I'll give you the pertinent URLs:

The site: http://ocpolitizone.org/
The logo: http://ocpolitizone.org/attach/LeftMenu/ocpolitizone.png

Besides the jspwiki.policy file, is there any other configuration file, like jspwiki-custom.properties, that might make a difference?

Thanks,
  Gary

On 12/8/2020 9:31 AM, Juan Pablo Santos Rodríguez wrote:
Hi Gary,

that's weird, before writing the previous e-mail I double checked the
suggested approach using the following unit test

@Test
public void testAttachmentAcl() throws Exception {
     m_engine.saveText( "TestDefaultPage", "Foo" );
     final Attachment att = Wiki.contents().attachment( m_engine, "TestDefaultPage", "TestAtt.txt" );
     att.setAuthor( "FirstPost" );
     m_engine.getManager( AttachmentManager.class ).storeAttachment( att, m_engine.makeAttachmentFile() );

     final Permission view = PermissionFactory.getPagePermission( "*:TestDefaultPage/TestAtt.txt", "view" );
     final Permission edit = PermissionFactory.getPagePermission( "*:TestDefaultPage/TestAtt.txt", "edit" );

     final Session session = WikiSessionTest.anonymousSession( m_engine );
     Assertions.assertTrue( m_auth.checkPermission( session, view ), "anonymous view" );
     Assertions.assertTrue( m_auth.checkPermission( session, edit ), "anonymous edit" );
}

and it passes for each of the following permissions on the policy file

grant principal org.apache.wiki.auth.authorize.Role "Anonymous" {
     //permission org.apache.wiki.auth.permissions.PagePermission "*:*", "edit";
     //permission org.apache.wiki.auth.permissions.PagePermission "*:TestDefaultPage", "edit";
     permission org.apache.wiki.auth.permissions.PagePermission "*:TestDefaultPage/TestAtt.txt", "edit";
};

(same for view permissions on the policy file except for the test's last
assertion). That said, I misunderstood your original e-mail; I was thinking
that anonymous users weren't allowed to see (not edit) the wiki. Your policy
file should be enough to allow http://mysite.org/attach/LeftMenu/mylogo.png
for anonymous users. Does the log show something unusual while
accessing/requesting that file? Would you mind setting the log level to debug
to see if anything else pops up?

I'm preparing the release for 2.11.0-M8 in a while, but will have a closer
look at this after that.


best regards,
juan pablo


On Tue, Dec 8, 2020 at 1:23 AM Gary Kephart <gary_keph...@pobox.com> wrote:

Juan Pablo,

Thanks for responding. I tried your suggestion but it's still not
working. Below is my complete jspwiki.policy.

Thanks,
    Gary

grant principal org.apache.wiki.auth.authorize.Role "All" {
      permission org.apache.wiki.auth.permissions.PagePermission "*:*",
"view";
      permission org.apache.wiki.auth.permissions.PagePermission
"*:LeftMenu/mylogo.png", "view";
      permission org.apache.wiki.auth.permissions.WikiPermission "*",
"editPreferences";
      permission org.apache.wiki.auth.permissions.WikiPermission "*",
"editProfile";
      permission org.apache.wiki.auth.permissions.WikiPermission "*",
"login";
};


// read-only for Anonymous users
grant principal org.apache.wiki.auth.authorize.Role "Anonymous" {
      permission org.apache.wiki.auth.permissions.PagePermission "*:*",
"view";
};


// read-only for Asserted users
grant principal org.apache.wiki.auth.authorize.Role "Asserted" {
}    permission org.apache.wiki.auth.permissions.PagePermission "*:*",
"view";
;


// read-only for Authenticated users
grant principal org.apache.wiki.auth.authorize.Role "Authenticated" {
      permission org.apache.wiki.auth.permissions.PagePermission "*:*",
"view";
};


// Members of the group "RegisteredUsers" can create, edit and rename pages.
// They can also view all the groups.
grant principal org.apache.wiki.auth.GroupPrincipal "RegisteredUsers" {
      permission org.apache.wiki.auth.permissions.PagePermission "*:*",
"modify,rename";
      permission org.apache.wiki.auth.permissions.GroupPermission "*:*",
"view";
      permission org.apache.wiki.auth.permissions.GroupPermission
"*:<groupmember>", "edit";
      permission org.apache.wiki.auth.permissions.WikiPermission "*",
"createPages,createGroups";
};


grant principal org.apache.wiki.auth.GroupPrincipal "Admin" {
      permission org.apache.wiki.auth.permissions.AllPermission "*";
};
grant principal org.apache.wiki.auth.authorize.Role "Admin" {
      permission org.apache.wiki.auth.permissions.AllPermission "*";
};


On 12/7/2020 6:00 AM, Juan Pablo Santos Rodríguez wrote:
Hi Gary,

inside JSPWiki, Attachments are considered a special type of Pages, so the
same policy rules & syntax should apply. In this case, the following
permission inside the anonymous role block should be enough:

permission org.apache.wiki.auth.permissions.PagePermission
"*:LeftMenu/mylogo.png", "view";

Also, LeftMenu usually is a page that should be shown to all users, so the
following permission, also inside the anonymous role block, should also do
the trick and allow anonymous view on both Page and Attachment:

permission org.apache.wiki.auth.permissions.PagePermission "*:LeftMenu",
"view";


HTH,
juan pablo

On Sat, Dec 5, 2020 at 6:20 PM Gary Kephart <gary_keph...@pobox.com> wrote:
I have a site that I've set up as read-only except for users who are in
a particular group. For the most part, that works well. What doesn't
seem to work is showing the site logo to users who are not logged in.
When I try to directly access
http://mysite.org/attach/LeftMenu/mylogo.png when logged off, I get the
Forbidden page, where it mentions "It is also possible that JSPWiki
cannot find its security policy, or that the policy is not configured
correctly. Either of these cases would cause JSPWiki to block access,
too."
Is attachment policy different than page policy? Do you have to be able
to modify a page in order to view an attachment? What do I need to do to
fix this? I've read
https://jspwiki-wiki.apache.org/Wiki.jsp?page=Wiki.Admin.Security and
don't see anything there that addresses this specifically.

Thanks,
     Gary
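
An added example, not part of the thread and not JSPWiki code: jspwiki.policy follows the Java policy-file grammar (`grant ... { permission ...; };`), so a small structural check can list what each principal is granted and flag blocks whose braces or semicolons are out of place before the file is deployed. The names `lint_policy`, `TOKEN` and `SAMPLE` are made up for this example, and the sample policy is constructed.

```python
import re

# Java policy-file tokens: comments, quoted strings, punctuation, bare words.
TOKEN = re.compile(r'//[^\n]*|/\*.*?\*/|"[^"\n]*"|[{};,]|[^\s{};,"]+', re.S)

# Constructed sample (not a real site's policy); the second block is malformed.
SAMPLE = '''\
grant principal org.apache.wiki.auth.authorize.Role "Anonymous" {
    permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
};
grant principal org.apache.wiki.auth.authorize.Role "Asserted" {
}   permission org.apache.wiki.auth.permissions.PagePermission "*:*",
"view";
;
'''

def lint_policy(text):
    """Return (grants, findings): name -> [(target, actions)], [(line, msg)]."""
    toks = [(text.count("\n", 0, m.start()) + 1, m.group())
            for m in TOKEN.finditer(text)
            if not m.group().startswith(("//", "/*"))]
    grants, findings, i, n = {}, [], 0, len(toks)
    while i < n:
        line, tok = toks[i]
        if tok != "grant":
            findings.append((line, f"{tok!r} is outside any grant block"))
            while i < n and toks[i][1] != "grant":   # resynchronise
                i += 1
            continue
        # Header runs up to '{'; the principal name is its last token.
        j = next((x for x in range(i + 1, n) if toks[x][1] == "{"), n)
        name = toks[j - 1][1].strip('"')
        perms, j, count = grants.setdefault(name, []), j + 1, 0
        while j < n and toks[j][1] == "permission":  # each entry ends at ';'
            k = next((x for x in range(j, n) if toks[x][1] == ";"), n)
            args = [t.strip('"') for _, t in toks[j + 2:k] if t != ","]
            perms.append(tuple((args + ["", ""])[:2]))
            count, j = count + 1, k + 1
        if count == 0:
            findings.append((line, f'grant "{name}" has no permission entries'))
        if [t for _, t in toks[j:j + 2]] == ["}", ";"]:
            j += 2
        else:
            findings.append((line, f'grant "{name}" is not closed with "}};"'))
            if j < n and toks[j][1] == "}":
                j += 1
        i = j
    return grants, findings
```

Grants are keyed by principal name only, so a Role and a GroupPrincipal with the same name are reported together.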


