Title: Granting permission to Groups does not work in the Policy file or ACL
Date: 01-Feb-2006 21:54:43 EET
Version: 2.3.72-alpha
Submitter: Jameslee
Bug criticality: LightBug
Browser version: IE 6.0 and FireFox 1.0.7
Bug status: ClosedBug
PageProvider used:
Servlet Container: Tomcat 5.0
Operating System: NT 4
URL:
Java version: JDK 1.4

On my Main page, there are several links to the different sub-pages. I have some groups, and each of them can only access one of the links. I want to grant the Group "SocialCommittee" the permission only on "*.SocialCommittee*" pages and view only on Main. I tried 2 ways:

1st is through the ACL -

[{ALLOW view SocialCommittee}]
, but I still could not view the "*.SocialCommittee*" pages when I logged on to the main page as any one of the "SocialCommittee". If I set the ACL as
[{ALLOW view SocialCommittee, GautamKumra}]
, and logged in Main page as "GautamKumra", I could see the "*.SocialCommittee*" pages.

2nd is through the Policy file -

If I comment out all the settings for Role "Authenticated" or even remove the whole section for "Authenticated", and grant some permission to the Wiki group "SocialCommittee" I just created, in the jspwiki.policy, and reboot the Wiki, after I log in to the Main page as any one of "SocialCommittee", I get the "Forbidden page"; I cannot view any page, even the Main. If I just grant the "edit, rename" on "*.Main" to "Authenticated", no change to the group "SocialCommittee". After I log in to the Main page as any one of "SocialCommittee", I can "view&edit" the Main page, but get the "Forbidden page" on any other pages.

Thank you !


Content of jspwiki.policy
...
grant signedBy "jspwiki" 
  principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
//    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Main", "edit,rename";
};

grant signedBy "jspwiki" 
  principal com.ecyrd.jspwiki.auth.authorize.Group "SocialCommittee" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Main", "view";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:SocialCommittee*", "edit,rename,upload,delete";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
};
...

Content of GroupSocialCommittee.txt file
[{ALLOW edit SocialCommittee}]
[{SET members='GautamKumra'}]
[{SET members='FahimaMohmand'}]
This is a wiki group. Edit this page to see its members.

I cannot reproduce your bug, so I am marking it invalid. Perhaps there are some peculiarities specific to Windows NT that are preventing things from working on your setup. If that's the case, there's not much we can do, and frankly I am not going to spend a lot of time troubleshooting something that only seems to exist on a ten-year-old operating system. See the Security 2.3 Howto page for an example of using groups and security policies.

The second part of your report -- that using Group "SocialCommittee" doesn't work when specified in the security policy -- is correct. Using Group or Role principals other than the standard All, Authenticated, Asserted, Anonymous Principals is NOT supported in the current version of JSPWiki. I erred in writing the documentation, and I will be correcting this shortly. Thanks. -- Andrew Jaquith

However, I could reproduce the bug, both the 1st and 2nd parts, on Windows 2k. I do not think that it is specific to Windows NT. It is a bug and it annoyed me for 3 days. I hope you can fix it.

I read some log. It seems the defaultGroupManager does not read all prefix- "Group*" page at all.

Gilbert Fang, a JSP user from China.


Gilbert, I understand you are frustrated -- but you have not demonstrated that we really have a problem (at least for your first issue). For the first issue (using the ACL), have you tried the example that I wrote up on the Security 2.3 Howto page? I also don't understand your second comment "I read some log...". Are you referring to the source code? The documentation?

Try following the example on Security 2.3 Howto step-by-step, with a clean (unmodified) security policy. Post your results here, and if it's still an issue then we'll figure out a way to fix it.

As for your second issue (setting group restrictions in the policy file), I agree that this is an issue in current versions of JSPWiki. We will fix this problem in an upcoming release. -- Andrew Jaquith


Release 2.3.83 allows the use of groups (specifically, GroupPrincipals) in jspwiki.policy. So I'm marking this bug as closed. Thanks for posting this -- it prompted a very helpful refactoring of some of the security classes.

--Andrew Jaquith, 25-Feb-2006
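An added example, not part of the original report or of JSPWiki's code: a small Python check that parses a jspwiki.policy excerpt and flags grant blocks which, per the replies above, are not honoured before release 2.3.83 (principals other than All, Authenticated, Asserted, Anonymous), or which grant nothing because every permission line is commented out. The function names are hypothetical, and the sample is the policy excerpt quoted in the report.

```python
import re

# Principals the maintainer's reply names as the only ones supported in
# policy grants before release 2.3.83.
BUILT_IN = {"All", "Authenticated", "Asserted", "Anonymous"}
GRANT_RE = re.compile(
    r'grant\b[^{]*?principal\s+([\w.]+)\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.]+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')

def strip_comments(text):
    """Drop /* */ block comments and // line comments before parsing."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'//[^\n]*', '', text)

def audit_policy(text):
    """Return one finding per grant block: principal, permissions, issue."""
    findings = []
    for cls, name, body in GRANT_RE.findall(strip_comments(text)):
        kind = cls.rsplit('.', 1)[-1]            # Role, Group, ...
        perms = [(p.rsplit('.', 1)[-1], target, actions)
                 for p, target, actions in PERM_RE.findall(body)]
        if name not in BUILT_IN:
            issue = "unsupported-principal"      # not honoured before 2.3.83
        elif not perms:
            issue = "empty-grant"                # every permission commented out
        else:
            issue = None
        findings.append({"principal": f'{kind} "{name}"',
                         "permissions": perms, "issue": issue})
    return findings

# Constructed sample: the policy excerpt quoted in the report above.
SAMPLE = '''
grant signedBy "jspwiki"
  principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
//    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Main", "edit,rename";
};
grant signedBy "jspwiki"
  principal com.ecyrd.jspwiki.auth.authorize.Group "SocialCommittee" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Main", "view";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:SocialCommittee*", "edit,rename,upload,delete";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
};
'''

if __name__ == "__main__":
    print(*audit_policy(SAMPLE), sep="\n")
```

On the reporter's excerpt this reports the "Authenticated" block as an empty grant and the "SocialCommittee" block as an unsupported principal, which together match the "Forbidden page" result described in the report.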

Hi, I granted view permission for a group which includes me, Administrator, as well, on the MAIN page and now am unable to edit the page, as the edit page will not show on viewing the page. Kindly provide a solution asap. Thanks in advance. 10-Oct-07


This page (revision-18) was last changed on 11-Oct-2007 14:42 by JanneJalkanen