This page (revision-13) was last changed on 26-Sep-2006 08:42 by null  

This page was created on 23-Mar-2004 17:39 by FosterSchucker

Difference between version and

At line 13 changed 7 lines
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/Edit.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/Edit.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
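Review bot: The `<http-method>GET</http-method>` and `<http-method>POST</http-method>` lines in the /Edit.jsp `<web-resource-collection>` restrict the constraint to those two methods, so a request to /Edit.jsp with any other HTTP method is not covered by it under the servlet specification. Remove both `<http-method>` elements so the constraint applies to every method. The /Delete.jsp collection further down lists the same two methods and needs the same change.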
At line 21 changed 12 lines
<auth-constraint>
<role-name>admin</role-name>
<role-name>editor</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/Delete.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>editor</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/Delete.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
At line 34 changed 4 lines
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
At line 46 changed one line
Restricting access to a page is not possible using the basic Container Managed Security. The problem is that the JSPWiki url looks like:
Restricting access to a page is not possible using the basic Container Managed Security supplied with most application servers. The basic service is done on an URL basis with matching using a (very) limited regexp. The problem is that the JSPWiki URL looks like:
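Review bot: "matching using a (very) limited regexp" in the new line is inaccurate, because a servlet `<url-pattern>` is not a regular expression. It accepts only an exact path, a path prefix ending in `/*`, an extension pattern of the form `*.ext`, or the default `/`, and it is matched against the request path, not the query string. Say that directly, since it is the reason a per-page constraint cannot be declared, and change "an URL basis" to "a URL basis".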
At line 54 changed one line
then container managed security would work[1].
then basic container managed security would work[1]. To do page level security requires additional work inside the application.
At line 74 changed one line
Here are more details on the [2.1 Authorizatization |http://www.jspwiki.org/Wiki.jsp?page=AuthorizationAndAuthenticationHOWTO] setup.
Here are more details on the [2.1 Authorizatization | AuthorizationAndAuthenticationHOWTO] setup.
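Review bot: The link text in the new line still carries the typo "Authorizatization" from the old line. Since this line is being touched anyway to switch to the wiki-internal link target, correct it to "Authorization" in the same change.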
At line 82 added 2 lines
----
--[FosterSchucker]
At line 85 added 20 lines
----
"Container Managed Security" doesn't mean you have to use declarative security for everything. Although, it means that you use standard J2EE APIs for doing programmatic security when not doing declarative security. Just because you can't declare security for Wiki pages doesn't mean you have to abandon J2EE security altogether. You could programmatically enforce wiki page authorization using Container Managed authentication (users/roles).
----
At my site, I have container managed security for access to basic functions like edit and delete. The standard J2EE API is used, when I log in, the container does the Authentication. It returns to JSPWiki my user information (remoteUser). Since the Wiki does not know about __roles__ it does everything on a __user__ basis. So when I login JSPWiki knows that I'm FosterSchucker, but does not care that I'm part of role ''editor''. So I am using, and JSPWiki can use Container Managed Security at a high level.
It becomes sticky when you try to control access to a WikiPage for:
*Page view
*Partial page view (Page A is included inside Page B)
*Indirect page view (LeftMenu is a good example)
*Page edit
*Page status (the More Information link)
*Page differences
----
While waiting for [Security2.3] security framework to get out of Alpha status and land on a stable JSPWiki release, I've written a really dirty hack for 2.2.33 which uses Container Managed Security and allows the usage of a specific wiki page to define edit authorizations for a set of restricted users.
It implies modifying the Edit.jsp page. Further info at [PageAuthentication on my wiki|http://battlehorse.homelinux.net/w/Wiki.jsp?page=PageAuthentication]
--[RiccardoGovoni]
----
[ContainerManagedSecurityDiscussion]
|| Version || Date Modified || Size || Author
| 13 | 26-Sep-2006 08:42 | 5.737 kB | null
| 12 | 15-Mar-2006 20:21 | 5.833 kB | 196.13.231.16
| 11 | 18-Feb-2006 16:23 | 5.835 kB | 87.10.60.182
| 10 | 18-Feb-2006 16:23 | 5.832 kB | 87.10.60.182
| 9 | 03-Feb-2006 19:21 | 5.338 kB | GWP
| 8 | 24-Mar-2004 19:06 | 5.334 kB | FosterSchucker
| 7 | 23-Mar-2004 23:47 | 4.345 kB | 129.24.70.221
| 6 | 23-Mar-2004 23:45 | 4.299 kB | 129.24.70.221
| 5 | 23-Mar-2004 23:34 | 5.812 kB | 129.24.70.221
| 4 | 23-Mar-2004 18:20 | 4.297 kB | 129.24.70.221
| 3 | 23-Mar-2004 17:42 | 3.843 kB | FosterSchucker
| 2 | 23-Mar-2004 17:41 | 3.819 kB | FosterSchucker
| 1 | 23-Mar-2004 17:39 | 3.855 kB | FosterSchucker