The purpose of the Auth plugin is to provide page-level security for JSPWiki 2.0.x. It is an authorization plugin only: it relies on container-managed security to perform the authentication (and to help control access to some of the JSP files), and then decides, from the user name and roles the container reports, who may view or edit a page.

[{Auth allow='admin' deny='Janne' edit='editor'}]

Parameters#

allow (optional)[1]
a comma-separated list of user names and/or roles that have access to this page[1].
deny (optional)
a comma-separated list of user names and/or roles that are denied access to this page, even if they also match the allow list
edit (optional)
a comma-separated list of user names and/or roles that have edit access to this page

In the example given, everyone in the admin group can see the page except Janne (deny wins over allow), and those who can see it and have the 'editor' role can also edit it.


How to use it#

There are two different ways to use Auth. First is to control the viewing of a block of text inside of a page:
Everyone will see this text
[{Auth allow='editor'

Only those people with ''editor'' roles will see this text
}]
This text will also be seen by everyone. 

Only the text inside the body of the Auth plugin is controlled. The plugin can be used any number of times on a page, but plugins cannot be nested, so the following does not work:

Everyone will see this text
[{Auth allow='editor'

Only those people with ''editor'' roles will see this text
[{Auth allow='admin' 

Only those people with ''editor'' and ''admin'' roles will see this text
}]
Only ''editors'' will see this line
}]
This text will also be seen by everyone. 

The second way is to control access to the entire page.

[{Auth allow='ATeam' deny='BA' edit='ATeam'}]
Plane trip for next week is on, I love it when a plan comes together!
Everyone with the ATeam role except BA can see this page, and those who can see it (the rest of the ATeam) can also edit it; BA is denied outright, so the edit entry does not apply to him.

How it works#

Auth plugin -- simply put, it takes the parameters passed and checks each entry in the list against the user name and roles the container reports[2]:
if (checkthisguy.equalsIgnoreCase(request.getRemoteUser())) {..}   // entry matches the authenticated user name
if (request.isUserInRole(checkthisguy)) {..}                        // entry matches one of the user's container roles
If nothing in the allow list matches, an AssertionError("Not allowed to see this page") is thrown. The error propagates to the outermost layer of the container, which produces an error page carrying that message. (Tested with Resin and WebLogic; your container may or may not behave the same way. If it catches the error and carries on rendering, the protection fails open, so test this before relying on it.)

If the user is allowed to view the page then an entry is also made in the session variable pageview. A similar entry is made in pageedit if they can edit the page.

In most cases the user will not be able to click on the Edit this page link, since if they can't see the page they are looking at an error page that has no such link on it.

While security through obscurity works for some, some users may elect to type the edit URL in by hand. To protect against this you will need to edit your Edit.jsp file to check whether they are allowed to edit the page. While you are at it, you should also change the Diff.jsp and PageInfo.jsp files, since they reveal page content and history through their own URLs.
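The decision the two lines in "How it works" implement, written out as an added Java example for this page (it is not the plugin's own source). A small UserContext interface stands in for the two HttpServletRequest methods the plugin calls, the users, roles and page settings are constructed for the demo, and the plugin's wildcard handling is not reproduced. It also shows the deny-by-default case from footnote [1], which is why an Edit.jsp check should make the same call rather than trust that a denied user never saw the link:

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not the plugin's own source): the access decision the page
 * describes. Each comma-separated entry in allow/deny/edit is matched against
 * the container's remote user name (equalsIgnoreCase) or against a container
 * role (isUserInRole); deny is checked before allow, and a page with no
 * matching allow entry is denied by default.
 */
public class AuthDecisionExample {

    /** Assumed stand-in for the two HttpServletRequest methods the plugin uses. */
    public interface UserContext {
        String getRemoteUser();            // null when the container authenticated nobody
        boolean isUserInRole(String role);
    }

    public enum Decision { DENIED, VIEW, VIEW_AND_EDIT }

    /**
     * Same shape as the plugin's userInList(request, accesslist, username):
     * username == null means "the user behind this request". A null or empty
     * list never matches (the plugin's wildcard syntax is not reproduced here).
     */
    public static boolean userInList(UserContext ctx, String accessList, String username) {
        if (ctx == null || accessList == null) {
            return false;
        }
        String user = (username != null) ? username : ctx.getRemoteUser();
        for (String raw : accessList.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) {
                continue;                      // tolerate "a,,b" and trailing commas
            }
            if (user != null && entry.equalsIgnoreCase(user)) {
                return true;                   // matched by user name
            }
            if (ctx.isUserInRole(entry)) {
                return true;                   // matched by container role
            }
        }
        return false;
    }

    /** deny wins over allow; edit only matters for users who may already view. */
    public static Decision decide(UserContext ctx, String allow, String deny, String edit) {
        if (userInList(ctx, deny, null)) {
            return Decision.DENIED;
        }
        if (!userInList(ctx, allow, null)) {
            return Decision.DENIED;            // no allow entry matched: deny by default
        }
        return userInList(ctx, edit, null) ? Decision.VIEW_AND_EDIT : Decision.VIEW;
    }

    /** Constructed fake principal standing in for what the container would report. */
    static UserContext fakeUser(final String name, String... roles) {
        final Set<String> roleSet = new HashSet<String>(Arrays.asList(roles));
        return new UserContext() {
            public String getRemoteUser() { return name; }
            public boolean isUserInRole(String role) { return roleSet.contains(role); }
        };
    }

    public static void main(String[] args) {
        // The page's own example: [{Auth allow='ATeam' deny='BA' edit='ATeam'}]
        String allow = "ATeam", deny = "BA", edit = "ATeam";

        UserContext hannibal  = fakeUser("Hannibal", "ATeam");   // in the role, not denied
        UserContext ba        = fakeUser("BA", "ATeam");         // in the role, but named in deny
        UserContext decker    = fakeUser("Decker", "Army");      // wrong role
        UserContext anonymous = fakeUser(null, new String[0]);   // container authenticated nobody

        System.out.println("Hannibal : " + decide(hannibal, allow, deny, edit));
        System.out.println("BA       : " + decide(ba, allow, deny, edit));
        System.out.println("Decker   : " + decide(decker, allow, deny, edit));
        System.out.println("anonymous: " + decide(anonymous, allow, deny, edit));

        // Footnote [1]: leaving allow= out locks everyone out, editors included.
        System.out.println("no allow : " + decide(hannibal, null, null, edit));

        // User-name match is case-insensitive, role match is not, as in the page's snippet.
        System.out.println("'ba' vs BA: " + userInList(ba, "ba", null));
    }
}
```

Compile and run it with `javac AuthDecisionExample.java && java AuthDecisionExample`; no servlet container is needed because the constructed UserContext replaces the request. In a real Edit.jsp the same decide() call, fed the page's allow/deny/edit values, is what stops a user who typed the edit URL by hand.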

Finally, things like Recent Changes will still list the hidden pages to every user. This means they will know there is a page called TopSecretPlans even though they can't view it. If this is a concern to you, you can do one of two things:

  1. Call your hidden pages something like Hidden_TopSecretPlans and change your Recent Changes to ignore pages whose names start with Hidden_.
  2. Use the new 2.1 wiki with its full-featured Authorization And Authentication.

Disclaimer#

This is how I do it; you may not get it to work without some (high) level of effort on your part. I can try to help you, but plan to spend some time: this is not just a plugin you can drop in and use. -- FosterSchucker

3 August 2004#

I've uploaded a new version that fixes a bug if there are many roles in the list. I've also made it a static method and moved all of the null checking, wildcards, etc. into the method userInList. This allows Auth to be safely called from other places (like tags, pages, etc.).

I've uploaded the source to the Auth plugin and the source for AuthTag, if you want a compiled version (jar file) let me know.

New exposed method

public static boolean userInList(HttpServletRequest request, String accesslist, String username)
sample call
if (Auth.userInList(request, "editor,admin,superuser", null)) { ... }
This will check whether this user is in any of those roles.

TLD for AuthTag

  <tag>
    <name>Auth</name>
    <tagclass>com.ecyrd.jspwiki.tags.AuthTag</tagclass>
    <bodycontent>JSP</bodycontent>
    <attribute>
       <name>allow</name>
       <required>false</required>
    </attribute>
    <attribute>
       <name>deny</name>
       <required>false</required>
    </attribute>
  </tag>

[#1] The code denies access by default. While the allow parameter is not required, it is a good idea to include it: without it you can make a page that no user can see.
[#2] The site administrator is still responsible for putting the user, password and role(s) into the container.


List of attachments

Kind  Attachment Name  Size    Version  Date Modified      Author          Change note
jar   Auth.jar         4.3 kB  1        21-Jul-2004 12:28  129.13.186.4
java  Auth.java        7.4 kB  4        03-Aug-2004 22:08  FosterSchucker
java  AuthTag.java     3.2 kB  1        04-Aug-2004 05:31  FosterSchucker
This page (revision-15) was last changed on 12-Oct-2007 06:44 by JanneJalkanen