This is version . It is not the current version, and thus it cannot be edited.
[Back to current version]   [Restore this version]
TitleACL commands being ignored
Date14-Sep-2006 13:43:01 EEST
Bug criticalityBadBug
Browser versionIE 6.0.28/Firefox
Bug statusClosedBug
PageProvider used
Servlet ContainerTomcat 5.0.28
Operating SystemSolaris 10
Java version1.5.0_06-b05


I have just depolyed JSP Wiki and am playing around with the Authentication and Authorisation trying to learn how it works!

I have the wiki configured to use container based Authentication and have modified the jspwiki.policy to only allow Authenticated users to edit and create pages.

All other users should be allow to view all pages except on a per page basis where ACL Markup is used.

The problem that I am encountering is that even though I have included ACL view restriction as per below:

[{ALLOW view Authenticated, User1}]

all users can wiew this page. It appears as though the Markup is being ignored?

As I said I am trying to learn how the wiki works and prior to making some of my modifications to the security settings the ACL was working.

I seemed to be having some problems with pages caching (not sure wheher it was in browser, at proxy server or within the JSP container - or a combination of all of these) whereby the output markup was being rendered with the previously logged in users settings (e.g. if a newly logged in user tried to create a new group they would see the last new group created by the previously logged in user) so I have configured with:

jspwiki.usePageCache = false

I am not sure that this is not a separate issue which is obfuscating my view of the ACL issue?

Anyway, no matter what I now do in the page markup - the ACL is just ignored..

Any ideas?



I think this is somehow related to some other caching bugs we are seeing (e.g. author names not updating). If you re-edit the page, does the ACL then refresh?

-- JanneJalkanen, 24-Sep-2006

I'm having the same issue as well. [{ALLOW edit JamesW}] is the top line of the .txt file, but it allows everyone to edit.

I also have the page cache turned to false.

I'm trying various things to get the ACL command to work, re-editing the page, etc. Shutting down & starting back up....nothing works.

--James W., 19-Oct-2006

Seems to be working nicely here. Put braces around your ACL, because it was preventing anyone from viewing the page ;-)

What if you turn the page cache to "true"?

-- JanneJalkanen, 20-Oct-2006

I have since rolled back the installation and deployed the latest release 2.4.71. I am unable to recreate this problem now, so the problem seems to be resolved.

Not sure if there has been a fix in this latest release of if the roll back of some configuration setting that I had previously implemented has had the dessired effect? Either way it seems fine now.

Anyway thanks for your suggestions.


--Paul, 24-Oct-2006

Marked closed.

-- JanneJalkanen

Hi Janne,

I still had problem with this ACL commands.They are not working.I have deployed the JSPWiki 2.4.103 in mine Tomcat4.1 web server.everything is working fine except this ACLs.I have done some changes in the policy file also,which are working fine.can you give me some clue,how to fix this ACL problem.IF you want any other info regarding mine deployment of JSPWiki then do let me know please but I want your help urgently. I have given this commands like this--

[{ALLOW view balwinder}]

where balwinder is mine JSPWiki name.

-- Balwinder

Hello out there,

I'm having the same problem (version 2.4.102), deployed on a Websphere 6.0. I am working with container-authentication, I disabled the Asserted-JAAS-Modul, I think the rest is mainly the released version, I did not change many things in the configuration. I would be very pleased if you could help me to fix this!

I have some more Information to add:

I debugged a bit around, and the ACL is being parsed. The problem is: every user has the AllPermission. In the Method checkPermission( WikiSession session, Permission permission ) in the AuthorizationManager the hasAllPermission is being set to true.

-- albert

Add new attachment

Only authorized users are allowed to upload new attachments.
« This particular version was published on 15-Oct-2007 09:32 by albert.