Hi,
Maybe I'll be the only mad boy who wants ("has to") to run JSPWiki on IBM WebSphere using custom authentication. In any case, here is what I discovered.

In the class org.apache.wiki.auth.AuthorizationManager there is a routine called checkStaticPermission, and in the class org.apache.wiki.auth.SecurityVerifier there is a routine called verifyStaticPermission. In both of them there is a check (inside a try .. catch block) against the JVM-wide security policy and, if it fails (catches an exception), a test against the local policy.

The problematic code is
"AccessController.checkPermission( permission );"
where "permission" is a parameter to the routine (final Permission permission).

In the WebSphere instances I could test (6.1 without security & 7.0 with security) the code "AccessController.checkPermission( permission );" never throws an exception, so the routine always hits "return Boolean.TRUE" and the local policies are never tested. The result is that everybody can do anything (edit, rename, delete, ..). Putting a nice "//" in front of the "return Boolean.TRUE" makes the magical change and JSPWiki works as desired (only authenticated users can make changes).

Maybe there is some kind of configuration to apply to WebSphere, but I haven't found it.

So I ask for a patch in the code (guided by a configuration parameter) to skip JVM-wide security policy and go directly to local ones; something like
  if (configuratedForJVMSecurity) {
    ... try... catch block
  }


I'm new to "team programming" so this is an "ask for", but if someone tells me how to change the code (how to spread the patch I've done on my JSPWiki sources) I'll do it (happy to be allowed to do something worldwide useful :-))

Have nice days,
Roberto

-- 
Message sent from WebMail - http://www.mercurio.it
-------------------------------------------------------
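To make the fail-open pattern in the message concrete, here is an added stand-alone sketch (not JSPWiki's code, not Roberto's patch) of the original try/catch structure next to the configuration-guarded variant he asks for. The class name, the LocalPolicy interface and the useJvmSecurity flag are all assumptions for illustration; JSPWiki's real local-policy check and its configuration key are not reproduced here.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;

// Hypothetical illustration of checkStaticPermission's two shapes; not JSPWiki code.
public final class StaticPermissionCheck {

    /** Stand-in for the local (jspwiki.policy) check; hypothetical interface. */
    public interface LocalPolicy {
        boolean implies(Permission permission);
    }

    private final boolean useJvmSecurity;   // assumed config switch; real key name not on the page
    private final LocalPolicy localPolicy;

    public StaticPermissionCheck(boolean useJvmSecurity, LocalPolicy localPolicy) {
        this.useJvmSecurity = useJvmSecurity;
        this.localPolicy = localPolicy;
    }

    /** Shape described in the message: if the JVM-wide check does not throw, return TRUE
     *  immediately. The local policy is only consulted on AccessControlException, so a
     *  container where the call never throws grants everything. */
    public boolean checkOriginal(Permission permission) {
        try {
            AccessController.checkPermission(permission);
            return true;                    // reached for every permission on the WebSphere instances above
        } catch (AccessControlException e) {
            return localPolicy.implies(permission);
        }
    }

    /** Requested guard: consult the JVM policy only when configured to; otherwise the
     *  decision always rests with the local policy and cannot silently short-circuit. */
    public boolean checkGuarded(Permission permission) {
        if (useJvmSecurity) {
            try {
                AccessController.checkPermission(permission);
                return true;
            } catch (AccessControlException e) {
                // JVM policy denied it; fall through to the local policy below
            }
        }
        return localPolicy.implies(permission);
    }

    public static void main(String[] args) {
        Permission p = new java.io.FilePermission("/tmp/page.txt", "write"); // constructed sample
        StaticPermissionCheck c = new StaticPermissionCheck(false, perm -> false); // local policy denies all
        System.out.println("original: " + c.checkOriginal(p)); // depends on the JVM policy in effect
        System.out.println("guarded : " + c.checkGuarded(p));  // always false: local policy decides
    }
}
```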