
This page (revision-13) was last changed on 26-Sep-2006 08:42 by null  

This page was created on 23-Mar-2004 17:39 by FosterSchucker


Difference between version and

At line 13 changed 7 lines
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/Edit.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/Edit.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
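Review bot: The explicit `<http-method>GET</http-method>` and `<http-method>POST</http-method>` elements in the `/Edit.jsp` web-resource-collection narrow the constraint to those two methods; under the servlet specification every method not listed (HEAD, PUT, DELETE, OPTIONS and so on) is left outside the constraint and served without the auth-constraint applying. Unless there is a deliberate reason to cover only GET and POST, drop the `<http-method>` elements so the constraint applies to all methods. As rendered here the old and new blocks are identical, so this change appears to be whitespace only.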
At line 21 changed 12 lines
<auth-constraint>
<role-name>admin</role-name>
<role-name>editor</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/Delete.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>editor</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/Delete.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
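Review bot: The `<auth-constraint>` blocks reference `admin` and `editor`, but nothing in the hunk declares those roles; each `<role-name>` used in an auth-constraint should also appear at the top level of web.xml as `<security-role><role-name>editor</role-name></security-role>`, and the names must match the roles the container's realm actually assigns, or the constraint never admits anyone. Adding those declarations and the `<login-config>` that selects BASIC or FORM authentication would make the example complete enough to copy.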
At line 34 changed 4 lines
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
At line 46 changed one line
Restricting access to a page is not possible using the basic Container Managed Security. The problem is that the JSPWiki url looks like:
Restricting access to a page is not possible using the basic Container Managed Security supplied with most application servers. The basic service is done on an URL basis with matching using a (very) limited regexp. The problem is that the JSPWiki URL looks like:
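Review bot: "matching using a (very) limited regexp" overstates what `<url-pattern>` does: the servlet specification defines no regular expressions at all, only exact paths (`/Edit.jsp`), path-prefix patterns (`/admin/*`) and extension patterns (`*.jsp`), and matching is done on the request path only, never on the query string. Saying that directly makes the following point about the JSPWiki URL easier to follow.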
At line 54 changed one line
then container managed security would work[1].
then basic container managed security would work[1]. To do page level security requires additional work inside the application.
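Review bot: "requires additional work inside the application" would be clearer with one sentence saying what that work is: whatever distinguishes one wiki page from another in the JSPWiki URL is not something `<url-pattern>` can match on (the constraint above covers `/Edit.jsp` for every page alike), so the application itself has to read the page name from the request and compare the caller's identity that the container supplies against that page's access list before rendering or saving.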
At line 87 added 2 lines
----
At my site, I have container managed security for access to basic functions like edit and delete. The standard J2EE API is used, when I log in, the container does the Authentication. It returns to JSPWiki my user information (remoteUser). Since the Wiki does not know about __roles__ it does everything on a __user__ basis. So when I login JSPWiki knows that I'm FosterSchucker, but does not care that I'm part of role ''editor''. So I am using, and JSPWiki can use Container Managed Security at a high level.
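Review bot: "the Wiki does not know about roles it does everything on a user basis" points at a gap the standard API already fills: alongside `getRemoteUser()`, `HttpServletRequest.isUserInRole("editor")` asks the container whether the authenticated caller holds a given role, so the application could honour the container's `editor` and `admin` roles directly instead of keeping its own per-user lists. That is the natural route to page-level checks that stay consistent with the constraints in web.xml, and is worth mentioning here.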
At line 90 added 7 lines
It becomes sticky when you try to control access to a WikiPage for:
*Page view
*Partial page view (Page A is included inside Page B)
*Indirect page view (LeftMenu is a good example)
*Page edit
*Page status (the More Information link)
*Page differences
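Review bot: The partial and indirect view items (Page A included in Page B, LeftMenu) are the strongest entries in this list and deserve a sentence of explanation: an included page is rendered under the including page's URL, so a URL-matched constraint on the included page is never consulted, and any per-page check has to run where page content is fetched or rendered rather than on the request path. Spelling that out also covers the page-differences and page-status items, each of which exposes page content through a further entry point.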
At line 89 changed one line
! JSPWiki 2.2 (2.1 Alpha) Container Manager Security
While waiting for [Security2.3] security framework to get out of Alpha status and land on a stable JSPWiki release, I've written a really dirty hack for 2.2.33 which uses Container Managed Security and allows the usage of a specific wiki page to define edit authorizations for a set of restricted users.
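Review bot: Using "a specific wiki page to define edit authorizations" makes that page the root of trust for the whole scheme, and the hunk does not say how that page itself is protected; the write-up should state that the authorization page is editable only by `admin` (through the container constraint or the hack's own list) and that the list is re-read on every check, otherwise the restriction on every other page is only as strong as the edit rights on that one page. Minor: the heading says "Container Manager Security" where the rest of the page says "Container Managed Security".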
At line 91 changed 5 lines
I thought I had found a solution to my problems of getting container manager security to work with 2.2 page authorization. It works once a person is logged in. The problem is getting them logged in since Wiki.jsp isn't secured (in a typical setup, edit.jsp would be secured but not Wiki.jsp). So there's nothing to trigger the login for a view. So I tried using the form based authentication instead of basic and converting the JSPWiki login forms into standard login forms like this: \\
{{{
<form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="password" name="j_password">
It implies modifying the Edit.jsp page. Further info at [PageAuthentication on my wiki|http://battlehorse.homelinux.net/w/Wiki.jsp?page=PageAuthentication]
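Review bot: The form snippet is incomplete: it has no submit control and no closing `</form>`, and the `{{{` opened above it is only closed in the next hunk, so the example as pasted would neither render cleanly nor submit. Add `<input type="submit" value="Login">` and `</form>`, keeping `method="POST"`, `action="j_security_check"` and the `j_username`/`j_password` field names, which are what the container's FORM login expects.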
At line 97 changed 17 lines
}}} \\
However Tomcat doesn't allow direct linking to the login and throws.
{{{
message: Invalid direct reference to form login page
description: The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).
}}}
That is, it wants a request to a secured resource to trigger the login and redirect you to the login page, not just let someone login by going to a page with a login form.
* So how do you avoid this error allow people to choose to login in Tomcat without going to a secured page?\\
or for a solution that works with both BASIC and FORM login...
* So does anyone know how you'd programmatically throw a login required to the container?\\
I know that might mean changes to some existing auth* stuff, but I'd really like to know how to do that.
--[RiccardoGovoni]
----
[ContainerManagedSecurityDiscussion]
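Review bot: On the two open questions: Tomcat rejects a direct request to the login page because FORM authentication is driven by the container's saved request for a protected resource, so the usual answer to letting people choose to log in is to point the login link at any URL covered by a `<security-constraint>` (a dedicated `/Login.jsp` placed under the constraint is enough), after which the container presents the form and redirects back on success; this works the same way for BASIC. Asking the container to authenticate programmatically was not possible with the servlet API of the time; Servlet 3.0 later added `HttpServletRequest.authenticate(response)` and `login(username, password)` for exactly this case, which would be worth recording here for readers on newer containers.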