At line 7 changed one line |
|[Bug status]|NewBug |
|[Bug status]|ClosedBug |
At line 34 added 93 lines |
|
|
---- |
|
Andrew; |
|
Thanks for the reply and keep up the great work. I will keep an eye open for updates regarding use of a [Security Manager]. |
|
Charlie. |
|
|
--AnonymousCoward, 16-Mar-2007 |
|
---- |
Assuming fixed, there have been various fixes against PageRenamer. |
---- |
Negative. I've configured a 2.6.0 installation on JBoss with DB2. I'm using container managed security and I can verify that the security policies still aren't being applied properly. |
\\ |
It appears that a user that has both Authenticated and Admin will be granted all permissions by Admin. However, these permissions are being overridden by the denial of permissions to Authenticated. |
\\ |
!Workaround |
There is a workaround for all this. Since the policy is incompletely applied, reset the policy to 'clear' and just use a pure container managed security model: |
\\ |
Here is my policy:\\ |
{{{ |
grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" { |
permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*"; |
}; |
}}} |
|
And here is my web.xml:\\ |
{{{ |
<security-constraint> |
<web-resource-collection> |
<web-resource-name>Administrative Area</web-resource-name> |
<url-pattern>/NewGroup.jsp</url-pattern> |
<url-pattern>/Delete.jsp</url-pattern> |
</web-resource-collection> |
<auth-constraint> |
<role-name>Admin</role-name> |
</auth-constraint> |
<!-- |
<user-data-constraint> |
<transport-guarantee>CONFIDENTIAL</transport-guarantee> |
</user-data-constraint> |
--> |
</security-constraint> |
|
<security-constraint> |
<web-resource-collection> |
<web-resource-name>Authenticated area</web-resource-name> |
<url-pattern>/Edit.jsp</url-pattern> |
<url-pattern>/Comment.jsp</url-pattern> |
<url-pattern>/Login.jsp</url-pattern> |
<url-pattern>/Rename.jsp</url-pattern> |
<url-pattern>/Upload.jsp</url-pattern> |
<http-method>DELETE</http-method> |
<http-method>GET</http-method> |
<http-method>HEAD</http-method> |
<http-method>POST</http-method> |
<http-method>PUT</http-method> |
</web-resource-collection> |
|
<web-resource-collection> |
<web-resource-name>Read-only Area</web-resource-name> |
<url-pattern>/attach</url-pattern> |
<http-method>DELETE</http-method> |
<http-method>POST</http-method> |
<http-method>PUT</http-method> |
</web-resource-collection> |
|
<auth-constraint> |
<role-name>Admin</role-name> |
<role-name>Authenticated</role-name> |
</auth-constraint> |
|
<!-- |
<user-data-constraint> |
<transport-guarantee>CONFIDENTIAL</transport-guarantee> |
</user-data-constraint> |
--> |
</security-constraint> |
}}} |
|
\\ |
--[Louis], 2008-03-13 |
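The workaround above moves all access control into the servlet container, so what is actually protected depends entirely on how the container combines the `<security-constraint>` elements. The following is an added example, not JSPWiki code and not part of the original post: a small evaluator of the Servlet-spec matching and combination rules that reports which roles a request needs and, more usefully, which (url-pattern, method) pairs no constraint covers at all. The web.xml it parses is a constructed sample with the same shape as the one posted (trimmed to one pattern per collection); the role and method names come from that post.

```python
# Added example (not JSPWiki project code): evaluate servlet
# <security-constraint> rules and list uncovered (pattern, method) pairs.
import xml.etree.ElementTree as ET

METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")

# Constructed sample mirroring the shape of the posted web.xml.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administrative Area</web-resource-name>
      <url-pattern>/NewGroup.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated area</web-resource-name>
      <url-pattern>/Edit.jsp</url-pattern>
      <http-method>DELETE</http-method><http-method>GET</http-method>
      <http-method>HEAD</http-method><http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <web-resource-collection>
      <web-resource-name>Read-only Area</web-resource-name>
      <url-pattern>/attach</url-pattern>
      <http-method>DELETE</http-method><http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name><role-name>Authenticated</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def parse_constraints(xml_text):
    """Return [(collections, roles)]: collections is a list of
    (patterns, methods-or-None); roles is None (no <auth-constraint>, open
    to everyone), an empty set (deny all) or a set of role names."""
    out = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        cols = []
        for wrc in sc.findall("web-resource-collection"):
            pats = [p.text.strip() for p in wrc.findall("url-pattern")]
            meths = {m.text.strip().upper() for m in wrc.findall("http-method")}
            cols.append((pats, meths or None))  # no <http-method> => every method
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        out.append((cols, roles))
    return out


def pattern_matches(pattern, path):
    """url-pattern semantics: exact, '/prefix/*', '*.ext' or the '/' default."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def best_pattern(constraints, path):
    """Most specific match wins: exact > longest prefix > extension > default."""
    pats = {p for cols, _ in constraints for ps, _ in cols for p in ps}
    hits = [p for p in pats if pattern_matches(p, path)]
    if not hits:
        return None

    def rank(p):
        if p == path:
            return (3, 0)
        if p.endswith("/*"):
            return (2, len(p))
        if p.startswith("*."):
            return (1, 0)
        return (0, 0)
    return max(hits, key=rank)


def required_roles(constraints, path, method):
    """None => unconstrained (anonymous allowed); set() => denied to all;
    otherwise the caller needs at least one of the returned roles."""
    pat = best_pattern(constraints, path)
    if pat is None:
        return None
    applicable = [roles for cols, roles in constraints for ps, meths in cols
                  if pat in ps and (meths is None or method.upper() in meths)]
    if not applicable:
        return None
    if any(r == set() for r in applicable):  # empty <auth-constraint> wins: deny
        return set()
    if any(r is None for r in applicable):   # constraint without auth-constraint opens it
        return None
    return set().union(*applicable)


def is_allowed(user_roles, required):
    if required is None:
        return True
    if "*" in required:  # '*' means any declared role
        return bool(user_roles)
    return bool(set(user_roles) & required)


def uncovered(constraints):
    """(pattern, method) pairs no constraint applies to: the container lets
    anyone call them, even though the pattern looks 'protected'."""
    pats = sorted({p for cols, _ in constraints for ps, _ in cols for p in ps})
    return [(p, m) for p in pats for m in METHODS
            if required_roles(constraints, p, m) is None]


if __name__ == "__main__":
    c = parse_constraints(WEB_XML)
    for path, method in [("/NewGroup.jsp", "GET"), ("/Edit.jsp", "GET"), ("/attach", "GET")]:
        print(path, method, "needs", required_roles(c, path, method))
    print("uncovered:", uncovered(c))
```

Run against the sample, the Administrative Area covers every method on /NewGroup.jsp because it lists no `<http-method>`, while the collections that do list methods constrain only those: leaving GET and HEAD open on /attach is the posted intent, but OPTIONS and TRACE on /Edit.jsp are equally unconstrained, which is easy to overlook when reading the file. Listing `uncovered()` output at deploy time is a cheap check; Servlet 3.1 and later containers also accept a `<deny-uncovered-http-methods/>` element in web.xml to close such gaps by default.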
|
---- |
|
If there is a new bug, please file it at the [issue tracker|https://issues.apache.org/jira/browse/JSPWIKI]. These bugs are considered fixed and new information is largely ignored. |
|
---- |
Note that this issue has been added to the bug tracker, [here|https://issues.apache.org/jira/browse/JSPWIKI-129]. |