Here is the web.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";
version="2.4">
<description>
JSPWiki is an open source JSP-based WikiClone. It is licensed
under the Apache 2.0 license.
For more information, please come to http://www.jspwiki.org/
</description>
<display-name>JSPWiki</display-name>
<!-- Resource bundle default location -->
<context-param>
<param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
<param-value>templates.default</param-value>
</context-param>
<!--
WikiServletFilter defines a servlet filter which filters all requests. It
was
introduced in JSPWiki 2.4.
In 2.7/2.8, the WikiServlet filter also performs an important security
function:
it sets authentication status based on container credentials. It should
generally
execute first. Note that if you configure a filter *before* this one that
returns
non-null values for getUserPrincipal() or getRemoteUser(),
WikiSecurityFilter
will pick the credentials up, and set the user's WikiSession state to
"authenticated." WikiServletFlter will also set the WikiSession's' state
to "authenticated" if jspwiki.properties property
"jspwiki.cookieAuthentication"
is set to true, and the user possesses the correct authentication cookie.
Lastly, if jspwiki.properties property "jspwiki.cookieAssertions" is set
to true,
WikiServletFilter will also set WikiSession state to "asserted" if the
user
possesses the correct "assertion cookie."
-->
<filter>
<filter-name>WikiServletFilter</filter-name>
<filter-class>com.ecyrd.jspwiki.ui.WikiServletFilter</filter-class>
</filter>
<filter>
<filter-name>WikiJSPFilter</filter-name>
<filter-class>com.ecyrd.jspwiki.ui.WikiJSPFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>WikiServletFilter</filter-name>
<url-pattern>/attach/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>WikiServletFilter</filter-name>
<url-pattern>/atom/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>WikiServletFilter</filter-name>
<url-pattern>/dav/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>WikiServletFilter</filter-name>
<url-pattern>/RPCU/</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>WikiServletFilter</filter-name>
<url-pattern>/RPC2/</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>WikiServletFilter</filter-name>
<url-pattern>/JSON-RPC</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>WikiJSPFilter</filter-name>
<url-pattern>/wiki/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>WikiJSPFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<!--
HttpSessionListener used for managing WikiSession's.
-->
<listener>
<listener-class>com.ecyrd.jspwiki.auth.SessionMonitor</listener-class>
</listener>
<!--
Now, let's define the XML-RPC interfaces. You probably don't have to
touch these.
First, we'll define the standard XML-RPC interface.
-->
<servlet>
<servlet-name>XMLRPC</servlet-name>
<servlet-class>com.ecyrd.jspwiki.xmlrpc.RPCServlet</servlet-class>
<init-param>
<param-name>handler</param-name>
<param-value>com.ecyrd.jspwiki.xmlrpc.RPCHandler</param-value>
</init-param>
<init-param>
<param-name>prefix</param-name>
<param-value>wiki</param-value>
</init-param>
</servlet>
<!--
OK, this then defines that our UTF-8 -capable server.
-->
<servlet>
<servlet-name>XMLRPC-UTF8</servlet-name>
<servlet-class>com.ecyrd.jspwiki.xmlrpc.RPCServlet</servlet-class>
<init-param>
<param-name>handler</param-name>
<param-value>com.ecyrd.jspwiki.xmlrpc.RPCHandlerUTF8</param-value>
</init-param>
<init-param>
<param-name>prefix</param-name>
<param-value>wiki</param-value>
</init-param>
</servlet>
<!-- JSON AJAX API -->
<servlet>
<servlet-name>com.metaparadigm.jsonrpc.JSONRPCServlet</servlet-name>
<servlet-class>com.metaparadigm.jsonrpc.JSONRPCServlet</servlet-class>
</servlet>
<!-- Atom Publishing Protocol -->
<servlet>
<servlet-name>ATOM</servlet-name>
<servlet-class>com.ecyrd.jspwiki.rpc.atom.AtomAPIServlet</servlet-class>
</servlet>
<!-- Maps short URLS to JSPs; also, detects webapp shutdown. -->
<servlet>
<servlet-name>WikiServlet</servlet-name>
<servlet-class>com.ecyrd.jspwiki.WikiServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>DAVServlet</servlet-name>
<servlet-class>com.ecyrd.jspwiki.dav.WikiDavServlet</servlet-class>
</servlet>
<!--
Attachment exchange handler.
-->
<servlet>
<servlet-name>AttachmentServlet</servlet-name>
<servlet-class>com.ecyrd.jspwiki.attachment.AttachmentServlet</servlet-class>
</servlet>
<!-- PLACEHOLDER FOR PRE-COMPILED JSP SERVLETS -->
<!--
And finally, let us tell the servlet container which
URLs should correspond to which XML RPC servlet.
-->
<!-- By default, this is disabled. If you want to enabled it,
just uncomment the whole section. -->
<!-- REMOVE ME TO ENABLE XML-RPC
<servlet-mapping>
<servlet-name>XMLRPC</servlet-name>
<url-pattern>/RPC2/</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>XMLRPC-UTF8</servlet-name>
<url-pattern>/RPCU/</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ATOM</servlet-name>
<url-pattern>/atom/*</url-pattern>
</servlet-mapping>
AND REMOVE ME TOO -->
<servlet-mapping>
<servlet-name>AttachmentServlet</servlet-name>
<url-pattern>/attach/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>WikiServlet</servlet-name>
<url-pattern>/wiki/*</url-pattern>
</servlet-mapping>
<!-- Remove to enable WebDav. EXPERIMENTAL FEATURE!
<servlet-mapping>
<servlet-name>DAVServlet</servlet-name>
<url-pattern>/dav/*</url-pattern>
</servlet-mapping>
-->
<servlet-mapping>
<servlet-name>com.metaparadigm.jsonrpc.JSONRPCServlet</servlet-name>
<url-pattern>/JSON-RPC</url-pattern>
</servlet-mapping>
<!-- This means that we don't have to use redirection
from index.html anymore. Yay! -->
<welcome-file-list>
<welcome-file>Wiki.jsp</welcome-file>
</welcome-file-list>
<!-- Error pages -->
<error-page>
<error-code>403</error-code>
<location>/error/Forbidden.html</location>
</error-page>
<!-- REMOVE ME TO ENABLE JDBC DATABASE
<resource-ref>
<description>
Resource reference to JNDI factory for the JDBCUserDatabase.
</description>
<res-ref-name>
jdbc/UserDatabase
</res-ref-name>
<res-type>
javax.sql.DataSource
</res-type>
<res-auth>
Container
</res-auth>
</resource-ref>
<resource-ref>
<description>
Resource reference to JNDI factory for the JDBCGroupDatabase.
</description>
<res-ref-name>
jdbc/GroupDatabase
</res-ref-name>
<res-type>
javax.sql.DataSource
</res-type>
<res-auth>
Container
</res-auth>
</resource-ref>
REMOVE ME TO ENABLE JDBC DATABASE -->
<!-- REMOVE ME TO ENABLE JAVAMAIL
<resource-ref>
<description>Resource reference to a container-managed JNDI JavaMail
factory for sending e-mails.</description>
<res-ref-name>mail/Session</res-ref-name>
<res-type>javax.mail.Session</res-type>
<res-auth>Container</res-auth>
</resource-ref>
REMOVE ME TO ENABLE JAVAMAIL -->
<!--
CONTAINER-MANAGED AUTHENTICATION & AUTHORIZATION
Here we define the users which are allowed to access JSPWiki.
These restrictions cause the web container to apply further
contraints to the default security policy in jspwiki.policy,
and should be suitable for a corporate intranet or public wiki.
In particular, the restrictions below allow all users to
read documents, but only Authenticated users can comment
on or edit them (i.e., access the Edit.jsp page).
Users with the role Admin are the only persons who can
delete pages.
To implement this policy, the container enforces two web
resource constraints: one for the Administrator resources,
and one for Authenticated users. Note that the "role-name"
values are significant and should match the role names
retrieved by your web container's security realm. The roles
of "Admin" and "Authenticated" are assigned by the web
container at login time.
For example, if you are using Tomcat's built-in "memory realm",
you should edit the $CATALINA_HOME/conf/tomcat-users.xml file
and add the desired actual user accounts. Each user must possess
one or both of the Admin or Authenticated roles. For other realm
types, consult your web container's documentation.
Alternatively, you could also replace all references to
"Authenticated" and "Admin" with role names that match those
returned by your container's security realm. We don't care
either way, as long as they match.
Note that accessing protected resources will cause your
container to try to use SSL (default port for Tomcat is 8443)
to secure the web session. This, of course, assumes your
web container (or web server) is configured with SSL support.
If you do not wish to use SSL, remove the "user-data-constraint"
elements.
-->
<!-- REMOVE ME TO ENABLE CONTAINER-MANAGED AUTH
<security-constraint>
<web-resource-collection>
<web-resource-name>Administrative Area</web-resource-name>
<url-pattern>/Delete.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Authenticated area</web-resource-name>
<url-pattern>/Edit.jsp</url-pattern>
<url-pattern>/Comment.jsp</url-pattern>
<url-pattern>/Login.jsp</url-pattern>
<url-pattern>/NewGroup.jsp</url-pattern>
<url-pattern>/Rename.jsp</url-pattern>
<url-pattern>/Upload.jsp</url-pattern>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>HEAD</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>Read-only Area</web-resource-name>
<url-pattern>/attach</url-pattern>
<http-method>DELETE</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
<role-name>Authenticated</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/LoginForm.jsp</form-login-page>
<form-error-page>/LoginForm.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>
This logical role includes all authenticated users
</description>
<role-name>Authenticated</role-name>
</security-role>
<security-role>
<description>
This logical role includes all administrative users
</description>
<role-name>Admin</role-name>
</security-role>
REMOVE ME TO ENABLE CONTAINER-MANAGED AUTH -->
</web-app>
David Clemmons
________________________________
From: Harry Metske <[email protected]>
To: [email protected]
Sent: Sat, April 24, 2010 10:28:42 AM
Subject: Re: ACL problem
David,
your jspwiki.policy looks fine.
I cannot reproduce your problem, when you access the protected page
anonymously you should get a message like
*User 0:0:0:0:0:0:0:1 has no access - redirecting
(permission=("com.ecyrd.jspwiki.auth.permissions.PagePermission","JSPWiki:Testpage","view"))
*
Have you made changes to web.xml and/or jspwiki.properties that might affect
this behaviour ?
Can you reproduce it on http://sandbox.jspwiki.org ?
regards,
Harry
2010/4/24 David Clemmons <[email protected]>
> Harry,
> FYI, I have the same problem on Tomcat running on Ubuntu.
>
> David Clemmons
>
>
>
>
> ________________________________
> From: Harry Metske <[email protected]>
> To: [email protected]
> Sent: Thu, April 22, 2010 3:58:57 AM
> Subject: Re: ACL problem
>
> David,
>
> the list does not accept attachments, can you put them inline, or put them
> somewhere on a public host ?
>
>
> regards,
> Harry
>
> 2010/4/22 David Clemmons <[email protected]>
>
> > Attached is the policy and log file.
> > Thank You,
> > David Clemmons
> >
> >
> > ------------------------------
> > *From:* Harry Metske <[email protected]>
> > *To:* [email protected]
> > *Sent:* Wed, April 21, 2010 11:52:42 AM
> > *Subject:* Re: ACL problem
> >
> > David,
> >
> > can you share your jspwiki.policy file and the logfiles with us ?
> > Your problem description is not enough for us to help you.
> >
> > regards,
> > Harry
> >
> > 2010/4/19 David Clemmons <[email protected]>
> >
> > > I have installed JSPWIKI 2.83 on Websphere but I cannot get ACL to
> > > work. For instance, I have a page with [{ALLOW view DavidClemmons}]
> but
> > > anonymous users can still view this.
> > >
> > >
> > > David Clemmons
> > >
> >
>
