Title: jspwiki.policy ignored when using Security Manager
Date: 12-Mar-2007 00:22:18 EET
Version: 2.5.28
Submitter: 69.115.43.4
Bug criticality: BadBug
Browser version: Firefox
Bug status: ClosedBug
PageProvider used:
Servlet Container: tomcat5.5
Operating System: ubuntu 6.10
URL: http://192.168.1.104:8180/JSPWiki25/Wiki.jsp?page=Main
Java version: 1.5

Try as I might, I cannot get a custom jspwiki.policy file working with a container security manager. I upgraded to 2.5.28 as there was a bug fix for the local policy file, but this did not appear to help.

I have granted JSPWiki all permissions in the catalina policy, and JSPWiki works, but nothing security-related works correctly, not even page ACLs (everything is editable). If I disable container security, then the custom jspwiki.policy is followed/enforced.

I know there are issues with the container security manager, but this looks like a JSPWiki issue, not a container issue.

thanks, Charlie


Charlie --

JSPWiki does not operate properly when the SecurityManager is running. It has nothing to do with the security policy -- and everything to do with the fact that we don't have all of the needed permissions enumerated yet. This is an issue, and we are aware of it and working on a fix. In the meantime, do not run JSPWiki with a security manager.

Andrew

--Andrew Jaquith, 13-Mar-2007


Andrew;

Thanks for the reply and keep up the great work. I will keep an eye open for updates regarding use of a Security Manager.

Charlie.

--AnonymousCoward, 16-Mar-2007


Assuming fixed, there have been various fixes against PageRenamer.

Negative. I've configured a 2.6.0 installation on JBoss with DB2. I'm using container-managed security and I can verify that the security policies still aren't being applied properly.

It appears that a user who has both Authenticated and Admin will be granted all permissions by Admin. However, these permissions are being overridden by the denial of permissions to Authenticated.

Work Around

There is a workaround for all this. Since the policy is incompletely applied, reset the policy to 'clear' and just use a pure container-managed security model.
Here is my policy:
grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
	permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};

And here is my web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Administrative Area</web-resource-name>
            <url-pattern>/NewGroup.jsp</url-pattern>
            <url-pattern>/Delete.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Admin</role-name>
        </auth-constraint>
        <!--
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
        -->
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Authenticated area</web-resource-name>
            <url-pattern>/Edit.jsp</url-pattern>
            <url-pattern>/Comment.jsp</url-pattern>
            <url-pattern>/Login.jsp</url-pattern>
            <url-pattern>/Rename.jsp</url-pattern>
            <url-pattern>/Upload.jsp</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>HEAD</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>

        <web-resource-collection>
            <web-resource-name>Read-only Area</web-resource-name>
            <url-pattern>/attach</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>

        <auth-constraint>
            <role-name>Admin</role-name>
            <role-name>Authenticated</role-name>
        </auth-constraint>

        <!--
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
        -->
    </security-constraint>


--Louis, 2008-03-13
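With the jspwiki.policy reduced to an AllPermission grant for "All", the workaround above relies entirely on the container's security-constraint matching, so it is worth checking exactly what those constraints cover. The following is an added example, not JSPWiki's code and not Louis's: a small Python evaluator that applies the Servlet 2.4 url-pattern and http-method matching rules to a constructed copy of the web.xml constraints above and reports which roles a (method, path) pair requires. Two properties of that configuration become visible. Listing http-method elements constrains only the listed methods, so a request such as OPTIONS or TRACE to /Edit.jsp passes the container untouched (the well-known verb-tampering gap in Servlet 2.x; omitting the http-method elements constrains every method). And /attach is an exact-match pattern, so a sub-path such as /attach/Main/file.png (a made-up path used only for illustration) is not covered at all; only a prefix pattern like /attach/* would be. The method list and the sample paths are assumptions of the example.

```python
"""Evaluate Servlet 2.4 <security-constraint> coverage for (method, path).
Added example, not JSPWiki code.  Matching follows the servlet spec: exact,
path-prefix (/x/*), extension (*.jsp) and default (/) patterns; listed
<http-method>s constrain only those methods; overlapping constraints union
their roles; a missing <auth-constraint> opens the resource and an empty one
denies everyone.  The "*" role name is not special-cased."""
import xml.etree.ElementTree as ET

# Constructed copy of the workaround's constraints (CONFIDENTIAL omitted,
# as it was commented out in the original).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administrative Area</web-resource-name>
      <url-pattern>/NewGroup.jsp</url-pattern>
      <url-pattern>/Delete.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated area</web-resource-name>
      <url-pattern>/Edit.jsp</url-pattern>
      <url-pattern>/Comment.jsp</url-pattern>
      <url-pattern>/Login.jsp</url-pattern>
      <url-pattern>/Rename.jsp</url-pattern>
      <url-pattern>/Upload.jsp</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <web-resource-collection>
      <web-resource-name>Read-only Area</web-resource-name>
      <url-pattern>/attach</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name><role-name>Authenticated</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Assumed probe list; any method the container sees could be added here.
COMMON_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")

def pattern_matches(pattern, path):
    """Servlet-spec url-pattern semantics (no query string, no context path)."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def parse_constraints(web_xml):
    """Flatten to (patterns, methods, roles): methods None = all methods;
    roles None = no <auth-constraint>; roles set() = deny all."""
    out = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            methods = {m.text.strip().upper() for m in wrc.findall("http-method")} or None
            out.append((patterns, methods, roles))
    return out

def required_roles(constraints, method, path):
    """Roles allowed for (method, path); None when the container applies no
    constraint at all; empty set when everyone is denied."""
    method = method.upper()
    matched, roles, deny_all = False, set(), False
    for patterns, methods, croles in constraints:
        if methods is not None and method not in methods:
            continue
        if not any(pattern_matches(p, path) for p in patterns):
            continue
        if croles is None:          # no <auth-constraint>: unrestricted wins
            return None
        matched = True
        deny_all |= not croles      # empty <auth-constraint>: deny everyone
        roles |= croles
    if not matched:
        return None
    return set() if deny_all else roles

def uncovered_methods(constraints, path):
    """Methods that bypass a path some other method is constrained on:
    the gap opened by listing <http-method> elements."""
    per = {m: required_roles(constraints, m, path) for m in COMMON_METHODS}
    if all(v is None for v in per.values()):
        return []                   # nothing constrains this path at all
    return [m for m, v in per.items() if v is None]

CONSTRAINTS = parse_constraints(WEB_XML)

if __name__ == "__main__":
    for m, p in [("GET", "/Edit.jsp"), ("OPTIONS", "/Edit.jsp"), ("POST", "/attach/Main/file.png")]:
        print(m, p, "->", required_roles(CONSTRAINTS, m, p))
    print("uncovered on /Edit.jsp:", uncovered_methods(CONSTRAINTS, "/Edit.jsp"))
```

Run it against a real web.xml by replacing WEB_XML with the file's contents; anything that prints None for a method you expected to be protected is a request the container will forward without authentication, regardless of what jspwiki.policy says.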


If there is a new bug, please file it at the issue tracker. These bugs are considered fixed and new information is largely ignored.


Note that this issue has been added to the bug tracker, here.

This page (revision-12) was last changed on 18-Dec-2009 14:24 by 194.66.238.27