Title: Anonymous View Denied
Date: 26-Apr-2006 18:05:34 EEST
Version: 2.4.0
Submitter: 195.25.133.175
Bug criticality: MediumBug
Browser version: ie, firefox
Bug status: NewBug
PageProvider used: VersioningFileProvider
Servlet Container: Tomcat 5.5.9
Operating System: Windows XP Pro
URL: ?
Java version: 1.5.0_6

I am trying to set up a wiki where only authenticated users are allowed to edit pages. I grant only "view" access to users with the built-in Anonymous role. However, anonymous users in fact cannot view any page. They have to log in first; then everything works as expected, as far as I could test.

Here are the relevant sections of my jspwiki.policy:

// Guest users
// Note the commented lines, but note too that the "view all pages" permission is explicit.
grant signedBy "jspwiki" 
  principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
    //permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Guest*", "edit";
    //permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

// (...) Asserted role omitted, same settings indeed

// Authenticated users:

grant signedBy "jspwiki" 
  principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Group*", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

Here are the traces from jspwiki.log:

2006-04-26 17:04:20,891 [http-8080-Processor25] INFO SecurityLog BenchesWiki:http://e000433:8080/BenchesWiki/Wiki.jsp - WikiSecurityEvent.ACCESS_DENIED [source=com.ecyrd.jspwiki.auth.AuthorizationManager@5e9f1, princpal=[WikiPrincipal (fullName): Jérôme Duprez], target=("com.ecyrd.jspwiki.auth.permissions.PagePermission","BenchesWiki:Main","view")]
2006-04-26 17:04:20,891 [http-8080-Processor25] INFO com.ecyrd.jspwiki.WikiContext BenchesWiki:http://e000433:8080/BenchesWiki/Wiki.jsp - User Jérôme Duprez has no access - redirecting (permission=("com.ecyrd.jspwiki.auth.permissions.PagePermission","BenchesWiki:Main","view"))
2006-04-26 17:04:20,907 [http-8080-Processor25] INFO SecurityLog BenchesWiki:http://e000433:8080/BenchesWiki/Login.jsp - WikiSecurityEvent.ACCESS_DENIED [source=com.ecyrd.jspwiki.auth.AuthorizationManager@5e9f1, princpal=[WikiPrincipal (fullName): Jérôme Duprez], target=("com.ecyrd.jspwiki.auth.permissions.WikiPermission","BenchesWiki","creategroups")]
2006-04-26 17:04:20,923 [http-8080-Processor25] INFO SecurityLog BenchesWiki:http://e000433:8080/BenchesWiki/Login.jsp - WikiSecurityEvent.ACCESS_DENIED [source=com.ecyrd.jspwiki.auth.AuthorizationManager@5e9f1, princpal=[WikiPrincipal (fullName): Jérôme Duprez], target=("com.ecyrd.jspwiki.auth.permissions.WikiPermission","BenchesWiki","creategroups")]
2006-04-26 17:04:20,923 [http-8080-Processor25] INFO SecurityLog BenchesWiki:http://e000433:8080/BenchesWiki/Login.jsp - WikiSecurityEvent.ACCESS_DENIED [source=com.ecyrd.jspwiki.auth.AuthorizationManager@5e9f1, princpal=[WikiPrincipal (fullName): Jérôme Duprez], target=("com.ecyrd.jspwiki.auth.permissions.WikiPermission","BenchesWiki","creategroups")]


Addendum: in fact, this only happens for users after they have logged out. For plain anonymous users (never logged in, never asserted), the behavior is the expected one. Moreover, if after logging out (and then witnessing the odd behavior described here) I remove the jspwiki cookies, everything comes back to normal, until I log in and log out again.

N.B.: is it intentional that these cookies are not erased when one logs out? I assume you want a user who logs out to stay asserted.

This particular version was published on 27-Apr-2006 11:40 by Jérôme Duprez.
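
A small triage script for the jspwiki.log excerpt above, added here as an example; it is not part of the original report or of JSPWiki. It parses `WikiSecurityEvent.ACCESS_DENIED` lines and counts denials per principal, permission and JSP. The sample lines are copied from the excerpt, and the function names are hypothetical.

```python
import re
from collections import Counter

# Lines copied from the jspwiki.log excerpt in the report above.
SAMPLE_LOG = """\
2006-04-26 17:04:20,891 [http-8080-Processor25] INFO SecurityLog BenchesWiki:http://e000433:8080/BenchesWiki/Wiki.jsp - WikiSecurityEvent.ACCESS_DENIED [source=com.ecyrd.jspwiki.auth.AuthorizationManager@5e9f1, princpal=[WikiPrincipal (fullName): Jérôme Duprez], target=("com.ecyrd.jspwiki.auth.permissions.PagePermission","BenchesWiki:Main","view")]
2006-04-26 17:04:20,891 [http-8080-Processor25] INFO com.ecyrd.jspwiki.WikiContext BenchesWiki:http://e000433:8080/BenchesWiki/Wiki.jsp - User Jérôme Duprez has no access - redirecting (permission=("com.ecyrd.jspwiki.auth.permissions.PagePermission","BenchesWiki:Main","view"))
2006-04-26 17:04:20,907 [http-8080-Processor25] INFO SecurityLog BenchesWiki:http://e000433:8080/BenchesWiki/Login.jsp - WikiSecurityEvent.ACCESS_DENIED [source=com.ecyrd.jspwiki.auth.AuthorizationManager@5e9f1, princpal=[WikiPrincipal (fullName): Jérôme Duprez], target=("com.ecyrd.jspwiki.auth.permissions.WikiPermission","BenchesWiki","creategroups")]
2006-04-26 17:04:20,923 [http-8080-Processor25] INFO SecurityLog BenchesWiki:http://e000433:8080/BenchesWiki/Login.jsp - WikiSecurityEvent.ACCESS_DENIED [source=com.ecyrd.jspwiki.auth.AuthorizationManager@5e9f1, princpal=[WikiPrincipal (fullName): Jérôme Duprez], target=("com.ecyrd.jspwiki.auth.permissions.WikiPermission","BenchesWiki","creategroups")]
"""

# The log itself spells the field "princpal"; accept both spellings.
DENIED = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<thread>[^\]]+)\] \w+ SecurityLog '
    r'\S+/(?P<jsp>\w+\.jsp) - WikiSecurityEvent\.ACCESS_DENIED '
    r'\[source=[^,]+, princi?pal=\[WikiPrincipal \((?P<ptype>\w+)\): (?P<name>[^\]]+)\], '
    r'target=\("(?P<perm>[^"]+)","(?P<target>[^"]+)","(?P<actions>[^"]+)"\)\]$'
)


def parse_denials(text):
    """Return one dict per ACCESS_DENIED security event; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DENIED.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["perm"] = ev["perm"].rsplit(".", 1)[-1]  # keep the short class name
            events.append(ev)
    return events


def summarize(events):
    """Count denials per (principal, principal type, permission, target, actions, JSP)."""
    return Counter(
        (e["name"], e["ptype"], e["perm"], e["target"], e["actions"], e["jsp"])
        for e in events
    )


def view_denials(events):
    """Denied PagePermission checks that include the "view" action."""
    return [e for e in events
            if e["perm"] == "PagePermission" and "view" in e["actions"].split(",")]


if __name__ == "__main__":
    for key, count in summarize(parse_denials(SAMPLE_LOG)).most_common():
        print(count, *key)
```
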