Re: Container-managed auth security issue?

2016-02-26 Thread Paul Uszak
I get similarly weird behaviour but not exactly identical.  My strangest
effects are that I can't log out. If I log out, then just browse back I'm
logged back in. I also can't log in cleanly as I always get the "you can't
do that" page, but then I'm logged in. I can't get to the JSPWiki log in
page at all, just the realm basic dialogue.  If I ever try to cancel a
login dialogue I just get a Server 500 error that never goes away until I
close the browser.

I think that Access Control List x JSPWiki security x Container security x
individual JSP page granularity is just too complicated, both to manage and
debug.  There probably aren't enough deployments to identify /document
/debug all possible use cases. I'm not sure what the answer might be other
than an authorisation mechanism rethink.  I suspect that the ratio of
installations to security complexity is such that most people have some
sort of problem.

Prayer: Please God, don't add MySql support as that will just make it a
total nightmare with its dumb-ass port /socket & location-based
authorisation model on top of the wiki's.


On Saturday, 20 February 2016, Dave Koelmeyer <
dave.koelme...@davekoelmeyer.co.nz> wrote:

> Hi All,
>
> I've stumbled across some rather interesting behaviour which I'd like to
> know if someone else can replicate, and, if this is expected with my setup.
>
> I'm running JSPWiki v2.10.2-svn-38 with container-managed
> authentication, with user accounts provisioned using a file-based
> security realm in Payara Server 4.1. My JSPWiki policy file has been
> deliberately locked down such that only authenticated users can view
> content.
>
> The userdatabase.xml file contains the following only, as one would expect:
>
> 
> 
>  wikiName="Administrator" fullName="Administrator" email=""
> password="{SSHA}somepassword" created="2016.02.20 at 23:11:59:610 NZDT"
> lastModified="2016.02.20 at 23:11:59:610 NZDT" lockExpiry="" >
> 
> 
>
> To test the installation is secure a user performs the following:
>
>  1. Navigate to the JSPWiki login screen
>  2. Click on ["Don't have account?"] "Join JSPWiki now!"
>  3. On the "Register a new user!" page, enter a random Name and email
> address, and click "Create a new user profile". The account cannot
> be created.
>
>
> Now, leaving this browser tab as-is, open a second browser tab.
> Authenticate to JSPWiki as an authorised user. Next, switch back to the
> original tab. Repeat step 3 above. The session logs you in. Under "User
> Preferences -> Profile" for the logged-in user, the "Name" and "Email
> address" values have changed to what was set in step 3 above. The "Login
> name" however is still the account derived from the Payara security realm.
>
> Now, if one inspects the userdatabase.xml file, a new entry *has* been
> created. In the following example "derekz" is set in the file-based
> security realm, whereas "Alex" is the name set when registering the new
> user account directly:
>
>   fullName="Alex" email="a...@example.com " password=""
> created="2016.02.20 at 23:28:59:268 NZDT" lastModified="2016.02.20 at 23:28:59:268 NZDT"
> lockExpiry="" >
> 
> 
>
> So what gives? Something tells me this perhaps shouldn't be working
> quite like this, even with the unlikely scenario of attempting to
> register a new user when the same authorised user is already authenticated.
>
> Cheers,
> Dave
>
> --
> Dave Koelmeyer
> http://blog.davekoelmeyer.co.nz
> GPG Key ID: 0x238BFF87
>
>
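The profile drift Dave describes (a container-realm login whose wiki profile now carries a name and e-mail typed into a stale registration form) can be caught after the fact by diffing userdatabase.xml against the container realm. The script below is an added example, not JSPWiki's own code; it assumes a `<users>` root with one `<user .../>` element per profile and a `loginName` attribute alongside the attributes visible in the thread, and the sample file and realm records are constructed.

```python
"""Audit a JSPWiki userdatabase.xml against the container realm (added example).

Assumed layout (not shown on the page): <users> root, one <user .../> per
profile, attributes loginName, wikiName, fullName, email, password, created,
lastModified, lockExpiry.
"""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the thread: a legitimate Administrator entry and
# the "derekz" realm account whose profile was overwritten with "Alex".
SAMPLE_XML = """<users>
  <user loginName="Administrator" wikiName="Administrator" fullName="Administrator"
        email="" password="{SSHA}somepassword"
        created="2016.02.20 at 23:11:59:610 NZDT"
        lastModified="2016.02.20 at 23:11:59:610 NZDT" lockExpiry="" />
  <user loginName="derekz" wikiName="Alex" fullName="Alex" email="alex@example.com"
        password="" created="2016.02.20 at 23:28:59:268 NZDT"
        lastModified="2016.02.20 at 23:28:59:268 NZDT" lockExpiry="" />
</users>"""

# Constructed realm records: loginName -> (expected fullName, expected email).
REALM = {
    "Administrator": ("Administrator", ""),
    "derekz": ("Derek Z", "derekz@example.com"),
}


def audit_userdatabase(xml_text, realm):
    """Return (loginName, reason) findings for profiles that do not match the realm.

    A profile whose login is unknown to the realm, or whose fullName/email
    differ from the realm record, indicates a registration or profile update
    that bypassed the container-managed identity.
    """
    findings = []
    for user in ET.fromstring(xml_text).iter("user"):
        login = user.get("loginName", "")
        if login not in realm:
            findings.append((login, "login name not provisioned in container realm"))
            continue
        exp_name, exp_email = realm[login]
        if user.get("fullName", "") != exp_name:
            findings.append((login, "fullName %r differs from realm %r"
                             % (user.get("fullName", ""), exp_name)))
        if user.get("email", "") != exp_email:
            findings.append((login, "email %r differs from realm %r"
                             % (user.get("email", ""), exp_email)))
    return findings


if __name__ == "__main__":
    for login, reason in audit_userdatabase(SAMPLE_XML, REALM):
        print("%s: %s" % (login, reason))
```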


Re: JSPWiki on Facebook

2016-02-26 Thread Paul Uszak
Sorry Dave, but is there a faux pas?  WordPress?  Best not to advertise a
more successful competing product on your own site...

On Friday, 26 February 2016, Siegfried Goeschl <
siegfried.goes...@it20one.com> wrote:

> Hi Dave,
>
> it looks nice :-)
>
> Thanks for your effort
>
> Siegfried Goeschl (not a Facebook user)
>
> > On 24 Feb 2016, at 02:40, Dave Koelmeyer <
> dave.koelme...@davekoelmeyer.co.nz > wrote:
> >
> > Hi All,
> >
> > I've now made a Page on Facebook:
> >
> > https://www.facebook.com/ApacheJSPWiki/
> >
> >
> > I've added Janne as a co-admin, and to safeguard against not having
> > access to the account down the line if any of the core devs would also
> > like to be added as page admins please drop me a line.
> >
> > Cheers,
> > Dave
> >
> > --
> > Dave Koelmeyer
> > http://blog.davekoelmeyer.co.nz
> > GPG Key ID: 0x238BFF87
> >
>
>