I have just upgraded our internal wiki to 2.6.1-cvs-7 and am puzzled by
something.
I'm using container-based authentication (under JBoss). I have set this
up to use both LDAP and JDBC to authenticate users. LDAP holds the
internal users, and the database holds the external users. The initial
role I gave the external users was "WikiUser". This role is in turn
specified in both web.xml and the jspwiki.policy file, and is supposed
to give read-only access to the wiki. In contrast, the "Authenticated"
role is allowed read-write access and is used by the internal users.
What I have found though is that the system behaves as if every user who
has authenticated successfully is implicitly a member of role
'Authenticated' even though the users had not been explicitly given
this role. I was able to confirm this by switching things around, so
that the Authenticated role only gave them view privileges, and to get
read/write access required being a member of role 'WikiEditor', which
had its own rights granted in the policy file.
Is this intentional? I.e., changing the standard role names in the
policy file to something else doesn't necessarily work correctly.
Also, I assume that privileges are additive, in that if you are a member
of some extra role, you will get whatever rights are granted by that
role in the policy file in addition to whatever rights are granted by
the Authenticated role?
Thanks,
Milt.
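The behaviour described in the post, modelled as an added example (not part of the original message and not JSPWiki code): every logged-in user carries the Authenticated role implicitly, and permissions are the union of all role grants, which is the additive reading the post assumes. The permission names and the two policy dictionaries are constructed for illustration.

```python
"""Model of the role behaviour described in the post (not JSPWiki code)."""

# Role the post observes on every successfully authenticated user.
IMPLICIT_ROLE = "Authenticated"

# Constructed policies: role name -> permissions granted in the policy file.
ORIGINAL_POLICY = {
    "Authenticated": {"view", "edit"},  # meant for internal (LDAP) users
    "WikiUser": {"view"},               # meant to be read-only (external users)
}
SWITCHED_POLICY = {
    "Authenticated": {"view"},          # baseline for anyone who logs in
    "WikiEditor": {"view", "edit"},     # read/write needs an explicit role
}


def effective_roles(assigned_roles):
    """Roles in force after login: the assigned ones plus the implicit one."""
    return set(assigned_roles) | {IMPLICIT_ROLE}


def effective_permissions(policy, assigned_roles):
    """Additive evaluation (assumed): union of grants over every role in force."""
    perms = set()
    for role in effective_roles(assigned_roles):
        perms |= policy.get(role, set())
    return perms


def unintended_grants(policy, assigned_roles):
    """Permissions the user holds that none of their assigned roles grant."""
    intended = set()
    for role in assigned_roles:
        intended |= policy.get(role, set())
    return effective_permissions(policy, assigned_roles) - intended


if __name__ == "__main__":
    # External user with only WikiUser: the implicit role leaks "edit".
    print(sorted(unintended_grants(ORIGINAL_POLICY, ["WikiUser"])))
    # After switching, a plain login is read-only and WikiEditor adds "edit".
    print(sorted(effective_permissions(SWITCHED_POLICY, [])))
    print(sorted(effective_permissions(SWITCHED_POLICY, ["WikiEditor"])))
```

Under this model a read-only role can only stay read-only if the implicit role grants no more than the most restricted user should have.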
- Is the Authenticated role name "hard wired?" Milton Taylor