|Title|Granting permission to Groups does not work in the Policy file or ACL
|Date|01-Feb-2006 21:54:43 EET
|[Bug criticality]|LightBug
|Browser version|IE 6.0 and Firefox 1.0.7
|[Bug status]|ClosedBug
|[PageProvider] used|
|Servlet Container|Tomcat 5.0
|Operating System|NT 4
|Java version|JDK 1.4

On my Main page, there are several links to the different sub-pages, I have some groups each of them can only access one of the links. I want to grant the Group "SocialCommittee" the permission only on "*.SocialCommittee*" pages and view only on Main.
I tried 2 ways, 

1st is through the ACL -

{{{[{ALLOW view SocialCommittee}]}}}, but still could not view the "*.SocialCommittee*" pages when I logged on the main page as any one of the "SocialCommittee"; if I set ACL as 
{{{[{ALLOW view SocialCommittee, GautamKumra}]}}},
and logged in Main page as "GautamKumra", I could see the "*.SocialCommittee*" pages.

2nd is through the Policy file -

If I comment out all the settings for Role "Authenticated" or even remove the whole section for "Authenticated", and grant some permission to the Wiki group "SocialCommittee" I just created, in the jspwiki.policy, and reboot the Wiki, after I login the Main page as any one of "SocialCommittee", I get the "Forbidden page", I cannot view any page, even the Main.
If I just grant the "edit, rename" on "*.Main" to "Authenticated", no change to the group "SocialCommittee". After I login the Main page as any one of "SocialCommittee", I can "view&edit" the Main page, but get the "Forbidden page" on any other pages.

Thank you !

------------- Content of jspwiki.policy

{{{
grant signedBy "jspwiki" 
  principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
//    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Main", "edit,rename";

grant signedBy "jspwiki" 
  principal com.ecyrd.jspwiki.auth.authorize.Group "SocialCommittee" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Main", "view";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:SocialCommittee*", "edit,rename,upload,delete";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
}}}

--------------- Content of GroupSocialCommittee.txt file

{{{
[{ALLOW edit SocialCommittee}]
[{SET members='GautamKumra'}]
[{SET members='FahimaMohmand'}]
This is a wiki group. Edit this page to see its members.
}}}

I cannot reproduce your bug, so I am marking it invalid. Perhaps there are some peculiarities specific to Windows NT that are preventing things from working on your setup. If that's the case, there's not much we can do, and frankly I am not going to spend a lot of time troubleshooting something that only seems to exist on a ten-year-old operating system. See the [Security 2.3 Howto] page for an example of using groups and security policies.

The second part of your report -- that using Group "SocialCommittee" doesn't work when specified in the security policy -- is correct. Using Group or Role principals other than the standard All, Authenticated, Asserted, Anonymous Principals is NOT supported in the current version of JSPWiki. I erred in writing the documentation, and I will be correcting this shortly. Thanks. -- [Andrew Jaquith]

However, I could reproduce the bug, both 1st and 2nd part, in Windows 2k. I do not think that is specific to Windows NT. It is a __bug__ and annoyed me for 3 days. Hope you can fix it. 

I read some log. It seems the defaultGroupManager does not read all prefix- "Group*" page at all. 

[Gilbert Fang] A JSP user from China.

Gilbert, I understand you are frustrated -- but you have not demonstrated that we really have a problem (at least for your first issue). For the first issue (using the ACL), have you tried the example that I wrote up [Security 2.3 Howto] page? I also don't understand your second comment "I read some log...". Are you referring to the source code? The documentation?

Try following the example on [Security 2.3 Howto] step-by-step, with a clean (unmodified) security policy. Post your results here, and if it's still an issue then we'll figure out a way to fix it.

As for your second issue (setting group restrictions in the policy file), I agree that this is an issue in current versions of JSPWiki. We will fix this problem in an upcoming release. -- [Andrew Jaquith]


Release 2.3.83 allows the use of groups (specifically, GroupPrincipals) in {{jspwiki.policy}}. So I'm marking this bug as closed. Thanks for posting this -- it prompted a very helpful refactoring of some of the security classes. 

--Andrew Jaquith, 25-Feb-2006
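
An added example, not part of the original thread and not JSPWiki's own code: a small Python linter (the name `lint_policy` is hypothetical) that checks {{jspwiki.policy}} text for the condition described in the replies above, a principal other than the standard All, Authenticated, Asserted and Anonymous roles, which group support only arrived for in release 2.3.83. It also reports grant blocks that are never closed or contain no active permission line, and it assumes comments are whole-line `//` comments.

```python
import re

# Standard roles named in the reply above; other principals were unsupported before 2.3.83.
BUILTIN_ROLES = {"All", "Authenticated", "Asserted", "Anonymous"}
PRINCIPAL_RE = re.compile(r'principal\s+([\w.]+)\s+"([^"]+)"')

def lint_policy(text):
    """Return sorted (line_no, message) findings for jspwiki.policy text."""
    findings, block = [], None   # block = [grant line number, active permission count]
    def finish(closed):          # record problems with the block being left
        if not closed:
            findings.append((block[0], "grant block is never closed with '};'"))
        if block[1] == 0:
            findings.append((block[0], "grant block has no active permission lines"))
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if re.match(r"grant\b", line):
            if block:
                finish(closed=False)   # a new grant started while one was still open
            block = [no, 0]
        if block is None or not line or line.startswith("//"):
            continue                   # outside a grant, blank, or commented out (assumed whole-line)
        m = PRINCIPAL_RE.search(line)
        if m:
            kind, name = m.group(1).rsplit(".", 1)[-1], m.group(2)
            if kind == "Group" or (kind == "Role" and name not in BUILTIN_ROLES):
                findings.append((no, f'{kind} "{name}" is not a standard role principal'))
        if line.startswith("permission "):
            block[1] += 1
        if re.search(r"\}\s*;", line):
            finish(closed=True)
            block = None
    if block:
        finish(closed=False)
    return sorted(findings)

# Constructed sample, modelled on the policy excerpt in the report.
SAMPLE = """\
grant signedBy "jspwiki"
  principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
//    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Main", "edit,rename";
grant signedBy "jspwiki"
  principal com.ecyrd.jspwiki.auth.authorize.Group "SocialCommittee" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Main", "view";
};
"""

if __name__ == "__main__":
    print(*lint_policy(SAMPLE), sep="\n")
```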