Andrew,
I guess I'm confused - I'm running version 2.8.1, which I thought is the same version that has been out there since release... The download page says it dates from 21-Nov-2008. Are you referring to a different version, version 3?
Eric R. Carlson
[email protected]
(513)-387-7739
-----Original Message-----
From: Andrew Jaquith [mailto:[email protected]]
Sent: Friday, April 10, 2009 12:49 PM
To: [email protected]
Subject: Re: Allow tag does not restrict access
Eric -- you've provided me with enough information to try to verify your issue. I'll try to do that over the next few days.
In the meantime, could you try the latest nightly build, and see if it produces different results?
Regards, Andrew
On Fri, Apr 10, 2009 at 10:35 AM, Carlson, Eric R
<[email protected]> wrote:
I've been having the exact same problem, and haven't been making any headway on it, so I've gone over the FAQ to see if I can find the cause.
First, I'm running JSPWiki 2.8.1.
I have two user-ids I can access. One is defined as an administrator, the second one isn't. I was able to verify this by logging on to both of them, going into 'My Prefs', and clicking on the 'Profile' tab. UserA shows: Roles - All, Authenticated; Groups - None. UserB shows: Roles - All, Authenticated; Groups - Admin.
I am not currently able to run the SecurityConfig.jsp application (see my other message), so I can't include the output here.
I have enabled the security log, and set the logging level to DEBUG. While I see messages in the log each time I log in, I don't see any sort of messages in the security log when I access a new page. I'm not sure if I should expect to see such messages, but the FAQ says to check the security log, and I don't see anything there, other than logon messages.
I've also cleared all cookies and temporary internet files, and still get the same problem.
Here's what I have configured in jspwiki.policy :
--------------------------------
grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile"
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
};
grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
-------------------------------
Eric R. Carlson
[email protected]
-----Original Message-----
From: Harry Metske [mailto:[email protected]]
Sent: Friday, April 10, 2009 4:23 AM
To: [email protected]; [email protected]
Subject: Re: Allow tag does not restrict access
Since we get quite a few of these questions, I started a FAQ on Authorization:
http://www.jspwiki.org/wiki/FAQAuthorization
feel free to add content........
Harry
2009/4/9 Bhavani <[email protected]>
Hi,
We recently started implementing jspwiki. JAAS security is enabled and everything works fine. But I am not able to control access to page edits using the allow tag. Also everyone is able to edit the admin group. Even people who are not members of the group can edit the group. So please help me with the following questions.
1. What am I missing that the allow tag is not working as it should be?
2. Is there a way to control non-members from editing the groups?
-Bhavani
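A check of the grant syntax in the jspwiki.policy excerpt quoted in this thread, as an added example that is not part of the original messages or of JSPWiki's code: standard Java policy-file syntax terminates every permission entry with a semicolon, and the "editProfile" entry as posted has none. The function name, finding labels and sample text are constructed for illustration; how JSPWiki 2.8.1 treats such an entry is not stated in the thread.

```python
import re

# Constructed sample: a trimmed copy of the grant syntax quoted in the thread,
# including the "editProfile" entry that has no terminating semicolon.
SAMPLE_POLICY = '''
grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile"
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
};
grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
'''

COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*', re.S)
GRANT_RE = re.compile(r'grant\s+principal\s+(\S+)\s+"([^"]*)"\s*\{(.*?)\}\s*;', re.S)
# Match the keyword only, not ".permissions." inside a package name.
ENTRY_SPLIT_RE = re.compile(r'(?<![\w.])permission\s+')

def lint_policy(text):
    """Return (principal, finding, entry) tuples for one policy file's text."""
    findings = []
    for cls, name, body in GRANT_RE.findall(COMMENT_RE.sub('', text)):
        who = '%s "%s"' % (cls.rsplit('.', 1)[-1], name)
        # Splitting on the keyword keeps an unterminated entry from
        # swallowing the entry that follows it.
        entries = [e.strip() for e in ENTRY_SPLIT_RE.split(body) if e.strip()]
        if not entries:
            findings.append((who, 'empty', ''))  # informational: grants nothing
        for entry in entries:
            if not entry.endswith(';'):
                findings.append((who, 'unterminated', entry))
            if entry.split()[0].endswith('.AllPermission'):
                findings.append((who, 'all-permission', entry))
    return findings

if __name__ == '__main__':
    for who, finding, entry in lint_policy(SAMPLE_POLICY):
        print('%-24s %-15s %s' % (who, finding, entry))
```

The `empty` and `all-permission` findings are informational: they list which principals receive nothing and which receive everything, so the effective grants can be compared with what the 'Profile' tab reports for each user.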