[ https://issues.apache.org/jira/browse/JSPWIKI-924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15046298#comment-15046298 ]
Steven Walsh commented on JSPWIKI-924:
--------------------------------------
I have been studying Security Configuration Verifier : Security Policy
Restrictions table some more and made a few changes to the jspwiki.policy for
the 'approved' user and no changes for the 'unapproved' user, so it now looks
like this:
grant principal org.apache.wiki.auth.authorize.Role "approved" {
    permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view,edit,modify,rename,upload";
    permission org.apache.wiki.auth.permissions.GroupPermission "*:*", "view,edit";
    permission org.apache.wiki.auth.permissions.WikiPermission "*", "createPages,login,editPreferences";
};
grant principal org.apache.wiki.auth.authorize.Role "unapproved" {
    permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
    permission org.apache.wiki.auth.permissions.GroupPermission "*:*", "view";
    permission org.apache.wiki.auth.permissions.WikiPermission "*", "view";
};
This allowed the 'approved' user to rename the pages they should be allowed to
rename, but attachments still fail.
It also gave the 'approved' user edit permission for all of the GroupPermission
entries in the table.
It also gave the 'approved' user permission for the wikiPermission login entry
in the table.
Again, with all of these changes, the approved user cannot add attachments.
I also noted that in the "Web Container Restrictions" section, my 'unapproved'
user is showing permission for all actions except delete pages. That is not how
it is supposed to be, as I have not changed the 'unapproved' user settings. The
'unapproved' user should only have view permissions. Although I said it was
correct in my previous comment, I won't swear to it. The "visual image" of this
table seems identical to the one in my previous comment, so I question if my
previous observation was correct. Whatever it was then, it is definitely
incorrect now.
Finally, in the last section of the Security Configuration Verifier : Users and
Group Databases section, it says it is using the jspwiki.userdatabase property
of my jspwiki.properties to verify users and groups. I do not have such an
entry in my jspwiki.properties file. The results of this section are:
UserDatabase is of type 'org.apache.wiki.auth.user.XMLUserDatabase'. It appears to be initialized properly.
The user database contains 0 users.
The user database allows new users to be created, as it should.
The user database allows users to be deleted, as it should.
The user database configuration looks fine.
GroupDatabase is of type 'org.apache.wiki.auth.authorize.XMLGroupDatabase'. It appears to be initialized properly.
The group database contains 0 groups.
The group database allows new groups to be created, as it should.
The group database allows groups to be deleted, as it should.
The group database configuration looks fine.
I did not have a userdatabase.xml or groupdatabase.xml before I started tomcat,
but an empty version of each was created at timestamp 20:26 after the
following start-up run. During the jspwiki start-up process, the following
entries are in the log file:
2015-12-07 20:15:35.588 [localhost-startStop-1] INFO WebContainerAuthorizer 388 - Examining jndi:/localhost/JSPWiki/WEB-INF/web.xml
2015-12-07 20:15:35.590 [localhost-startStop-1] DEBUG WebContainerAuthorizer 393 - Processing web.xml at jndi:/localhost/JSPWiki/WEB-INF/web.xml
2015-12-07 20:15:35.693 [localhost-startStop-1] INFO WebContainerAuthorizer 114 - JSPWiki is using container-managed authentication.
2015-12-07 20:15:35.694 [localhost-startStop-1] INFO WebContainerAuthorizer 139 - JSPWiki determined the web container manages these roles:
[org.apache.wiki.auth.authorize.Role: unapproved]
[org.apache.wiki.auth.authorize.Role: admin]
[org.apache.wiki.auth.authorize.Role: approved]
2015-12-07 20:15:35.694 [localhost-startStop-1] INFO WebContainerAuthorizer 141 - Authorizer WebContainerAuthorizer initialized successfully.
2015-12-07 20:15:35.694 [localhost-startStop-1] INFO AuthenticationManager 610 - looking for jspwiki.policy inside WEB-INF
2015-12-07 20:15:35.695 [localhost-startStop-1] INFO AuthorizationManager 500 - We found security policy URL: file:/home/testwiki/src/eclipse-workbench/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/wtpwebapps/JSPWiki/WEB-INF/jspwiki.policy and transformed it to file /home/testwiki/src/eclipse-workbench/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/wtpwebapps/JSPWiki/WEB-INF/jspwiki.policy
2015-12-07 20:15:35.747 [localhost-startStop-1] INFO AuthorizationManager 503 - Initialized default security policy: /home/testwiki/src/eclipse-workbench/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/wtpwebapps/JSPWiki/WEB-INF/jspwiki.policy
2015-12-07 20:15:35.753 [localhost-startStop-1] INFO GroupManager 153 - Attempting to load group database class org.apache.wiki.auth.authorize.XMLGroupDatabase
2015-12-07 20:15:35.756 [localhost-startStop-1] WARN XMLGroupDatabase 198 - XML group database property jspwiki.xmlGroupDatabaseFile not found; trying /home/testwiki/src/eclipse-workbench/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/wtpwebapps/JSPWiki/WEB-INF/groupdatabase.xml
2015-12-07 20:15:35.757 [localhost-startStop-1] INFO XMLGroupDatabase 206 - XML group database at /home/testwiki/src/eclipse-workbench/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/wtpwebapps/JSPWiki/WEB-INF/groupdatabase.xml
2015-12-07 20:15:35.771 [localhost-startStop-1] INFO XMLGroupDatabase 275 - Group database not found; creating from scratch...
2015-12-07 20:15:35.773 [localhost-startStop-1] INFO GroupManager 157 - Group database initialized.
2015-12-07 20:15:35.782 [localhost-startStop-1] INFO XMLGroupDatabase 275 - Group database not found; creating from scratch...
2015-12-07 20:15:35.785 [localhost-startStop-1] INFO GroupManager 243 - Authorizer GroupManager initialized successfully; loaded 0 group(s).
2015-12-07 20:15:35.816 [localhost-startStop-1] INFO DefaultAdminBeanManager 67 - Using JDK 1.5 Platform MBeanServer
2015-12-07 20:15:35.819 [localhost-startStop-1] INFO DefaultAdminBeanManager 73 - com.sun.jmx.mbeanserver.JmxMBeanServer
2015-12-07 20:15:35.820 [localhost-startStop-1] INFO DefaultAdminBeanManager 74 - DefaultDomain
2015-12-07 20:15:35.825 [localhost-startStop-1] INFO DefaultAdminBeanManager 122 - Registered new admin bean Core bean
2015-12-07 20:15:35.831 [localhost-startStop-1] INFO DefaultAdminBeanManager 122 - Registered new admin bean User administration
2015-12-07 20:15:35.834 [localhost-startStop-1] INFO DefaultAdminBeanManager 122 - Registered new admin bean Search manager
2015-12-07 20:15:35.854 [localhost-startStop-1] INFO DefaultAdminBeanManager 122 - Registered new admin bean Plugins
2015-12-07 20:15:35.859 [localhost-startStop-1] INFO DefaultAdminBeanManager 122 - Registered new admin bean Plain editor
2015-12-07 20:15:35.869 [localhost-startStop-1] INFO DefaultFilterManager 416 - Registering filters
2015-12-07 20:15:35.873 [localhost-startStop-1] DEBUG XmlUtil 73 - reading jar:file:/home/testwiki/src/eclipse-workbench/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/wtpwebapps/JSPWiki/WEB-INF/lib/jspwiki-war-2.10.1.jar!/ini/jspwiki_module.xml
... leaving out all the filter startup stuff ...
2015-12-07 20:15:36.212 [localhost-startStop-1] DEBUG WikiSession 727 - Looking up WikiSession for NULL HttpRequest: returning guestSession()
2015-12-07 20:15:36.215 [localhost-startStop-1] DEBUG WikiContext 248 - Creating WikiContext for session ID=(null); target=LeftMenuFooter
2015-12-07 20:15:36.238 [localhost-startStop-1] INFO UserManager 164 - Attempting to load user database class org.apache.wiki.auth.user.XMLUserDatabase
2015-12-07 20:15:36.241 [localhost-startStop-1] WARN AbstractUserDatabase 287 - XML user database property jspwiki.xmlUserDatabaseFile not found; trying /home/testwiki/src/eclipse-workbench/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/wtpwebapps/JSPWiki/WEB-INF/userdatabase.xml
2015-12-07 20:15:36.246 [localhost-startStop-1] INFO AbstractUserDatabase 295 - XML user database at /home/testwiki/src/eclipse-workbench/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/wtpwebapps/JSPWiki/WEB-INF/userdatabase.xml
2015-12-07 20:15:36.256 [localhost-startStop-1] INFO AbstractUserDatabase 326 - User database not found; creating from scratch...
2015-12-07 20:15:36.263 [localhost-startStop-1] INFO UserManager 168 - UserDatabase initialized.
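
Added example, not part of the original comment and not JSPWiki code: a small Python script that parses the grant blocks quoted in the comment and reports what each role receives from jspwiki.policy alone, which helps separate policy-file grants from what the verifier shows under "Web Container Restrictions" (that part comes from web.xml and is not covered here). The function names and the view-only check are assumptions made for this example.

```python
import re

# Policy text as posted in the comment above (line breaks normalised).
POLICY = '''
grant principal org.apache.wiki.auth.authorize.Role "approved" {
    permission org.apache.wiki.auth.permissions.PagePermission "*:*",
        "view,edit,modify,rename,upload";
    permission org.apache.wiki.auth.permissions.GroupPermission "*:*",
        "view,edit";
    permission org.apache.wiki.auth.permissions.WikiPermission "*",
        "createPages,login,editPreferences";
};
grant principal org.apache.wiki.auth.authorize.Role "unapproved" {
    permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
    permission org.apache.wiki.auth.permissions.GroupPermission "*:*", "view";
    permission org.apache.wiki.auth.permissions.WikiPermission "*", "view";
};
'''

# grant principal <class> "<name>" { ... };   (principal-based grants only)
GRANT_RE = re.compile(r'grant\s+principal\s+(\S+)\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
# permission <class> "<target>" [, "<actions>"];
PERM_RE = re.compile(r'permission\s+(\S+)\s+"([^"]*)"\s*(?:,\s*"([^"]*)")?\s*;', re.S)


def strip_comments(text):
    """Drop /* */ blocks and whole-line // comments allowed in policy files."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(?m)^\s*//[^\n]*', '', text)


def parse_policy(text):
    """Return {principal_name: {permission_short_name: {target: set(actions)}}}."""
    grants = {}
    for _principal_cls, name, body in GRANT_RE.findall(strip_comments(text)):
        perms = grants.setdefault(name, {})
        for perm_cls, target, actions in PERM_RE.findall(body):
            short = perm_cls.rsplit('.', 1)[-1]
            acts = {a.strip() for a in actions.split(',') if a.strip()}
            perms.setdefault(short, {}).setdefault(target, set()).update(acts)
    return grants


def excess_actions(grants, role, allowed):
    """List (permission, target, action) granted to role but not in allowed."""
    out = []
    for perm, targets in sorted(grants.get(role, {}).items()):
        for target, acts in sorted(targets.items()):
            out += [(perm, target, a) for a in sorted(acts - allowed)]
    return out


def roles_with(grants, perm, action):
    """Names of principals whose grants include action on the given permission."""
    return sorted(r for r, p in grants.items()
                  if any(action in acts for acts in p.get(perm, {}).values()))


if __name__ == '__main__':
    g = parse_policy(POLICY)
    print('upload granted to:', roles_with(g, 'PagePermission', 'upload'))
    print('unapproved beyond view:', excess_actions(g, 'unapproved', {'view'}))
```
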
> Attachments fail using JAAS SSO container authentication
> --------------------------------------------------------
>
> Key: JSPWIKI-924
> URL: https://issues.apache.org/jira/browse/JSPWIKI-924
> Project: JSPWiki
> Issue Type: Bug
> Components: Core & storage
> Affects Versions: 2.10.1
> Environment: CentOS 6.5 OS, Tomcat 7.0.42, 32-byte single line plain
> text attachment test file.
> Reporter: Steven Walsh
> Priority: Minor
> Attachments: jspwiki.policy-extract
>
>
> I'm trying to implement JSPWiki in a JAAS authentication
> SSO environment. I have installed JSPWiki and made some
> minor adjustments to the jspwiki.policy to account for
> different user role names, and everything seems to be
> working OK, except for one thing. None of the users
> (including the administrator) can add attachments to
> any of the pages. If I run the wiki standalone, (outside
> JAAS), attachments work fine.
> I'm using JSPWiki 2.10.1 with Tomcat 7.0.42 on a CentOS
> 6.5 server. My attachment test file is a one-line 32 byte text file.
> I have three basic user roles, all require JAAS authorization
> to access the wiki. User roles are admin, approved (read
> and write for most pages), and unapproved (read only).
> I'm fairly confident that the authentication methods are
> working properly as all page permissions are working as
> expected for each user type.
> But when any admin or approved user tries to add an
> attachment to any page, they get redirected to an Error.jsp
> page showing a java.lang.Exception. To try and track down
> the error source, I rewrote the AttachmentServlet class
> and added a number of additional debug messages.
> Based on what I'm seeing, it appears to me that the error
> is caused by the upload.parseRequest ( req ) returning
> an empty List<FileItem> fileItems in the upload method.
> I added a debug line to verify the contents of the request
> and it is properly populated entering the upload method,
> but it is consumed @ req.getParameter( "progressid" ).
> I commented out the use of the progress bar and found
> the request consumption moves to the context creation
> @ m_engine.createContext( req, WikiContext.ATTACH );
> Once it is consumed there, there is nothing left for the
> upload.parseRequest (req ) to read.
> I realize that I consumed the request by reading it for the
> debug message, but I only used it once per test run to
> determine where it was consumed. In the following log
> extract, that was at time 2015-11-25 14:05:41.892,
> which was after the createContext and before the
> upload.parseRequest.
> I'm inexperienced with the doFilter mechanism, and I see
> that it is part of the exception dump, and I don't know if
> that is working or not, but since upload.parseRequest ( req )
> is returning an empty fileItems list, I suspect there is
> something going on there. But I'm in over my head here.
> This is the log extract, starting right after the container JAAS
> has authorized the user.
> =================
> 2015-11-25 14:05:41.797 [http-bio-8080-exec-1] DEBUG AttachmentServlet 168 -
> UploadServlet initialized. Using /home/testwiki/storage//attach-tmp for
> temporary storage.
> 2015-11-25 14:05:41.797 [http-bio-8080-exec-1] DEBUG SessionMonitor 117 -
> Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7...
> found it
> 2015-11-25 14:05:41.797 [http-bio-8080-exec-1] DEBUG WikiSession 851 - Custom
> com.apache.wiki.WikiSession.isIPV4Address has been entered
> 2015-11-25 14:05:41.798 [http-bio-8080-exec-1] DEBUG SessionMonitor 117 -
> Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7...
> found it
> 2015-11-25 14:05:41.798 [http-bio-8080-exec-1] DEBUG SessionMonitor 117 -
> Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7...
> found it
> 2015-11-25 14:05:41.798 [http-bio-8080-exec-1] DEBUG WikiServletFilter 164 -
> Executed security filters for user=AdminUser, path=/TestWiki/attach
> 2015-11-25 14:05:41.799 [http-bio-8080-exec-1] DEBUG AttachmentServlet 437 -
> AttachmentServlet doPost entered
> 2015-11-25 14:05:41.799 [http-bio-8080-exec-1] DEBUG AttachmentServlet 490 -
> AttachmentServlet upload entered
> 2015-11-25 14:05:41.820 [http-bio-8080-exec-1] DEBUG AttachmentServlet 509 -
> AttachmentServlet upload; starting try
> 2015-11-25 14:05:41.887 [http-bio-8080-exec-1] DEBUG SessionMonitor 117 -
> Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7...
> found it
> 2015-11-25 14:05:41.888 [http-bio-8080-exec-1] DEBUG WikiContext 248 -
> Creating WikiContext for session ID=8974D02E77F76467ACB66B0EAC09C4D7;
> target=Main
> 2015-11-25 14:05:41.892 [http-bio-8080-exec-1] DEBUG AttachmentServlet 515 -
> AttachmentServlet upload; after wikiContext req=
> 2015-11-25 14:05:41.903 [http-bio-8080-exec-1] DEBUG AttachmentServlet 535 -
> AttachmentServlet upload; fileItems.size()=0
> 2015-11-25 14:05:41.903 [http-bio-8080-exec-1] DEBUG AttachmentServlet 536 -
> AttachmentServlet upload; before for loop
> 2015-11-25 14:05:41.903 [http-bio-8080-exec-1] DEBUG AttachmentServlet 579 -
> AttachmentServlet upload; after for loop
> 2015-11-25 14:05:41.903 [http-bio-8080-exec-1] DEBUG AttachmentServlet 583 -
> AttachmentServlet upload; fileItems size was 0; doing redirect to errorPage
> 2015-11-25 14:05:41.904 [http-bio-8080-exec-1] DEBUG AttachmentServlet 640 -
> AttachmentServlet upload; after multiple catch, in finally
> 2015-11-25 14:05:41.904 [http-bio-8080-exec-1] DEBUG SessionMonitor 117 -
> Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7...
> found it
> 2015-11-25 14:05:41.904 [http-bio-8080-exec-1] DEBUG AttachmentServlet 451 -
> AttachmentServlet doPost catch doing redirect
> 2015-11-25 14:05:41.904 [http-bio-8080-exec-1] DEBUG AttachmentServlet 454 -
> AttachmentServlet doPost exiting
> 2015-11-25 14:05:41.944 [http-bio-8080-exec-2] DEBUG WikiServletFilter 107 -
> Using ByteArrayResponseWrapper
> 2015-11-25 14:05:41.944 [http-bio-8080-exec-2] DEBUG SessionMonitor 117 -
> Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7...
> found it
> 2015-11-25 14:05:41.945 [http-bio-8080-exec-2] DEBUG WikiSession 851 - Custom
> com.apache.wiki.WikiSession.isIPV4Address has been entered
> 2015-11-25 14:05:41.945 [http-bio-8080-exec-2] DEBUG SessionMonitor 117 -
> Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7...
> found it
> 2015-11-25 14:05:41.945 [http-bio-8080-exec-2] DEBUG SessionMonitor 117 -
> Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7...
> found it
> 2015-11-25 14:05:41.945 [http-bio-8080-exec-2] DEBUG WikiServletFilter 164 -
> Executed security filters for user=AdminUser, path=/TestWiki/Error.jsp
> 2015-11-25 14:05:41.963 [http-bio-8080-exec-2] DEBUG SessionMonitor 117 -
> Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7...
> found it
> 2015-11-25 14:05:41.965 [http-bio-8080-exec-2] DEBUG WikiContext 248 -
> Creating WikiContext for session ID=8974D02E77F76467ACB66B0EAC09C4D7;
> target=Error
> 2015-11-25 14:05:41.966 [http-bio-8080-exec-2] DEBUG JSPWiki 125 - Error.jsp
> exception is:
> 2015-11-25 14:05:41.967 [http-bio-8080-exec-2] ERROR WikiTagBase 84 -
> WikiTagBase pageContext IS NOT NULL
> 2015-11-25 14:05:41.970 [http-bio-8080-exec-2] ERROR WikiTagBase 97 - Tag
> failed
> javax.servlet.jsp.JspException: WikiContext may not be NULL - serious
> internal problem!
> at org.apache.wiki.tags.WikiTagBase.doStartTag(WikiTagBase.java:90)
> at
> org.apache.jsp.Error_jsp._jspx_meth_wiki_005fMessages_005f0(Error_jsp.java:193)
>
> at org.apache.jsp.Error_jsp._jspService(Error_jsp.java:138)
> at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> at
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
>
> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>
> at org.apache.wiki.ui.WikiServletFilter.doFilter(WikiServletFilter.java:177)
> at org.apache.wiki.ui.WikiJSPFilter.doFilter(WikiJSPFilter.java:121)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
>
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
>
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
>
> at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
> at
> org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:341)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
> at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
>
> at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>
> at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
>
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>
> at java.lang.Thread.run(Thread.java:724)
> 2015-11-25 14:05:41.973 [http-bio-8080-exec-2] ERROR WikiTagBase 116 - Tag
> failed, check logs: WikiContext may not be NULL - serious internal problem!
> javax.servlet.jsp.JspException: Tag failed, check logs: WikiContext may not
> be NULL - serious internal problem!
> at org.apache.wiki.tags.WikiTagBase.doStartTag(WikiTagBase.java:98)
> at
> org.apache.jsp.Error_jsp._jspx_meth_wiki_005fMessages_005f0(Error_jsp.java:193)
>
> at org.apache.jsp.Error_jsp._jspService(Error_jsp.java:138)
> at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> at
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
>
> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>
> at org.apache.wiki.ui.WikiServletFilter.doFilter(WikiServletFilter.java:177)
> at org.apache.wiki.ui.WikiJSPFilter.doFilter(WikiJSPFilter.java:121)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
>
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
>
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
>
> at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
> at
> org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:341)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
> at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
>
> at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>
> at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
>
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>
> at java.lang.Thread.run(Thread.java:724)