''Authentication'' is the process of logging in, and making sure that the user actually is who he says he is. 
''Authorization'', or access control, defines the rights and permissions of users, be they unauthenticated guests or known and authenticated individuals.
While the two are separate problems from an architecture perspective, an administrator usually considers them jointly. Thus, this combined status and instruction page.

!Current status: early alpha. Only available in CVS.

JSPWiki version 2.1.51 is slowly acquiring auth capabilities.
Under development by [Janne|Janne Jalkanen]. Syntax may still change.

User authentication and authorization works; groups don't. Only the three default groups ''Guest'', ''~NamedGuest'', and ''~KnownPerson'' are currently usable. 

JSPWiki developers are invited to collect their observations on the Auth* scheme on [Authorization and Authentication Development].


!!Setting up user authentication

Add the following properties to ''jspwiki.properties'':
  jspwiki.authenticator = FileAuthenticator
  jspwiki.fileAuthenticator.fileName = /tmp/passwords.txt

Edit the password file:
  # The format is simply username = password
  # No encryption is used currently.
  # Comments are allowed; prepend with hash.
  ebu = foobar
  ubi = frobozz

Restart the container, and access the main page. If you use the default [template|JSP Wiki Templates], a small login box should appear in the left margin. Enter the username in the upper box and the password in the lower, and click on login. If you see the friendly greeting, you have authenticated successfully.


''~FileAuthenticator'' is a fairly simple class (''com.ecyrd.jspwiki.auth.modules.~FileAuthenticator''). You can write your own class to implement ''com.ecyrd.jspwiki.auth.~WikiAuthenticator'', make sure the webapp can find the class, and use the full class name for the ''jspwiki.authenticator'' property to do your own, custom authentication. 

!!About Groups

Group support is not finished at this time. Three system groups are defined:
* anyone accessing the wiki belongs to group ''Guest''
* anyone who has set their name on the user preferences page belongs to group ''~NamedGuest''
* anyone who has been authenticated belongs to group ''~KnownPerson''

In the future, the default method to create a group Xyzzy with members Foo and Bar is to 
* create a page called ''Xyzzy''
* on the page, add the statement [[{SET members='Foo, Bar'}]
Naturally, a custom implementation can be substituted if you wish to look group information up in some other manner.


Groups actually work if you don't use the prospective default implementation (''~WikiDatabase'') that uses WikiPages for group definition. 
[I|ebu] wrote a minor patch to ''~UserManager'', now available in the CVS HEAD. You can now define the property ''jspwiki.userdatabase = path.to.your.class'' and plug in a ''com.ecyrd.jspwiki.auth.~UserDatabase'' implementation. Again, this is a fairly simple operation, but expect to adjust for [Janne|JanneJalkanen]'s changes before any version releases. 


!Page Access Rules

Plugin-like entries on a page define the access level of users. The following examples illustrate the syntax:

A publicly viewable page (since everyone belongs to group ''Guest''), editable only by users ebu and ubi:
  [{ALLOW view Guest}]
  [{DENY edit Guest}]
  [{ALLOW edit ebu, ubi}]

A page viewable by ebu and ubi only, editable by ebu only:
  [{DENY view Guest}]
  [{ALLOW view ebu, ubi}]
  [{DENY edit Guest}]
  [{ALLOW edit ebu}]

As can be seen from the parameters, both usernames and group names can be specified in access rules. (We just can't specify new groups quite yet.) Note that ''edit'' does not imply ''view'', and that the order of inclusion-exclusion does not matter. Positive permission takes precedence.

!Default Access Rules

Theoretically, creating a page named ''~DefaultPermissions'' and placing a set of access rules on it should make those rules apply to all pages. Page-specific access rules should replace the defaults, if present. ''However'', the default system does not seem to work properly, and is liable to change (at least into a more configurable form).


Administrators are people who are allowed to do whatever they please in the wiki system.  No access rights stop them.

You can set the name of the administrator group by setting the {{jspwiki.auth.administrator}} property in your jspwiki.properties.  For example:

jspwiki.auth.administrator = WikiAdmin

The default value for the admin group is "WikiAdmin".

On the group page you would then list those people who are a part of this group.  For example, to make ~JackJones and ~JillJones administrators, use:

[{SET members='JackJones, JillJones'}]
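The rule semantics described above (ALLOW beats DENY regardless of order, ''edit'' not implying ''view'', the three system groups, ''~DefaultPermissions'' being replaced by page rules, and the administrator bypass), modelled as an added Python example; this is not JSPWiki's own code, the sample password file and pages are constructed, and it assumes that a page with no rule at all for an action is open, which the page does not state.

```python
import re

# Constructed sample inputs in the formats described on this page (not from a real wiki).
PASSWORD_FILE = "# username = password, no encryption\nebu = foobar\nubi = frobozz\n"
ADMIN_GROUP_PAGE = "[{SET members='JackJones, JillJones'}]"
DEFAULT_PERMISSIONS = "[{ALLOW view Guest}]\n[{DENY edit Guest}]\n[{ALLOW edit KnownPerson}]"
PRIVATE_PAGE = "[{DENY view Guest}][{ALLOW view ebu, ubi}][{DENY edit Guest}][{ALLOW edit ebu}]"
RULE_RE = re.compile(r"\[\{(ALLOW|DENY)\s+(view|edit)\s+([^}]+)\}\]")
MEMBERS_RE = re.compile(r"\[\{SET\s+members='([^']*)'\}\]")

def parse_password_file(text):
    """'name = password' per line; '#' starts a comment; passwords are stored in clear."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, password = line.partition("=")
            users[name.strip()] = password.strip()
    return users

def group_members(group_page_text):
    """Members listed by the [{SET members='...'}] statement on a group page."""
    m = MEMBERS_RE.search(group_page_text)
    return {p.strip() for p in m.group(1).split(",")} if m else set()

def principals(username=None, authenticated=False, admins=frozenset(), admin_group="WikiAdmin"):
    """Everyone is Guest; a name set in preferences adds NamedGuest; a login adds KnownPerson."""
    names = {"Guest"}
    if username:
        names |= {username, "NamedGuest"}
    if authenticated:
        names.add("KnownPerson")
        if username in admins:  # assumption: admin group membership only counts once logged in
            names.add(admin_group)  # group named by jspwiki.auth.administrator
    return names

def parse_rules(page_text):
    """[(is_allow, action, {principals})] for each [{ALLOW ...}] / [{DENY ...}] entry."""
    return [(kind == "ALLOW", action, {p.strip() for p in names.split(",")})
            for kind, action, names in RULE_RE.findall(page_text)]

def is_allowed(action, who, page_text, default_text="", admin_group="WikiAdmin"):
    """Page rules replace the DefaultPermissions rules; administrators bypass everything."""
    if admin_group in who:
        return True
    rules = parse_rules(page_text) or parse_rules(default_text)
    hits = [allow for allow, act, names in rules if act == action and names & who]
    # Order is irrelevant and any matching ALLOW wins over a DENY; rules for 'edit'
    # never affect 'view'. Assumption: with no rule for the action at all, access is open.
    return any(hits) or not hits
```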



!Multiple Wiki Site Security

Hmm, any indications on how security and such can be set up and administered on, say, a wiki installation of 8 wikis with about 20 users?  Am I going to have massive duplication and have to manually synch stuff between the wikis?  Any way to set up a master security configuration and have it propagate through each wiki?  (Tangentially related to my SecurityHelp question.) --JohnVolkar

User/password databases can be shared.  The default PageAuthorizer finds its permissions on the WikiPages themselves. --JanneJalkanen


Old discussion: [Requirements for JSPWiki Authentication]


[Category Development] - to be moved to Documentation once auth* is ready.