Jonathan, I did some tests and determined that the cause of the problem is probably on your end. Here's the deal:
- Container-managed authentication and authorization works by protecting a set of resources with auth-constraints - Each auth-constraint lists one or more roles that are allowed to access those resources. Now here's the important point: these are CONTAINER roles, not JSPWiki roles. - The default auth-constraint that protects Login.jsp (and thus triggers authentication) is protected by a sample container role called Authenticated. This is NOT the same as the JSPWiki role called Authenticated. - Thus, if your container is not configured to return any roles, the container will NOT let you access Login.jsp and returns a 403 (Forbidden), which directs you to Forbidden.html. This is exactly how the container is supposed to behave when a user is "unauthorized", which you are if you don't possess any container roles. - However, even though you did not receive the proper container role to access Login.jsp, your session is STILL authenticated, and as such your HttpServletRequest possesses a UserPrincipal. JSPWiki sniffs this principal during the next request and says, "Aha! The user is container-authenticated" and prints out the G'day (authenticated) message. Got it? Essentially, the container authenticates you, and JSPWiki figures that out. In between those two events, the fact that the user doesn't possess any container roles is what produces the 403. The fix is simple. Just make sure that the role named in the auth-constraint is the same as one returned by your container. In our default web.xml, we assume that this role is called "Authenticated." If your default container role is different (for example, "person"), make sure the one in web.xml matches that role name. I don't know what the root cause of your cookie authentication issue is. I could not reproduce it. Andrew On Wed, Jul 15, 2009 at 5:30 PM, jonathan<[email protected]> wrote: > heya too! > > The wiki page on container auth has been very, very helpful, yes. Upon > further investigation, I think my issues are currently more role-related > than UserDatabase related. > > Container has been set up to authenticate to ldap, no roles have been > configured, web.xml is default container-managed config. As soon as I log > in, I end up getting a forbidden page (on Login.jsp?redirect=Main). If I > click "Better luck next time", I end up back on the main page, > "authenticated" (much like this problem: > http://www.mail-archive.com/[email protected]/msg01892.html > - except I'm using Tomcat 5.5.15). > > If I look at my security log, I get the following entries only *after* I > click the "Better luck..." link on the Forbidden page: > > 2009-07-15 17:11:07,547 INFO - WikiSecurityEvent.LOGIN_AUTHENTICATED > [source=com.ecyrd.jspwiki.auth.authenticationmana...@e4245, > princpal=org.apache.catalina.realm.GenericPrincipal jengbrec, > target=com.ecyrd.jspwiki.wikisess...@1f55105] > 2009-07-15 17:11:07,547 DEBUG - WikiSecurityEvent.LOGIN_AUTHENTICATED > [source=com.ecyrd.jspwiki.auth.authenticationmana...@e4245, > princpal=org.apache.catalina.realm.GenericPrincipal jengbrec, > target=com.ecyrd.jspwiki.wikisess...@1f55105] > 2009-07-15 17:11:07,548 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD > [source=com.ecyrd.jspwiki.auth.authenticationmana...@e4245, > princpal=org.apache.catalina.realm.GenericPrincipal jengbrec, > target=com.ecyrd.jspwiki.wikisess...@1f55105] > 2009-07-15 17:11:07,548 DEBUG - WikiSecurityEvent.PRINCIPAL_ADD > [source=com.ecyrd.jspwiki.auth.authenticationmana...@e4245, > princpal=com.ecyrd.jspwiki.auth.authorize.Role Authenticated, > target=com.ecyrd.jspwiki.wikisess...@1f55105] > > > It looks like I now should have the "Authenticated" role from the container > (though I don't seem to have it (according to the log, anyway) immediately > after clicking "login" which is strange). However, I still get "Forbidden" > if I try and go to Edit.jsp or similar (the "Authenticated area" in > web.xml). > > After the initial "Forbidden", my wiki acls seem to work properly, but the > container-given Role ("Authenticated") doesn't seem to be working, even > though the logs appear to indicate that the role has been assigned. > > Thoughts on where to go from here? > > as always, many thanks, > jonathan. > > > Janne Jalkanen wrote: >> >> Heya! >> >> Does this help? >> >> http://www.jspwiki.org/wiki/WebContainerAuthenticationViaLDAP >> >> /Janne >> >> On 14 Jul 2009, at 21:37, jonathan wrote: >> >>> Has anyone successfully done this? >>> >>> In 2.4 I'm using Kaukolu LDAPUserDatabase implementation to get user >>> data, so I have no local userdatabse.xml file to fall back on. The existing >>> LDAPUserDatabase doesn't work with 2.8, of course. >>> >>> If you've done this, how are you handling the userdatabase portion under >>> 2.8? We have a very large ldap database, but a relatively small number of >>> JSPWiki users, so migrating the ldap info into an xml (or even mysql) >>> userdatabase seems a bit like overkill (though this may be the simplest >>> route to take given my relative inability to recode the LDAPUserDatabase >>> stuff). >>> >>> Any thoughts appreciated. >> >> >
