Forget about me, this is indeed not a bug, but instead a wrong setting on my part... stupid me!

I leave the description here in case someone has the same issue and stumbles on this page when searching for support...

Title: Anonymous View Denied
Date: 26-Apr-2006 18:05:34 EEST
Version: 2.4.0
Submitter: 195.25.133.175
Bug criticality: MediumBug
Browser version: ie, firefox
Bug status: NotABug
PageProvider used: VersioningFIleProvider
Servlet Container: Tomcat 5.5.9
Operating System: Windows XP Pro
URL: ?
Java version: 1.5.0_6

I try to set up a Wiki where only authenticated users are allowed to edit pages. I grant only "view" access to users with the Anonymous built-in role. It all works as expected until an authenticated user logs out (and their status falls back to asserted). Then the user cannot view any page and has to log in again.

Here are the relevant sections of my jspwiki.policy:

// Guest users
// Note the commented lines, but note too that the "view all pages" permission is explicit.
grant signedBy "jspwiki" 
  principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
    //permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Guest*", "edit";
    //permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

// Asserted role: the error is here: I simply commented out the "edit" permission,
// and forgot to add a "view" one!
grant signedBy "jspwiki" 
  principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
    //permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Guest*", "edit";
    //permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};


// Authenticated users:
grant signedBy "jspwiki" 
  principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Group*", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

I should have understood it from the logs, where we clearly see that the user name is still recognized (so the user is not anonymous).

2006-04-26 17:04:20,891 [http-8080-Processor25] INFO SecurityLog BenchesWiki:http://e000433:8080/BenchesWiki/Wiki.jsp - WikiSecurityEvent.ACCESS_DENIED [source=com.ecyrd.jspwiki.auth.AuthorizationManager@5e9f1, princpal=[WikiPrincipal (fullName): Jérôme Duprez], target=("com.ecyrd.jspwiki.auth.permissions.PagePermission","BenchesWiki:Main","view")]
2006-04-26 17:04:20,891 [http-8080-Processor25] INFO com.ecyrd.jspwiki.WikiContext BenchesWiki:http://e000433:8080/BenchesWiki/Wiki.jsp - User Jérôme Duprez has no access - redirecting (permission=("com.ecyrd.jspwiki.auth.permissions.PagePermission","BenchesWiki:Main","view"))
2006-04-26 17:04:20,907 [http-8080-Processor25] INFO SecurityLog BenchesWiki:http://e000433:8080/BenchesWiki/Login.jsp - WikiSecurityEvent.ACCESS_DENIED [source=com.ecyrd.jspwiki.auth.AuthorizationManager@5e9f1, princpal=[WikiPrincipal (fullName): Jérôme Duprez], target=("com.ecyrd.jspwiki.auth.permissions.WikiPermission","BenchesWiki","creategroups")]
2006-04-26 17:04:20,923 [http-8080-Processor25] INFO SecurityLog BenchesWiki:http://e000433:8080/BenchesWiki/Login.jsp - WikiSecurityEvent.ACCESS_DENIED [source=com.ecyrd.jspwiki.auth.AuthorizationManager@5e9f1, princpal=[WikiPrincipal (fullName): Jérôme Duprez], target=("com.ecyrd.jspwiki.auth.permissions.WikiPermission","BenchesWiki","creategroups")]
2006-04-26 17:04:20,923 [http-8080-Processor25] INFO SecurityLog BenchesWiki:http://e000433:8080/BenchesWiki/Login.jsp - WikiSecurityEvent.ACCESS_DENIED [source=com.ecyrd.jspwiki.auth.AuthorizationManager@5e9f1, princpal=[WikiPrincipal (fullName): Jérôme Duprez], target=("com.ecyrd.jspwiki.auth.permissions.WikiPermission","BenchesWiki","creategroups")]
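To make the misconfiguration above concrete, here is an added example (not part of the original report or of JSPWiki itself) that parses the relevant grant blocks of a jspwiki.policy excerpt and answers the same question the AuthorizationManager answered in the log: does a user holding only the "Asserted" role get "view" on "BenchesWiki:Main"? The action implication table (edit implies view, modify implies edit) is an assumed simplification of JSPWiki's PagePermission semantics, and the policy text is a constructed excerpt of the one posted above.

```python
import re
from fnmatch import fnmatchcase

# Constructed excerpt of the poster's jspwiki.policy: the "Asserted" block has no "view" grant.
POLICY = '''
grant signedBy "jspwiki"
  principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Guest*", "edit";
};
grant signedBy "jspwiki"
  principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
    //permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Guest*", "edit";
};
'''
# Same policy with the missing "view" line added to the "Asserted" block (the fix described above).
POLICY_FIXED = POLICY.replace(
    'Role "Asserted" {',
    'Role "Asserted" {\n    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";')

GRANT_RE = re.compile(r'grant\b[^{]*?Role\s+"(\w+)"\s*\{(.*?)\};', re.S)
# "^\s*permission" skips lines commented out with "//", as the policy loader would.
PERM_RE = re.compile(r'^\s*permission\s+\S+PagePermission\s+"([^"]+)"\s*,\s*"([^"]+)"\s*;', re.M)

# Assumed, simplified action implication (JSPWiki's real PagePermission has more actions).
IMPLIES = {"view": {"view"}, "edit": {"edit", "view"}, "modify": {"modify", "edit", "view"}}


def parse_policy(text):
    """Map role name -> list of (page pattern, set of actions incl. implied ones)."""
    roles = {}
    for role, body in GRANT_RE.findall(text):
        for target, actions in PERM_RE.findall(body):
            granted = set()
            for a in actions.split(","):
                granted |= IMPLIES.get(a.strip(), {a.strip()})
            roles.setdefault(role, []).append((target, granted))
    return roles


def is_allowed(policy, roles, page, action):
    """True if any of the user's roles grants `action` on `page` (written "wiki:Page")."""
    return any(fnmatchcase(page, target) and action in granted
               for role in roles for target, granted in policy.get(role, []))
```

With the broken policy an Asserted user can still view pages whose name starts with "Guest" (edit implies view there) but not "BenchesWiki:Main", which is exactly the ACCESS_DENIED entry in the log above.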


Hi --

Thanks for posting this. Looks like you found out what the issue is, namely that you didn't include view permission in the 'asserted' block in the policy file. So yes, it will want to redirect you to the login page after logout, because the user status falls back to 'asserted'.

Another person posted a bug request asking us to change the default behavior of the logout process so that it removes the assertion cookie also. That would cause the user's status to fall back to 'Anonymous'. It's a good idea, and your example gives me another reason why.

Also -- I think what I will do in the next revision of the default jspwiki.policy file is add a standard block for 'All' users. That will make the grant blocks for the other roles more compact.

--Andrew Jaquith, 28-Apr-2006

This page (revision-7) was last changed on 28-Apr-2006 10:58 by Jérôme Duprez