[jira] [Commented] (JSPWIKI-924) Attachments fail using JAAS SSO container authentication

JIRA Wed, 09 Dec 2015 01:34:28 -0800

    [ 
https://issues.apache.org/jira/browse/JSPWIKI-924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15048372#comment-15048372
 ]


Juan Pablo Santos Rodríguez commented on JSPWIKI-924:
-----------------------------------------------------

Hi Steven,

lot of things on your last comments, so taking one by one. First and foremost, 
using your policy:

{code}
grant principal org.apache.wiki.auth.authorize.Role "approved" { 
    permission org.apache.wiki.auth.permissions.PagePermission "*:*", 
"view,edit,modify,rename,upload"; 
    permission org.apache.wiki.auth.permissions.GroupPermission "*:*", 
"view,edit"; 
    permission org.apache.wiki.auth.permissions.WikiPermission "*", 
"createPages,login,editPreferences"; 
};

grant principal org.apache.wiki.auth.authorize.Role "unapproved" { 
    permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view"; 
    permission org.apache.wiki.auth.permissions.GroupPermission "*:*", "view"; 
    permission org.apache.wiki.auth.permissions.WikiPermission "*", "view"; 
};
{code}

I was able to successfully attach files, so something is going on with the 
authentication mechanism (note that you could simplify the policy as [some 
permissions imply 
others|https://jspwiki-wiki.apache.org/Wiki.jsp?page=Wiki.Admin.Security#section-Wiki.Admin.Security-ImpliedPermissions]).
 Would you mind, on your custom authentication class, checking the roles 
assigned to a user when you're on JSPWiki?  Specifically, when you're editing, 
renaming and attaching a file. First case is to test a given permission, second 
one imlpies upload attachments, and the third one to compare with the other two.

as for the xml files of users and groups, they're harmless, as you're using web 
auth. They get created b/c they're used when you're not using container auth.

regarding the incorrect link, don't think it'll help you're case, since it just 
tells how to configure your tomcat, but I'll edit my comment and fix it for 
future references.

br,
juan pablo

> Attachments fail using JAAS SSO container authentication
> --------------------------------------------------------
>
>                 Key: JSPWIKI-924
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-924
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Core & storage
>    Affects Versions: 2.10.1
>         Environment: CentOS 6.5 OS, Tomcat 7.0.42, 32-byte single line plain 
> text attachment test file.
>            Reporter: Steven Walsh
>            Priority: Minor
>         Attachments: jspwiki.policy-extract
>
>
> I'm trying to implement JSPWiki in a JAAS authentication 
> SSO environment. I have installed JSPWiki and made some 
> minor adjustments to the jspwiki.policy to account for 
> different user role names, and everything seems to be 
> working OK, except for one thing. None of the users 
> (including the administrator) can add attachments to 
> any of the pages. If I run the wiki standalone, (outside 
> JAAS), attachments work fine. 
> I'm using JSPWiki 2.10.1 with Tomcat 7.0.42 on a CentOS 
> 6.5 server. My attachment test file is a one-line 32 byte text file. 
> I have three basic user roles, all require JAAS authorization 
> to access the wiki. User roles are admin, approved (read 
> and write for most pages), and unapproved (read only). 
> I'm fairly confident that the authentication methods are 
> working properly as all page permissions are working as 
> expected for each user type. 
> But when any admin or approved user tries to add an 
> attachment to any page, they get redirected to an Error.jsp 
> page showing a java.lang.Exception. To try and track down 
> the error source, I rewrote the AttachmentServlet class 
> and added a number of additional debug messages. 
> Based on what I'm seeing, it appears to me that the error 
> is caused by the upload.parseRequest ( req ) returning 
> an empty List<FileItem> fileItems in the upload method. 
> I added a debug line to verify the contents of the request 
> and it is properly populated entering the upload method, 
> but it is consumed @ req.getParameter( "progressid" ). 
> I commented out the use of the progress bar and found 
> the request consumption moves to the context creation 
> @ m_engine.createContext( req, WikiContext.ATTACH ); 
> Once it is consumed there, there is nothing left for the 
> upload.parseRequest (req ) to read. 
> I realize that I consumed the request by reading it for the 
> debug message, but I only used it once per test run to 
> determine where it was consumed. In the following log 
> extract, that was at time 2015-11-25 14:05:41.892, 
> which was after the createContext and before the 
> upload.parseRequest. 
> I'm inexperienced with the doFilter mechanism, and I see 
> that it is part of the exception dump, and I don't know if 
> that is working or not, but since upload.parseRequest ( req ) 
> is returning an empty fileItems list, I suspect there is 
> something going on there. But I'm in over my head here. 
> This is the log extract, starting right after the container JAAS 
> has authorized the user. 
> ================= 
> 2015-11-25 14:05:41.797 [http-bio-8080-exec-1] DEBUG AttachmentServlet 168 - 
> UploadServlet initialized. Using /home/testwiki/storage//attach-tmp for 
> temporary storage. 
> 2015-11-25 14:05:41.797 [http-bio-8080-exec-1] DEBUG SessionMonitor 117 - 
> Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7... 
> found it 
> 2015-11-25 14:05:41.797 [http-bio-8080-exec-1] DEBUG WikiSession 851 - Custom 
> com.apache.wiki.WikiSession.isIPV4Address has been entered 
> 2015-11-25 14:05:41.798 [http-bio-8080-exec-1] DEBUG SessionMonitor 117 - 
> Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7... 
> found it 
> 2015-11-25 14:05:41.798 [http-bio-8080-exec-1] DEBUG SessionMonitor 117 - 
> Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7... 
> found it 
> 2015-11-25 14:05:41.798 [http-bio-8080-exec-1] DEBUG WikiServletFilter 164 - 
> Executed security filters for user=AdminUser, path=/TestWiki/attach 
> 2015-11-25 14:05:41.799 [http-bio-8080-exec-1] DEBUG AttachmentServlet 437 - 
> AttachmentServlet doPost entered 
> 2015-11-25 14:05:41.799 [http-bio-8080-exec-1] DEBUG AttachmentServlet 490 - 
> AttachmentServlet upload entered 
> 2015-11-25 14:05:41.820 [http-bio-8080-exec-1] DEBUG AttachmentServlet 509 - 
> AttachmentServlet upload; starting try 
> 2015-11-25 14:05:41.887 [http-bio-8080-exec-1] DEBUG SessionMonitor 117 - 
> Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7... 
> found it 
> 2015-11-25 14:05:41.888 [http-bio-8080-exec-1] DEBUG WikiContext 248 - 
> Creating WikiContext for session ID=8974D02E77F76467ACB66B0EAC09C4D7; 
> target=Main 
> 2015-11-25 14:05:41.892 [http-bio-8080-exec-1] DEBUG AttachmentServlet 515 - 
> AttachmentServlet upload; after wikiContext req= 
> 2015-11-25 14:05:41.903 [http-bio-8080-exec-1] DEBUG AttachmentServlet 535 - 
> AttachmentServlet upload; fileItems.size()=0 
> 2015-11-25 14:05:41.903 [http-bio-8080-exec-1] DEBUG AttachmentServlet 536 - 
> AttachmentServlet upload; before for loop 
> 2015-11-25 14:05:41.903 [http-bio-8080-exec-1] DEBUG AttachmentServlet 579 - 
> AttachmentServlet upload; after for loop 
> 2015-11-25 14:05:41.903 [http-bio-8080-exec-1] DEBUG AttachmentServlet 583 - 
> AttachmentServlet upload; fileItems size was 0; doing redirect to errorPage 
> 2015-11-25 14:05:41.904 [http-bio-8080-exec-1] DEBUG AttachmentServlet 640 - 
> AttachmentServlet upload; after multiple catch, in finally 
> 2015-11-25 14:05:41.904 [http-bio-8080-exec-1] DEBUG SessionMonitor 117 - 
> Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7... 
> found it 
> 2015-11-25 14:05:41.904 [http-bio-8080-exec-1] DEBUG AttachmentServlet 451 - 
> AttachmentServlet doPost catch doing redirect 
> 2015-11-25 14:05:41.904 [http-bio-8080-exec-1] DEBUG AttachmentServlet 454 - 
> AttachmentServlet doPost exiting 
> 2015-11-25 14:05:41.944 [http-bio-8080-exec-2] DEBUG WikiServletFilter 107 - 
> Using ByteArrayResponseWrapper 
> 2015-11-25 14:05:41.944 [http-bio-8080-exec-2] DEBUG SessionMonitor 117 - 
> Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7... 
> found it 
> 2015-11-25 14:05:41.945 [http-bio-8080-exec-2] DEBUG WikiSession 851 - Custom 
> com.apache.wiki.WikiSession.isIPV4Address has been entered 
> 2015-11-25 14:05:41.945 [http-bio-8080-exec-2] DEBUG SessionMonitor 117 - 
> Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7... 
> found it 
> 2015-11-25 14:05:41.945 [http-bio-8080-exec-2] DEBUG SessionMonitor 117 - 
> Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7... 
> found it 
> 2015-11-25 14:05:41.945 [http-bio-8080-exec-2] DEBUG WikiServletFilter 164 - 
> Executed security filters for user=AdminUser, path=/TestWiki/Error.jsp 
> 2015-11-25 14:05:41.963 [http-bio-8080-exec-2] DEBUG SessionMonitor 117 - 
> Looking up WikiSession for session ID=8974D02E77F76467ACB66B0EAC09C4D7... 
> found it 
> 2015-11-25 14:05:41.965 [http-bio-8080-exec-2] DEBUG WikiContext 248 - 
> Creating WikiContext for session ID=8974D02E77F76467ACB66B0EAC09C4D7; 
> target=Error 
> 2015-11-25 14:05:41.966 [http-bio-8080-exec-2] DEBUG JSPWiki 125 - Error.jsp 
> exception is: 
> 2015-11-25 14:05:41.967 [http-bio-8080-exec-2] ERROR WikiTagBase 84 - 
> WikiTagBase pageContext IS NOT NULL 
> 2015-11-25 14:05:41.970 [http-bio-8080-exec-2] ERROR WikiTagBase 97 - Tag 
> failed 
> javax.servlet.jsp.JspException: WikiContext may not be NULL - serious 
> internal problem! 
> at org.apache.wiki.tags.WikiTagBase.doStartTag(WikiTagBase.java:90) 
> at 
> org.apache.jsp.Error_jsp._jspx_meth_wiki_005fMessages_005f0(Error_jsp.java:193)
>  
> at org.apache.jsp.Error_jsp._jspService(Error_jsp.java:138) 
> at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) 
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:728) 
> at 
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
>  
> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390) 
> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334) 
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:728) 
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>  
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>  
> at org.apache.wiki.ui.WikiServletFilter.doFilter(WikiServletFilter.java:177) 
> at org.apache.wiki.ui.WikiJSPFilter.doFilter(WikiJSPFilter.java:121) 
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
>  
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>  
> at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
>  
> at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
>  
> at 
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>  
> at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) 
> at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99) 
> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953) 
> at 
> org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:341) 
> at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>  
> at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) 
> at 
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
>  
> at 
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>  
> at 
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
>  
> at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>  
> at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>  
> at java.lang.Thread.run(Thread.java:724) 
> 2015-11-25 14:05:41.973 [http-bio-8080-exec-2] ERROR WikiTagBase 116 - Tag 
> failed, check logs: WikiContext may not be NULL - serious internal problem! 
> javax.servlet.jsp.JspException: Tag failed, check logs: WikiContext may not 
> be NULL - serious internal problem! 
> at org.apache.wiki.tags.WikiTagBase.doStartTag(WikiTagBase.java:98) 
> at 
> org.apache.jsp.Error_jsp._jspx_meth_wiki_005fMessages_005f0(Error_jsp.java:193)
>  
> at org.apache.jsp.Error_jsp._jspService(Error_jsp.java:138) 
> at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) 
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:728) 
> at 
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
>  
> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390) 
> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334) 
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:728) 
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>  
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>  
> at org.apache.wiki.ui.WikiServletFilter.doFilter(WikiServletFilter.java:177) 
> at org.apache.wiki.ui.WikiJSPFilter.doFilter(WikiJSPFilter.java:121) 
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
>  
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>  
> at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
>  
> at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
>  
> at 
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>  
> at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) 
> at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99) 
> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953) 
> at 
> org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:341) 
> at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>  
> at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) 
> at 
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
>  
> at 
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>  
> at 
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
>  
> at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>  
> at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>  
> at java.lang.Thread.run(Thread.java:724) 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (JSPWIKI-924) Attachments fail using JAAS SSO container authentication

Reply via email to