[AnswerMe]

yesy
I want to know how I could make it so that only the Administrator group can create users on my wiki. I want hard security on it.
So I changed the policy as below. The problem is: how can I create and delete users? I want only the ADMIN to be able to do it...

{{{
keystore "jspwiki.jks";

grant signedBy "jspwiki" {
    permission java.security.SecurityPermission   "getPolicy";
    permission java.security.SecurityPermission   "setPolicy";
    permission java.util.PropertyPermission       "java.security.auth.login.config", "write";
    permission java.util.PropertyPermission       "java.security.policy", "read,write";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
};

grant signedBy "jspwiki", 
  principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

grant signedBy "jspwiki",
  principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

grant signedBy "jspwiki", 
  principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

grant signedBy "jspwiki",
  principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "JSPWiki";
};
grant signedBy "jspwiki",
  principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "JSPWiki";
};
}}}


----

With the stock JSPWiki, I don't think there's any way to do it. 

You can, of course, modify jspwiki.policy to prevent ordinary users from creating accounts (i.e., remove 'editProfile' rights from Authenticated users).  Members of the Admin group will, of course, have that permission.  However, JSPWiki's design is centered around the concept of self-registration, so it has internal checks to ensure that the wrong person isn't changing a profile.  There is no permission-based exception - so Admin users are prevented from doing this just as are ordinary users.

As a quick hack, you can edit the userdatabase.xml (or whatever you use) manually, to create (and remove) accounts.

Otherwise, you need to create a new module to do this.  I've done this, but it's presently a terrible hack.

Terry Steichen  9/20/06

--TS, 20-Sep-2006

----

Use the following trick:

Protect UserPreferences.jsp using your web.xml, and have a separate account for adding users for your servlet container (e.g. by using tomcat-users.xml).  Yes, you would be mixing two authentication schemes.  But for this case, it should not matter. 

-- JanneJalkanen

UserPreferences.jsp is also used after profile creation, to edit the user profile. Ideally, we need to restrain profile creation to the admin, but users still need to edit their preferences, e.g. password.

I once got around this problem by hacking the JSP: I restrained the wiki name to a fixed list. That doesn't prevent a malicious user from adding their own by hacking the URL parameters, but that was too much of a refinement on my intranet. I still think this deserves an official feature, in particular so that a [MereMortal] may administer a Wiki's users list. I suggested [Idea Admin Creates User Profiles].

-- JDuprez

----

Janne,

As I recall, JSPWiki has all sorts of internal checks to ensure that only the specified user can create or modify the profile.  How would this trick bypass those checks?


--TS, 21-Sep-2006

----

Err...  Profile creation is done if you are not yet logged in.  Just don't log into JSPWiki, and authenticate using the container.  If container auth is not enabled, JSPWiki should happily imagine you're just a poor schmuck trying to register.

Modifying the profile, well, that's trickier.  But this question is really only about adding users :)

-- JanneJalkanen
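
The container-side setup described in the two replies above, written out as an added example that is not from the thread or from the JSPWiki distribution. The role name `wiki-user-admin`, the account name `useradmin`, the realm name and the placeholder password are assumptions, and the URL pattern assumes UserPreferences.jsp sits at the root of the web application.

```xml
<!-- WEB-INF/web.xml (fragment, added example): only a container-level
     account in the assumed role "wiki-user-admin" may request the page
     that creates profiles. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Profile creation</web-resource-name>
    <url-pattern>/UserPreferences.jsp</url-pattern>
    <!-- No <http-method> elements, so GET, POST and every other
         method are all covered by the constraint. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>wiki-user-admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC sends the password on every request; require TLS
         (assumes an HTTPS connector is configured in the container). -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Wiki user administration</realm-name>
</login-config>

<security-role>
  <role-name>wiki-user-admin</role-name>
</security-role>

<!-- conf/tomcat-users.xml (fragment, added example): the separate
     container account used only for adding wiki users. It is not a
     JSPWiki login; the admin stays logged out of the wiki itself. -->
<tomcat-users>
  <role rolename="wiki-user-admin"/>
  <user username="useradmin" password="CHANGE_ME" roles="wiki-user-admin"/>
</tomcat-users>
```

Because the same JSP also serves profile edits, ordinary users lose access to their own preferences and password changes under this constraint, which is the limitation raised earlier in the thread.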

----

Workaround using existing features:
If the OP doesn't really care about profile creation itself, but merely wants to restrict access of new users, the following configuration could work:
* Allow anyone to create their profile
* Remove "view", etc... permissions from Authenticated
* And add them to a "RegisteredUsers" GroupPrincipal instead
* Enable only the Admin to edit the "RegisteredUsers" Group

If all of this works [1], anonymous users can still create a profile, but they can't access anything until the admin adds them to the "RegisteredUsers" group.

[#1] Actually I didn't manage to have this working on JSPWiki 2.3.72 (at that time I deemed the handling of GroupPrincipal was buggy and gave up). I haven't bothered trying again since I upgraded to 2.4. I hacked away my UserPreferences.jsp instead.

-- JDuprez

----

Hi 

Could you please attach your UserPreferences.jsp? This is exactly what I want... Also, have you managed to get the RegisteredUsers Group to work?

Thanks -- GregP


----

I've protected my wiki using Tomcat authentication. This works fine, except that I can't delete pages and attachments. It seems I can't setup a proper admin-account. Any ideas how I can do this?

--RvW, 11-Feb-2007

----

Janne, are you suggesting that container authentication be used and that by default anonymous users are always "authenticated" as a "guest" user with no rights?  How would this automatic guest authentication occur without custom coding?

I have created a formal request for the createProfile permission here: https://issues.apache.org/jira/browse/JSPWIKI-266

--AaronH, 10-May-2008