Hello Foster, yes that seems to be what I'm looking for. So does it work already with JSPWiki 2.8?
If not I'll have a look at it and see if I could adapt it to the newest version of JSPWiki.

--
Christian Rösch
http://www.icongmbh.de
Application Development
icon Systemhaus GmbH
Tel. +49(711)806098-0
Sophienstraße 40
70178 Stuttgart
Fax. +49(711)806098-299

Managing Director: Uwe Seltmann
HRB Stuttgart 17655
VAT ID: DE 811944121

+++++++++++++++++++++++++++++++++++++++++
icon Events: www.icongmbh.de/events.html
+++++++++++++++++++++++++++++++++++++++++

-----Original Message-----
From: Foster Schucker [mailto:[email protected]]
Sent: Tuesday, 3 July 2012 13:09
To: [email protected]
Subject: Re: How to hide content for some users

I had written a plugin that would allow partial page displays to be shown, I think this is what you are looking for. If it is, let me know and I'll mail you the code. It's for a very old version of JSPWiki, when the base went off on a different direction for page auth it was too hard to fit into the new scheme.

Foster

--------

AuthPlugin

The purpose of the Auth Plugin is to allow page level security for 2.0.x JSPWiki. It is an Authorization plugin, it uses Container Managed Security <http://localhost:8080/schucker/Wiki.jsp?page=ContainerManagedSecurity> to perform the Authentication (and to help control access to some of the JSP files)

(Also see Auth Plugin Detail <http://localhost:8080/schucker/Wiki.jsp?page=AuthPluginDetail>)
(The Auth Test <http://localhost:8080/schucker/Wiki.jsp?page=AuthTest> page has some samples)

    [{Auth allow='admin' deny='Janne' edit='editor'}]

Parameters

*allow* (optional)[1] <http://localhost:8080/schucker/Wiki.jsp?page=AuthPlugin#ref-AuthPlugin-1> a list of user names and/or roles that have access to this page[1] <http://localhost:8080/schucker/Wiki.jsp?page=AuthPlugin#ref-AuthPlugin-1>.
*deny* (optional) a list of user names and/or roles that should be denied access to this page
*edit* (optional) a list of user names and/or roles that have edit access to this page

In the example given, everyone in the admin group has access, except for Janne, and those people that have the 'editor' role can edit this page.

------------------------------------------------------------------------

How to use it

There are two different ways to use Auth. First is to control the viewing of a block of text inside of a page:

    Everyone will see this text
    [{Auth allow='editor'

    Only those people with ''editor'' roles will see this text
    }]
    This text will also be seen by everyone.

Only the text inside the body of the Auth plugin is controlled. The plugin can be used any number of times on a page. Plugins can be nested, so you can do:

    Everyone will see this text
    [{Auth allow='editor'

    Only those people with ''editor'' roles will see this text
    [{Auth allow='admin'

    Only those people with ''editor'' and ''admin'' roles will see this text
    }]
    Only ''editors'' will see this line
    }]
    This text will also be seen by everyone.

(A common error is not having the blank line after the Auth plugin and not having matched plugin closes)

The second way is to control access to the entire page.

    [{Auth allow='ATeam' deny='BA' edit='ATeam'}]
    Plane trip for next week is on, I love it when a plan comes together!

Everyone on the ATeam except for BA can see this page, and all of the ATeam can edit this page.

------------------------------------------------------------------------

How it works

Auth Plugin -- Simply it takes the parameters passed and looks in the user and role list to see if they match[2] <http://localhost:8080/schucker/Wiki.jsp?page=AuthPlugin#ref-AuthPlugin-2>:

    if (checkthisguy.equalsIgnoreCase(request.getRemoteUser())) {..}
    if (request.isUserInRole(checkthisguy)) {..}

If there is not a match for the allow an AssertionError("Not allowed to see this page") is thrown.
This error is caught by the uppermost layer of the container, and it will produce an error page with this message on it. (Tested with Resin and Weblogic, your container may or may not work)

If the user is allowed to view the page then an entry is also made in the session variable *pageview*. A similar entry is made in *pageedit* if they can edit the page.

In most cases the user will not be able to click on the /Edit this page/ link since if they can't see the page, they are looking at an error page that does not have a link on it. While */Security through Obscurity/* works for some, some users may elect to put the entire URL in by hand. To protect against this you will need to edit your Edit.jsp file to check and see if they are allowed to edit this file. And while you are at it, you should also change the Diff.jsp and PageInfo.jsp files.

Finally, things like Recent Changes will still find the /hidden/ pages for a user. This means that they will know there is a page called *TopSecretPlans* even though they can't view it. If this is a concern to you, you can do one of two things:

1. Call your /hidden/ pages something like *Hidden_TopSecretPlans* and change your Recent Changes to ignore files that start with Hidden_.
2. Use the new 2.1 Wiki with the full featured Authorization And Authentication.

------------------------------------------------------------------------

Disclaimer

This is how I do it, you may not get it to work without some (high) level of effort on your part. I can try to help you, but plan to spend some time, this is not just a plugin you can drop in and use

-- FosterSchucker <http://localhost:8080/schucker/Wiki.jsp?page=FosterSchucker>

------------------------------------------------------------------------

3 August 2004

I've uploaded a new version that fixes a bug if there are many roles in the list. I've also made it a static method and moved all of the null checking, wildcards, etc. into the method *userInList*.
This allows Auth to be safely called from other places (like tags, pages, etc.)

I've uploaded the source to the Auth plugin and the source for AuthTag, if you want a compiled version (jar file) let me know.

New exposed method

    public static boolean userInList(HttpServletRequest request, String accesslist, String username)

sample call

    if (Auth.userInList(request, "editor,admin,superuser", null)) { ... }

Will check to see if this user is in any of those roles.

TLD for AuthTag

    <tag>
      <name>Auth</name>
      <tagclass>com.ecyrd.jspwiki.tags.AuthTag</tagclass>
      <bodycontent>JSP</bodycontent>
      <attribute>
        <name>allow</name>
        <required>false</required>
      </attribute>
      <attribute>
        <name>deny</name>
        <required>false</required>
      </attribute>
    </tag>

------------------------------------------------------------------------

[#1] The default in the code is to deny access to a page by default. While the allow parameter is not /required/ it's a good idea to have it in there, you can make a page that no user can see.

[#2] The site Administrator is still responsible for putting the user, password and role(s) into the system.

Category Third Party Plugin <http://localhost:8080/schucker/Wiki.jsp?page=CategoryThirdPartyPlugin>
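
The allow/deny/edit decision described in the forwarded AuthPlugin page, as an added Java example that is not Foster Schucker's plugin source and not part of either message. The class and method names (AccessCheck, inList, canView, canEdit) and the sample users are hypothetical, the Predicate stands in for request.isUserInRole, wildcards are not modelled, and treating edit as requiring view access is an assumption. The same check is what an entry point such as Edit.jsp would call, so a hand-typed URL gets the same answer as the page view.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

// Added example (hypothetical names): default-deny allow/deny/edit decision.
// Wildcards are not modelled; "edit requires view" is an assumption.
public class AccessCheck {

    // True if the user name (case-insensitive) or one of the user's roles is in the list.
    static boolean inList(String accessList, String user, Predicate<String> isUserInRole) {
        if (accessList == null || user == null) {
            return false; // missing list or unauthenticated user: nothing matches
        }
        for (String entry : accessList.split(",")) {
            String e = entry.trim();
            if (!e.isEmpty() && (e.equalsIgnoreCase(user) || isUserInRole.test(e))) {
                return true;
            }
        }
        return false;
    }

    // Deny wins over allow; with no allow list nobody may view (default deny).
    static boolean canView(String allow, String deny, String user, Predicate<String> roles) {
        return !inList(deny, user, roles) && inList(allow, user, roles);
    }

    // Called from every entry point (view, edit, diff, info), not only where the
    // edit link is rendered, so typing the edit URL by hand does not skip the check.
    static boolean canEdit(String allow, String deny, String edit,
                           String user, Predicate<String> roles) {
        return canView(allow, deny, user, roles) && inList(edit, user, roles);
    }

    public static void main(String[] args) {
        // Constructed sample data: user name -> roles known to the container.
        Map<String, Set<String>> directory = Map.of(
            "hannibal", Set.of("ATeam"), "BA", Set.of("ATeam"), "visitor", Set.of());
        for (String user : directory.keySet()) {
            Predicate<String> roles = directory.get(user)::contains;
            // Parameters from the page: [{Auth allow='ATeam' deny='BA' edit='ATeam'}]
            System.out.printf("%-8s view=%b edit=%b%n", user,
                canView("ATeam", "BA", user, roles),
                canEdit("ATeam", "BA", "ATeam", user, roles));
        }
        // No allow parameter at all: even a role holder is refused.
        Predicate<String> hannibalRoles = directory.get("hannibal")::contains;
        System.out.println("no allow list -> " + canView(null, null, "hannibal", hannibalRoles));
    }
}
```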
