AnswerMe

I want to know how I could make only the Administrator Group create users on my wiki. I want hard security on it. So I changed the policy as below; the problem is: how can I create and delete users? I want only the ADMIN to be able to do it...

keystore "jspwiki.jks";

grant signedBy "jspwiki" {
    permission java.security.SecurityPermission   "getPolicy";
    permission java.security.SecurityPermission   "setPolicy";
    permission java.util.PropertyPermission       "java.security.auth.login.config", "write";
    permission java.util.PropertyPermission       "java.security.policy", "read,write";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
};

grant signedBy "jspwiki", 
  principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

grant signedBy "jspwiki",
  principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

grant signedBy "jspwiki", 
  principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

grant signedBy "jspwiki",
  principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "JSPWiki";
};
grant signedBy "jspwiki",
  principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "JSPWiki";
};


With the stock JSPWiki, I don't think there's any way to do it.

You can, of course, modify jspwiki.policy to prevent ordinary users from creating accounts (i.e., remove 'editProfile' rights from Authenticated users). Members of the Admin group will, of course, have that permission. However, JSPWiki's design is centered around the concept of self-registration, so it has internal checks to ensure that the wrong person isn't changing a profile. There is no permission-based exception, so Admin users are prevented from doing this just as ordinary users are.

As a quick hack, you can edit the userdatabase.xml (or whatever you use) manually, to create (and remove) accounts.

Otherwise, you need to create a new module to do this. I've done this, but it's presently a terrible hack.

Terry Steichen 9/20/06

--TS, 20-Sep-2006


Use the following trick:

Protect UserPreferences.jsp using your web.xml, and have a separate account for adding users for your servlet container (e.g. by using tomcat-users.xml). Yes, you would be mixing two authentication schemes. But for this case, it should not matter.

-- JanneJalkanen
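
The container-level protection suggested above could look like the following fragment. It is an added example, not part of the original thread or of JSPWiki's shipped configuration, and the role name `wiki-user-admin`, the user name `useradmin`, the realm name and the password placeholder are all assumptions.

```xml
<!-- WEB-INF/web.xml (fragment): only the container role may reach the
     profile-creation page. "wiki-user-admin" is a hypothetical role name. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>JSPWiki profile creation</web-resource-name>
    <url-pattern>/UserPreferences.jsp</url-pattern>
    <!-- No <http-method> elements: the constraint then covers every
         HTTP method, not just the ones you remembered to list. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>wiki-user-admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC sends the password on every request; require TLS. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- A web application has exactly one <login-config>; if your web.xml
     already defines one, reuse it instead of adding this. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Wiki user administration</realm-name>
</login-config>

<security-role>
  <role-name>wiki-user-admin</role-name>
</security-role>

<!-- conf/tomcat-users.xml (separate file): the one container account
     allowed through. Username and password are placeholders. -->
<tomcat-users>
  <role rolename="wiki-user-admin"/>
  <user username="useradmin" password="REPLACE_WITH_STRONG_PASSWORD"
        roles="wiki-user-admin"/>
</tomcat-users>
```

As the next reply points out, UserPreferences.jsp also serves profile edits, so this constraint keeps ordinary users from changing their own preferences too.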

UserPreferences.jsp is also used after profile creation, to edit the user profile. Ideally, we need to restrain profile creation to the admin, but users still need to edit their preferences, e.g. password.

I once got around this problem by hacking the JSP: I restrained the wiki name to a fixed list. That doesn't prevent a malicious user from adding their own by hacking the URL parameters, but that was too much of a refinement on my intranet. I still think this deserves an official feature, in particular so that a MereMortal may administer a Wiki's users list. I suggested Idea Admin Creates User Profiles.

-- JDuprez


Janne,

As I recall, JSPWiki has all sorts of internal checks to ensure that only the specified user can create or modify the profile. How would this trick bypass those checks?

--TS, 21-Sep-2006


Err... Profile creation is done if you are not yet logged in. Just don't log into JSPWiki, and authenticate using the container. If container auth is not enabled, JSPWiki should happily imagine you're just a poor schmuck trying to register.

Modifying the profile, well, that's trickier. But this question is really only about adding users :)

-- JanneJalkanen


Workaround using existing features: if the OP doesn't really care about profile creation itself, but merely wants to restrict access of new users, the following configuration could work:

If all of this works [1], anonymous users can still create a profile, but they can't access anything until the admin adds them to the "RegisteredUsers" group.

[1] Actually I didn't manage to have this working on JSPWiki 2.3.72 (at that time I deemed the handling of GroupPrincipal was buggy and gave up). I haven't bothered trying again since I upgraded to 2.4. I hacked away my UserPreferences.jsp instead.

-- JDuprez


Hi

Could you please attach your UserPreferences.jsp? This is exactly what I want... Also, have you managed to get the RegisteredUsers Group to work?

Thanks -- GregP


I've protected my wiki using Tomcat authentication. This works fine, except that I can't delete pages and attachments. It seems I can't set up a proper admin account. Any ideas how I can do this?

--RvW, 11-Feb-2007


Janne, are you suggesting that container authentication be used and that by default anonymous users are always "authenticated" as a "guest" user with no rights? How would this automatic guest authentication occur without custom coding?

I have created a formal request for the createProfile permission here: https://issues.apache.org/jira/browse/JSPWIKI-266

--AaronH, 10-May-2008

« This page (revision-21) was last changed on 26-Apr-2011 11:10 by 195.222.46.9