=com.ibm.security.auth.OS390UserPrincipal XK00033, target=com.ecyrd.jspwiki.WikiSession@69b669b6]

2009-03-31 14:51:50,960 DEBUG - WikiSecurityEvent.LOGIN_AUTHENTICATED [source=com.ecyrd.jspwiki.auth.AuthenticationManager@3fa63fa6, princpal=com.ibm.security.auth.OS390UserPrincipal XK00033, target=com.ecyrd.jspwiki.WikiSession@69b669b6]

2009-03-31 14:51:51,035 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD [source=com.ecyrd.jspwiki.auth.AuthenticationManager@3fa63fa6, princpal=com.ibm.security.auth.OS390UserPrincipal XK00033, target=com.ecyrd.jspwiki.WikiSession@69b669b6]

        Any ideas as to why the ALLOW tag isn't preventing access to my test page?

                                                Eric R. Carlson
                                                        Eric.Carlson@kroger.com

-----Original Message-----
From: Harry Metske [mailto:harry.metske@gmail.com]
Sent: Thursday, February 12, 2009 12:09 PM
To: jspwiki-user@incubator.apache.org
Subject: Re: ALLOW tag not working properly

well, that is completely correct.
So, if you think SecurityConfig.jsp does not reveal any misconfig or
something like that, I would start with the second step, which is turning on
debug, and see what the security.log says.

Harry


2009/2/12 Carlson, Eric R <er...@kroger.com>

> I was able to get the admin/SecurityConfig.jsp page working.  It gives me a
> ton of information - more than I can easily digest at first glance.   I'll
> be happy to share it with anyone who might be able to help, but I don't feel
> real comfortable sending the output to the mailing list because of security
> concerns.   If nothing else, it doesn't appear to find any security
> problems.
>
> But I guess I'm a little confused about the way the [{ALLOW view userid}]
> functions.   Since it is part of the JSPWiki page text, I would think it
> would have to be processed at the level where the page is being viewed, not
> through the security setup.   The security setup would decide whether a user
> is allowed to view or edit pages in general.   I would imagine that the
> [{ALLOW view userid}] tag works after a user is attempting to pull up the
> page in question - more at the JSPWiki level than at the security level.
>
>                                                Eric R. Carlson
>                                                        The Kroger Company
>
> -----Original Message-----
> From: Harry Metske [mailto:harry.metske@gmail.com]
> Sent: Tuesday, February 10, 2009 12:25 PM
> To: jspwiki-user@incubator.apache.org
> Subject: Re: ALLOW tag not working properly
>
> Maybe you can first check a couple of things :
>
> Invoke the admin/SecurityConfig.jsp, it will tell you a lot about your
> security settings.
> (for that to work you need to set jspwiki-x.securityconfig.enable=true in
> jspwiki.properties)
>
> If that does not give any clue, you should increase debug level, you can set
> this in jspwiki.properties (at the bottom), recycle the wiki, and see if the
> log reveals the cause of the problem.
>
> regards,
> Harry
>
> 2009/2/10 Carlson, Eric R <er...@kroger.com>
>
> > I'm running JSPWiki 2.8.1 under z/OS 1.9 with a pretty-much out-of-the-box
> > implementation.   The only change I've made to the security settings is to
> > limit page edits to authenticated users.
> >
> > I'm trying to limit access to certain pages by issuing the [{ALLOW edit
> > userid}] and [{ALLOW view userid}] statements in the source, but they don't
> > seem to be working at all.  Anybody can view or edit the page I create.
> > I've tried putting the statements at the beginning and the end of the page,
> > but neither seems to make any difference.
> >
> > Any thoughts anybody might have would be greatly appreciated.
> >
> >                                                Eric Carlson
> >                                                The Kroger Company
> >
> >
> >
> > ________________________________
> > This e-mail message, including any attachments, is for the sole use of the
> > intended recipient(s) and may contain information that is confidential and
> > protected by law from unauthorized disclosure. Any unauthorized review, use,
> > disclosure or distribution is prohibited. If you are not the intended
> > recipient, please contact the sender by reply e-mail and destroy all copies
> > of the original message.
> >
>

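The question running through this thread is what a page-level [{ALLOW view ...}] directive is supposed to decide, and why a page can end up viewable by everyone. The following is an added example written for this thread, not JSPWiki's own code: it parses ALLOW directives out of a constructed page source, pulls the principal names out of security.log lines of the same shape as the ones quoted above (constructed copies, including the log's own "princpal" spelling), and applies a deliberately simplified rule: if the page carries no directive for the action, the wiki-wide default applies (the `default_allow` flag stands in for whatever jspwiki.policy grants); if it does, only a name the session actually carries gets in. The page text, the log lines, the `default_allow` flag and the function names are all assumptions for the example.

```python
import re

# Constructed page source (not from the thread): one view ACL and one edit ACL
# in the [{ALLOW action principals}] form the thread discusses.
SAMPLE_PAGE_WITH_ACL = """!!! Project notes
[{ALLOW view Eric R. Carlson}]
[{ALLOW edit XK00033}]
Some restricted content.
"""

# A page with no ALLOW directive at all: the decision falls back to the
# wiki-wide default, which in an out-of-the-box install lets anyone view.
SAMPLE_PAGE_NO_ACL = "!!! Public notes\nNothing restricted here.\n"

# Two security.log lines of the shape quoted in the thread (constructed copies).
# The field really is printed as "princpal" in that log output.
SAMPLE_SECURITY_LOG = [
    "2009-03-31 14:51:50,608 DEBUG - WikiSecurityEvent.UNKNOWN (32) "
    "[source=com.ecyrd.jspwiki.auth.AuthenticationManager@3fa63fa6, "
    "princpal=com.ecyrd.jspwiki.auth.WikiPrincipal Eric R. Carlson, "
    "target=com.ecyrd.jspwiki.WikiSession@69b669b6]",
    "2009-03-31 14:51:51,035 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD "
    "[source=com.ecyrd.jspwiki.auth.AuthenticationManager@3fa63fa6, "
    "princpal=com.ibm.security.auth.OS390UserPrincipal XK00033, "
    "target=com.ecyrd.jspwiki.WikiSession@69b669b6]",
]

# [{ALLOW <action> <name>[, <name>...]}]
ACL_RE = re.compile(r"\[\{\s*ALLOW\s+(\w+)\s+([^}]*)\}\]", re.IGNORECASE)
# "princpal=<class> <name>, target=" as it appears in the log lines above
PRINCIPAL_RE = re.compile(r"princpal=(\S+)\s+(.+?),\s*target=")


def parse_acl(page_source):
    """Map each action (view, edit, ...) to the principal names its ALLOW directive lists."""
    acl = {}
    for action, names in ACL_RE.findall(page_source):
        entries = [n.strip() for n in names.split(",") if n.strip()]
        acl.setdefault(action.lower(), []).extend(entries)
    return acl


def session_principals(log_lines):
    """Collect the distinct (principal class, name) pairs the security.log shows
    being attached to the session, in order of first appearance."""
    found = []
    for line in log_lines:
        m = PRINCIPAL_RE.search(line)
        if m and (m.group(1), m.group(2)) not in found:
            found.append((m.group(1), m.group(2)))
    return found


def check_access(acl, action, principal_names, default_allow=True):
    """Simplified page-level ACL decision (assumed model, not JSPWiki's code).

    No ALLOW directive for the action -> the wiki-wide default decides.
    A directive is present -> allowed only if one of the session's names is listed.
    Returns (allowed, names_that_matched).
    """
    if action not in acl:
        return default_allow, []
    matched = [name for name in principal_names if name in acl[action]]
    return bool(matched), matched


def diagnose(page_source, log_lines, action, default_allow=True):
    """Combine the page's ACL with the principals the log shows for the session."""
    acl = parse_acl(page_source)
    names = [name for _, name in session_principals(log_lines)]
    allowed, matched = check_access(acl, action, names, default_allow)
    return {"acl": acl, "session_names": names, "allowed": allowed, "matched": matched}


if __name__ == "__main__":
    print(diagnose(SAMPLE_PAGE_WITH_ACL, SAMPLE_SECURITY_LOG, "view"))
    print(check_access(parse_acl(SAMPLE_PAGE_WITH_ACL), "view", ["Anonymous"]))
    print(check_access(parse_acl(SAMPLE_PAGE_NO_ACL), "view", ["Anonymous"]))
```

Two things the output makes visible in this model: a page whose directive does not parse is indistinguishable from a page with no directive, so the decision silently falls back to the default and everyone can view, which is the symptom described above; and a directive only matches a name the session actually carries, so the spelling in the directive has to line up with one of the principal names the log shows for that session.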

Re: ALLOW tag not working properly

Posted by Harry Metske <ha...@gmail.com>.
Eric,

it is difficult to diagnose from this information.
If you have concerns posting more security related information here, you
might consider filing a security JIRA issue, as long as the issue remains
labeled as security exposure it is only visible to committers and JIRA
administrators and not to everybody on the user and dev list.
We should remove all this information again before closing the issue.

Material that could be useful for diagnosis:
- jspwiki.policy file
- jspwiki.properties file
- output (html) from admin/SecurityConfig.jsp
- debug level jspwiki.log
- debug level security.log
- the source of the page that "fails"

regards,
Harry
