Hi,
My config: JSPWiki v2.8.4, Ubuntu 10.04, tomcat6 6.0.24-2, sun-java6-jdk
1.6.0_26-b03, Active Directory LDAP.
I use a custom authentication (Container-Managed Authentication) via
AD. It runs well.
I created an AD group for a specific role. Any user in this AD group can
rename, edit, etc.
The AD users who are authenticated but are not in the AD group cannot
edit the page.
The jspwiki.policy below doesn't work: the block "grant principal
com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {" has no effect; see the entire
file below.
I read in the mailing list archive that there is an "overlap" between the
"local user database" and "Container-Managed Authentication".
I don't find the solution.
Below are my web.xml and jspwiki.policy.
-------------------------------------
Web.xml (the AD group cname is "eri_wiki")
-------------------------------------
<!-- Container constraint: only the eri_wiki and Admin roles may reach /Delete.jsp.
     transport-guarantee NONE tells the container to accept this URL over plain HTTP;
     combined with the FORM login declared further down, the AD credentials cross the
     wire in clear text unless TLS is terminated in front of Tomcat. CONFIDENTIAL is the
     usual value once HTTPS is available. -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Administrative Area</web-resource-name>
<url-pattern>/Delete.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>eri_wiki</role-name>
<role-name>Admin</role-name>
</auth-constraint>
<!--
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
-->
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- Container constraint for the editing pages. Its auth-constraint admits only Admin
     and eri_wiki, and the servlet container enforces that before JSPWiki's own policy is
     consulted: an AD user who is authenticated but not a member of eri_wiki is refused
     at /Edit.jsp, /Rename.jsp, ... right here, so the Role "Authenticated" grant in
     jspwiki.policy never gets a chance to apply. Note that /Login.jsp sits in the same
     collection and is therefore subject to the same role check. -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Authenticated area</web-resource-name>
<url-pattern>/Edit.jsp</url-pattern>
<url-pattern>/Comment.jsp</url-pattern>
<url-pattern>/Login.jsp</url-pattern>
<url-pattern>/NewGroup.jsp</url-pattern>
<url-pattern>/Rename.jsp</url-pattern>
<url-pattern>/Upload.jsp</url-pattern>
<!-- Listing http-method elements narrows the constraint to exactly these verbs; a
     request using any other method reaches the JSPs without this role check. Leaving
     the http-method list out makes the constraint cover every verb. -->
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>HEAD</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>Read-only Area</web-resource-name>
<!-- NOTE(review): "/attach" is an exact-path pattern, not a prefix ("/attach/*");
     confirm it matches the mapping of the attachment servlet in this web.xml. -->
<url-pattern>/attach</url-pattern>
<http-method>DELETE</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
<role-name>eri_wiki</role-name>
</auth-constraint>
<!-- No user-data-constraint here, so these pages are also served over plain HTTP
     (same caveat as the Administrative Area above). -->
</security-constraint>
<!-- FORM login: the container collects username and password from LoginForm.jsp and
     authenticates them against the configured realm (AD, per the post). The same page
     serves as the error page, so a failed login simply redisplays the form. -->
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/LoginForm.jsp</form-login-page>
<form-error-page>/LoginForm.jsp</form-error-page>
</form-login-config>
</login-config>
<!-- Container roles must be declared here to be usable in the auth-constraints above.
     JSPWiki's container authorizer also reads these declarations (as far as I can tell)
     to decide which container roles it maps onto its own Role principals, so an AD
     group that is not declared as a security-role cannot be referenced in
     jspwiki.policy. -->
<security-role>
<description>
This logical role includes all authenticated users
</description>
<role-name>Authenticated</role-name>
</security-role>
<security-role>
<description>
This logical role includes all administrative users
</description>
<role-name>Admin</role-name>
</security-role>
<security-role>
<description>
This logical role includes all eri wiki users
</description>
<role-name>eri_wiki</role-name>
</security-role>
-----------------------------------------------------------
Jspwiki.policy
-----------------------------------------------------------
// JSPWiki policy file. Each grant attaches JSPWiki permissions to one of JSPWiki's
// Role principals. Container roles from web.xml only become Role principals when they
// are declared there as a security-role (Authenticated, Admin and eri_wiki are).
//
// "All": every visitor, logged in or not, may view any page, edit their own
// preferences and profile, and log in.
grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
"view";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"editPreferences";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"editProfile";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"login";
};
// "Anonymous": visitors who have not logged in may also modify existing pages and
// create new ones. The web.xml constraint on /Edit.jsp already keeps unauthenticated
// users away from the edit page, but this grant is still wider than view-only; drop
// "modify" and "createPages" if anonymous edits are not wanted.
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
"modify";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"createPages";
};
// "Asserted": visitors identified only by a user cookie (not authenticated) get the
// same edit rights as Anonymous plus read access to groups.
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
"modify";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"createPages";
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*",
"view";
};
// "Authenticated": every logged-in user may modify and rename pages, view and edit
// groups, and create pages and groups. This is the grant that is expected to let all
// AD users edit, but it is not what decides the outcome: the web.xml
// security-constraint on /Edit.jsp admits only the Admin and eri_wiki container roles,
// so users outside eri_wiki are rejected by the container before JSPWiki ever
// evaluates this block.
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
"modify,rename";
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*",
"view";
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*",
"edit";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"createPages,createGroups";
};
// "Admin": unrestricted. AllPermission covers every page, group and wiki action, so
// membership of the Admin container role should be kept small.
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
// "eri_wiki": the AD group mapped through the eri_wiki container role. The permission
// set is identical to the "Authenticated" grant above, so members gain nothing beyond
// what any authenticated user would have; the practical difference is that only this
// role (and Admin) passes the web.xml constraint on the editing pages.
grant principal com.ecyrd.jspwiki.auth.authorize.Role "eri_wiki" {
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
"modify,rename";
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*",
"view";
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*",
"edit";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"createPages,createGroups";
};
Thanks
Eric