Title: Container Authentication Problems
Date: 02-Jul-2007 17:14:41 EEST
Version: 2.4.x (and above?)
Submitter: ChrisWilson
Bug criticality: BadBug
Browser version: Firefox (probably all)
Bug status: ClosedBug
PageProvider used:
Servlet Container: Tomcat (probably others)
Operating System: Linux (probably all)
URL:
Java version: 1.4.x (probably all)

Moved from FAQ Authentication as this appears to be a real bug and not a FAQ.

Hi all, I'm having a terrible time trying to set up simple LDAP authentication with JSPWiki 2.4.70. I used container auth in 2.0.x and it worked very well, but this new auth system is confusing the hell out of me.

I want to set up authentication so that anyone can read, but only authenticated users can modify the wiki. This is quite easy to do with JSPWiki 2.0.x and container auth.

I enabled container auth in 2.4.x and it seems to work, i.e. requires me to log in, but it requires login even for pages which should not, such as Wiki.jsp. I'm sure I can fix that myself. However JSPWiki does not seem to recognise the authenticated users, and continues to deny access to pages even after login, and denies read access too.

web.xml says:

   <security-constraint>
       <web-resource-collection>
           <web-resource-name>Open Area</web-resource-name>
           <url-pattern>/Wiki.jsp</url-pattern>
           <http-method>GET</http-method>
           <http-method>HEAD</http-method>
       </web-resource-collection>
   </security-constraint>

   <security-constraint>
       <web-resource-collection>
           <web-resource-name>Protected Area</web-resource-name>
           <url-pattern>/*</url-pattern>
           <url-pattern>/Login.jsp</url-pattern>
           <http-method>DELETE</http-method>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
           <http-method>PUT</http-method>
           <http-method>HEAD</http-method>
       </web-resource-collection>

       <auth-constraint>
           <role-name>wiki</role-name>
       </auth-constraint>
   </security-constraint>

and jspwiki.policy says:

grant signedBy "jspwiki",
  principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

grant signedBy "jspwiki",
  principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

And the kind of errors I am getting:

  • Visiting the site homepage, http://site/, asks me to log in
  • Authenticated users can view pages (ok, but...)
  • Authenticated users cannot edit pages: "Forbidden. Sorry, but you are not allowed to do that. Usually we block access to something because you do not have the correct privileges (e.g., read, edit, comment) for the page you are looking for..."

Errors in the logs:

Can I disable the user database, or in some way have a user entry synthesised for my container-authenticated users?

Cheers -- Chris Wilson, 2006-12-11.
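As an added example (not code from the bug report, nor from JSPWiki or Tomcat), the following Python script parses the two constraints posted above, embedded as a constructed sample, and applies the Servlet 2.4 rules for choosing the best-matching url-pattern and for combining constraints that share a pattern (SRV.11.1 and SRV.12.8). Under those rules GET / is covered only by the /* pattern and requires the wiki role, which is the first symptom listed above; GET /Wiki.jsp is matched exactly by the Open Area constraint and is open to anonymous users. The script implements the specification's algorithm; a given container may differ, as the Wiki.jsp behaviour reported above suggests.

```python
"""Audit which requests a web.xml's <security-constraint> blocks actually protect.

Added example, not part of the bug report: applies the Servlet 2.4 best-match
rule for url-patterns and the combination rules for constraints that share a
pattern to the two constraints posted in the thread."""
import xml.etree.ElementTree as ET

# Constructed sample: the posted constraints wrapped in a minimal <web-app>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Open Area</web-resource-name>
      <url-pattern>/Wiki.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
      <url-pattern>/Login.jsp</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>wiki</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Match precedence: exact, then longest path prefix, then extension, then default.
RANK = {"exact": 0, "prefix": 1, "extension": 2, "default": 3}


def parse_constraints(xml_text):
    """Return (name, patterns, methods, roles) per constraint.
    roles is None when the constraint has no <auth-constraint> at all."""
    out = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        wrc = sc.find("web-resource-collection")
        name = wrc.findtext("web-resource-name", "").strip()
        patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
        methods = {m.text.strip().upper() for m in wrc.findall("http-method")}
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [r.text.strip() for r in ac.findall("role-name")]
        out.append((name, patterns, methods, roles))
    return out


def match_kind(pattern, path):
    """Classify how a url-pattern matches a request path, or None if it does not."""
    if pattern == path:
        return "exact"
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return "prefix"
    elif pattern.startswith("*.") and path.endswith(pattern[1:]):
        return "extension"
    elif pattern == "/":
        return "default"
    return None


def best_pattern(constraints, path):
    """The single url-pattern the container selects for this path."""
    best = None
    for _, patterns, _, _ in constraints:
        for pat in patterns:
            kind = match_kind(pat, path)
            if kind is not None:
                key = (RANK[kind], -len(pat))
                if best is None or key < best[0]:
                    best = (key, pat)
    return None if best is None else best[1]


def effective_access(constraints, path, method):
    """Who may send `method` to `path`: 'unconstrained' (nothing applies),
    'anonymous' (a constraint without <auth-constraint> lets everyone in),
    'denied' (an empty <auth-constraint/> blocks everyone), or sorted roles."""
    pat = best_pattern(constraints, path)
    if pat is None:
        return "unconstrained"
    method = method.upper()
    matched = [c for c in constraints
               if pat in c[1] and (not c[2] or method in c[2])]
    if not matched:
        # The selected pattern is constrained, but not for this verb, so the
        # request falls through unprotected: enumerated <http-method> lists do this.
        return "unconstrained"
    if any(c[3] is not None and not c[3] for c in matched):
        return "denied"
    if any(c[3] is None for c in matched):
        return "anonymous"
    roles = set()
    for c in matched:
        roles.update(c[3])
    return sorted(roles)


if __name__ == "__main__":
    cons = parse_constraints(WEB_XML)
    for path, method in [("/", "GET"), ("/Wiki.jsp", "GET"),
                         ("/Wiki.jsp", "POST"), ("/Edit.jsp", "GET")]:
        print(f"{method} {path}: {effective_access(cons, path, method)}")
```

Running it shows that POST /Wiki.jsp is unconstrained under the posted configuration: the exact pattern /Wiki.jsp wins the match, but the only constraint naming it lists GET and HEAD. When an audit is the goal, constraints without an http-method list are simpler to reason about, because they cover every verb.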


Chris, I have a similar setup, but I had to populate the userdatabase as well; it seems like authentication happens through the container but the profile for the user is stored in the XML database. This can be done by editing the user's profile. Alex Samad, 2006-12-12


Oooooooo. This is definitely a bug. Unfortunately the code in WikiSession that refreshes user principals did not take into account the container-managed scenario where a user might have a valid container account but NOT a wiki profile.

Alex's workaround will definitely work -- just create a "stub" for each user in the userdatabase.xml file. That will allow the profile to be found by the credential-refresh code, and your users will be able to log in. However, you shouldn't have to do that, ideally. This is a simple fix; unfortunately because of time constraints I don't think I'll be able to get this done until next week.

--Andrew Jaquith, 14-Dec-2006


Hi, I am facing the exact same problem. I am running JSPWiki v2.4.82 on Tomcat 5.5 on Win XP and using container managed authentication (using Active Directory). After Wiki.jsp displays the Main page, clicking on any tab (e.g. Log in, Edit etc.) takes me to a page for form based authentication. I am able to login using my id (subhashish_dutta) and password. However, at this point I get the same "Forbidden...." error page with the following in the jspWiki.log file:

I then edited userdatabase.xml to add this entry :

   <user loginName="subhashish_dutta" wikiName="SubhashishDutta" fullName="Subhashish Dutta" email="subhashish_dutta@infosys.com" created="2006.12.13 at 19:50:59:560 GMT+05:30" lastModified="2006.12.13 at 19:50:59:560 GMT+05:30" />

Though this causes the ERROR regarding Refresh principals to go away in the log, I still get redirected to the "Forbidden" page. I even tried adding my password to the userdatabase entry, but that didn't work either.
Clicking on the "Better luck next time" link takes me back to the main page again, where I can see "G'day SubhashishDutta (authenticated)".

I haven't changed jspWiki's web.xml, just uncommented the portion needed for container based authorization.

Any idea what I might be doing wrong or need to do differently ?

Thanks, Subhashish

--Subhashish, 14-Dec-2006
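Andrew's note above describes the workaround (a stub profile in userdatabase.xml for every container account), and Subhashish's post shows the shape of such an entry. As an added example, not JSPWiki's code and not from anyone in the thread, the following Python script turns that workaround into something repeatable: given the login names the container knows about, it reports which ones have no profile (the users whose login fails with the "Refresh principals failed because user profile ... not found" error) and appends a stub for each. It assumes the database root element is <users>, and the wikiName derivation from the login name is a convention chosen here, not JSPWiki's.

```python
"""Synthesise JSPWiki userdatabase.xml stub profiles for container-authenticated users.

Added example, not JSPWiki code: implements the stub-profile workaround from
the thread. Assumptions: the database root element is <users>, and the <user>
attributes are those of the entry posted in the thread."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample database with one existing profile in the posted shape.
USERDB_XML = """<users>
  <user loginName="subhashish_dutta" wikiName="SubhashishDutta"
        fullName="Subhashish Dutta" email="subhashish_dutta@example.invalid"
        created="2006.12.13 at 19:50:59:560 GMT+05:30"
        lastModified="2006.12.13 at 19:50:59:560 GMT+05:30" />
</users>"""

# The timestamp of the posted entry, as an aware datetime (UTC+05:30).
POSTED_STAMP_DT = datetime(2006, 12, 13, 19, 50, 59, 560000,
                           tzinfo=timezone(timedelta(hours=5, minutes=30)))


def existing_login_names(xml_text):
    """Login names that already have a profile in the database."""
    root = ET.fromstring(xml_text)
    return {u.get("loginName") for u in root.findall("user") if u.get("loginName")}


def missing_profiles(container_logins, xml_text):
    """Container accounts with no profile: the users whose credential refresh fails."""
    have = existing_login_names(xml_text)
    return sorted(login for login in container_logins if login not in have)


def wiki_name_for(login):
    """Assumed convention (not JSPWiki's): split the login on non-alphanumerics
    and CamelCase the pieces, so 'subhashish_dutta' becomes 'SubhashishDutta'."""
    parts = re.split(r"[^A-Za-z0-9]+", login)
    return "".join(p[:1].upper() + p[1:] for p in parts if p)


def jspwiki_timestamp(dt):
    """Format an aware datetime like the posted entry: '2006.12.13 at 19:50:59:560 GMT+05:30'."""
    total = int((dt.utcoffset() or timedelta(0)).total_seconds())
    sign = "+" if total >= 0 else "-"
    hours, minutes = divmod(abs(total) // 60, 60)
    return (dt.strftime("%Y.%m.%d at %H:%M:%S")
            + f":{dt.microsecond // 1000:03d} GMT{sign}{hours:02d}:{minutes:02d}")


def stub_element(login, now):
    """Minimal <user/> element. The container stays the source of truth for the
    password, so no password attribute is written into the wiki database."""
    stamp = jspwiki_timestamp(now)
    return ET.Element("user", {
        "loginName": login,
        "wikiName": wiki_name_for(login),
        "fullName": login,
        "email": "",
        "created": stamp,
        "lastModified": stamp,
    })


def add_stubs(xml_text, container_logins, now):
    """Return the database text with a stub appended for every missing login;
    existing entries are left untouched."""
    root = ET.fromstring(xml_text)
    for login in missing_profiles(container_logins, xml_text):
        el = stub_element(login, now)
        el.tail = "\n"
        root.append(el)
    return ET.tostring(root, encoding="unicode")


def example_run():
    """Run the workaround over the constructed sample with a fixed clock."""
    logins = ["subhashish_dutta", "chris"]   # constructed container accounts
    fixed_now = datetime(2006, 12, 14, 12, 0, 0, tzinfo=timezone.utc)
    before = missing_profiles(logins, USERDB_XML)
    new_xml = add_stubs(USERDB_XML, logins, fixed_now)
    after = missing_profiles(logins, new_xml)
    return before, new_xml, after


if __name__ == "__main__":
    before, new_xml, after = example_run()
    print("missing before:", before, "after:", after)
    print(new_xml)
```

In practice the login list would be exported from the container's realm rather than typed in, and the generated file should be reviewed before it replaces the live userdatabase.xml, since a profile that exists without a matching container account is exactly the kind of drift the workaround makes easy to create.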

Hi Subhashish,

I discovered that the error is only on Login.jsp. If after login, when I'm looking at the Forbidden error, I change the URL to Edit.jsp?page=..., then I can edit pages and everything works. It's just very confusing for users that they log in and then get a Forbidden error.

I cannot figure out why the Forbidden error page is being shown, as nothing in the logs indicates that access was forbidden, or why. I disabled the substitute error page so that I can see the Tomcat error, which says:

HTTP Status 403 - It seems you don't have access to that. Sorry.

type Status report

message It seems you don't have access to that. Sorry.

description Access to the specified resource (It seems you don't have access to that. Sorry.) has been forbidden.

Apache Tomcat/4.1.31

The last message in the jspwiki log when servicing this request is still as before: ERROR com.ecyrd.jspwiki.WikiSession JSPWiki:https://new.bgdd.org:8443/Login.jsp - Refresh principals failed because user profile matching 'chris' not found. . So I suspect that the fix proposed by Andrew Jaquith may solve this problem. I hope that he will implement it soon, so that we can test it.

Does anyone know if it's even possible to disable the new authentication system and go back to good old container auth in 2.4?

Cheers -- Chris Wilson, 2006-12-14.


Hi Chris,

Unfortunately in my case, the error seems to be for all pages. Changing the URL didn't help either. However, I've managed to get around the issue for the time being by:

  • Adding a role name called "*" to jspWiki's web.xml
    and
  • Adding "<role-name>*</role-name>" in the <auth-constraint> section for the web-resources "Authenticated Area" and "Read only area"

I am now able to login, edit, attach files etc. I am wondering if the original issue has anything to do with the roleName in the LDAP connection settings for JNDIRealm.

Thanks, Subhashish

--Subhashish, 18-Dec-2006


Hey guys,

I was just trying to find a solution for my auth issue and looks like we are all on the same page. I've followed and tried all the possible solutions described here and none worked.

My environment is Linux, Tomcat 5.5 and JSPWiki 2.4.82. I need to authenticate JSPWiki users through LDAP (here I have Active Directory and Sun Java System Directory Server; I work with either one since it's all synchronized).

I've updated the JSPWiki web.xml file and also enabled my Tomcat to authenticate via LDAP, and am still getting Forbidden. No pages are accessible when the authentication is enabled.

If you guys could please help me out, I would appreciate it. Thanks.

--Guilherme Barreiro, Dec-27, 2006


Hello,

I have only one problem with my wiki. When a new user (one that is joining JSPWiki) fills out user information in the UserPreferences.jsp page and clicks Save Profile, the user gets the Forbidden.html page.

BUT.....if this user clicks the browser's back button, you'd see that he or she is indeed logged in.

That Forbidden page only shows up once.....the next time that user logs in, everything works as expected.

What can I do about the Forbidden page that pops up?


Assuming this is fixed; it takes me too long to figure it out. If it still occurs, please file a bug in JIRA.


I had the same problem; I was using WebLogic 10. This problem got resolved when I added weblogic.xml to /WEB-INF. Make sure that the roles in web.xml are mapped to the roles in the server environment:

   <?xml version="1.0" encoding="UTF-8"?>
   <wls:weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:wls="http://www.bea.com/ns/weblogic/90"
       xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">
       <wls:security-role-assignment>
           <wls:role-name>Admin</wls:role-name>
           <wls:principal-name>Admin</wls:principal-name>
       </wls:security-role-assignment>
       <wls:security-role-assignment>
           <wls:role-name>Authenticated</wls:role-name>
           <wls:principal-name>Authenticated</wls:principal-name>
       </wls:security-role-assignment>
       <wls:jsp-descriptor>
           <wls:keepgenerated>true</wls:keepgenerated>
           <wls:working-dir>C:\workspace\jspwiki\WikiApp\.metadata\.plugins\org.eclipse.wst.server.core\tmp0\cms_domain\work\JSPWiki</wls:working-dir>
           <wls:debug>true</wls:debug>
       </wls:jsp-descriptor>
       <wls:context-root>/</wls:context-root>
   </wls:weblogic-web-app>

--AnonymousCoward, 04-Aug-2008

This page (revision-4) was last changed on 04-Aug-2008 21:46 by shrirang