|Title|jspwiki.policy ignored when using Security Manager
|Date|12-Mar-2007 00:22:18 EET
|Version|2.5.28
|Submitter|69.115.43.4
|[Bug criticality]|BadBug
|Browser version|Firefox
|[Bug status]|ClosedBug
|[PageProvider] used|
|Servlet Container|tomcat5.5
|Operating System|ubuntu 6.10
|URL|http://192.168.1.104:8180/JSPWiki25/Wiki.jsp?page=Main
|Java version|1.5

Try as I might, I cannot get a custom jspwiki.policy file working with a container security manager.  I upgraded to 2.5.28 as there was a bug fix for the local policy file, but this did not appear to help.

I have granted JSPWiki all permissions in the catalina policy and JSPWiki works, but nothing with security works correctly.  Not even page ACLs (everything is editable).  If I disable container security, then the custom jspwiki.policy is followed/enforced.

I know there are issues with the container security manager, but this looks like a JSPWiki issue, not a container issue.

thanks,
Charlie



----

Charlie --

JSPWiki does not operate properly when the SecurityManager is running. It has nothing to do with the security policy -- and everything to do with the fact that we don't have all of the needed permissions enumerated yet. This is an issue, and we are aware of it and working on a fix. In the meantime, do not run JSPWiki with a security manager.

Andrew

--Andrew Jaquith, 13-Mar-2007


----

Andrew;

Thanks for the reply and keep up the great work.  I will keep an eye open for updates regarding use of a [Security Manager].

Charlie.


--AnonymousCoward, 16-Mar-2007

----
Assuming fixed, there have been various fixes against PageRenamer. 
----
Negative. I've configured a 2.6.0 installation on JBoss with DB2. I'm using container managed security and I can verify that the security policies still aren't being applied properly.
\\
It appears that a user that has both Authenticated and Admin will be granted all permissions by Admin. However, these permissions are being overridden by the denial of permissions to Authenticated.
\\
!Workaround
There is a workaround for all this. Since the policy is incompletely applied, reset the policy to 'clear' and just use a pure container-managed security model:
\\
Here is my policy:\\
{{{
// Every request carries the built-in "All" role, so this single grant hands
// AllPermission to everyone and leaves access control to the container (web.xml).
grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
}}}

And here is my web.xml:\\
{{{
   <security-constraint>
       <web-resource-collection>
           <web-resource-name>Administrative Area</web-resource-name>
           <url-pattern>/NewGroup.jsp</url-pattern>
           <url-pattern>/Delete.jsp</url-pattern>
       </web-resource-collection>
       <auth-constraint>
           <role-name>Admin</role-name>
       </auth-constraint>
       <!--
       <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
       -->
   </security-constraint>
      
   <security-constraint>
       <web-resource-collection>
           <web-resource-name>Authenticated area</web-resource-name>
           <url-pattern>/Edit.jsp</url-pattern>
           <url-pattern>/Comment.jsp</url-pattern>
           <url-pattern>/Login.jsp</url-pattern>
           <url-pattern>/Rename.jsp</url-pattern>
           <url-pattern>/Upload.jsp</url-pattern>
           <http-method>DELETE</http-method>
           <http-method>GET</http-method>
           <http-method>HEAD</http-method>
           <http-method>POST</http-method>
           <http-method>PUT</http-method>
       </web-resource-collection>

       <web-resource-collection>
           <web-resource-name>Read-only Area</web-resource-name>
           <url-pattern>/attach</url-pattern>
           <http-method>DELETE</http-method>
           <http-method>POST</http-method>
           <http-method>PUT</http-method>
       </web-resource-collection>

       <auth-constraint>
           <role-name>Admin</role-name>
           <role-name>Authenticated</role-name>
       </auth-constraint>

       <!--
       <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
       -->
   </security-constraint>
}}}

\\
--[Louis], 2008-03-13
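The following is an added, stand-alone illustration (not JSPWiki's code) of how a principal-based {{java.security.Policy}} of the kind jspwiki.policy is resolves a permission check for a Subject that carries several Role principals, using the standard {{Subject.doAsPrivileged}} / {{AccessController.checkPermission}} path. The {{Role}} and {{WikiPermission}} classes are assumed stand-ins for {{com.ecyrd.jspwiki.auth.authorize.Role}} and the JSPWiki permission classes so the file compiles without JSPWiki on the classpath; the grants in {{main}} mimic the shape of a stock policy (Admin gets everything, Authenticated gets view and edit) and then the "All" wildcard grant from the workaround above. In plain JDK policy semantics a grant to any one principal is enough to pass, and the file format has no deny syntax, which is why the wildcard grant to "All" moves every decision to the container's {{web.xml}} constraints.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

/*
 * Added demo, not JSPWiki code. Role and WikiPermission are assumed stand-ins for the
 * JSPWiki classes. Needs a JDK that still enforces Policy/AccessController (8 through 23;
 * JEP 486 removed that machinery in JDK 24):   javac RolePolicyDemo.java && java RolePolicyDemo
 */
public class RolePolicyDemo {

    /* Stand-in for com.ecyrd.jspwiki.auth.authorize.Role (assumed shape). */
    static final class Role implements Principal {
        private final String name;
        Role(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof Role && ((Role) o).name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /* Stand-in page permission: name is the page ("*" = any page), action is view/edit/delete ("*" = any). */
    static final class WikiPermission extends Permission {
        private final String action;
        WikiPermission(String page, String action) { super(page); this.action = action; }
        @Override public boolean implies(Permission p) {
            if (!(p instanceof WikiPermission)) return false;
            WikiPermission o = (WikiPermission) p;
            return ("*".equals(getName()) || getName().equals(o.getName()))
                && ("*".equals(action) || action.equals(o.action));
        }
        @Override public boolean equals(Object o) {
            return o instanceof WikiPermission && ((WikiPermission) o).getName().equals(getName())
                && ((WikiPermission) o).action.equals(action);
        }
        @Override public int hashCode() { return 31 * getName().hashCode() + action.hashCode(); }
        @Override public String getActions() { return action; }
    }

    /*
     * One "grant principal Role "X" { ... }" block per role, as in jspwiki.policy. Like the
     * JDK's file-based Policy it is purely additive: the check passes if ANY principal
     * attached to the domain has a matching grant; there is no syntax for a deny.
     */
    static final class RolePolicy extends Policy {
        private final Map<String, Permissions> grants = new HashMap<>();
        RolePolicy grant(String role, Permission p) {
            grants.computeIfAbsent(role, k -> new Permissions()).add(p);
            return this;
        }
        @Override public boolean implies(ProtectionDomain domain, Permission permission) {
            Principal[] principals = domain.getPrincipals();
            if (principals == null) return false;
            for (Principal p : principals) {
                Permissions perms = grants.get(p.getName());
                if (perms != null && perms.implies(permission)) return true;
            }
            return false;
        }
    }

    /* Evaluate a permission as a Subject holding the given roles, as a JAAS-based webapp does after login. */
    static boolean allowed(Set<String> roles, Permission wanted) {
        Subject subject = new Subject();
        for (String r : roles) subject.getPrincipals().add(new Role(r));
        PrivilegedAction<Boolean> check = () -> {
            try { AccessController.checkPermission(wanted); return true; }
            catch (AccessControlException e) { return false; }
        };
        // null context: only this code's own domain, decorated with the Subject's principals, is consulted
        return Subject.doAsPrivileged(subject, check, null);
    }

    public static void main(String[] args) {
        // Shape of a stock policy: Admin gets everything, Authenticated only view and edit
        Policy.setPolicy(new RolePolicy()
            .grant("Admin", new WikiPermission("*", "*"))
            .grant("Authenticated", new WikiPermission("*", "view"))
            .grant("Authenticated", new WikiPermission("*", "edit")));
        Set<String> authOnly = new HashSet<>(Arrays.asList("Authenticated"));
        Set<String> adminAndAuth = new HashSet<>(Arrays.asList("Admin", "Authenticated"));
        Permission editMain = new WikiPermission("Main", "edit");
        Permission deleteMain = new WikiPermission("Main", "delete");
        System.out.println("Authenticated, edit Main:         " + allowed(authOnly, editMain));
        System.out.println("Authenticated, delete Main:       " + allowed(authOnly, deleteMain));
        System.out.println("Admin+Authenticated, delete Main: " + allowed(adminAndAuth, deleteMain));

        // The workaround: a single wildcard grant to "All" (a role every session carries)
        Policy.setPolicy(new RolePolicy().grant("All", new WikiPermission("*", "*")));
        Set<String> everyone = new HashSet<>(Arrays.asList("All", "Authenticated"));
        System.out.println("All, delete Main (workaround):    " + allowed(everyone, deleteMain));
    }
}
```

The first three checks show the additive rule: Authenticated alone gets edit but not delete, and adding Admin to the same Subject turns delete on because Admin's wildcard grant is matched on its own. The last check shows why the workaround policy is only safe together with the {{web.xml}} constraints: once "All" holds a wildcard, no JSPWiki-level check can fail, so the URL patterns and roles in the container's {{<security-constraint>}} blocks are the whole access-control story.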

----

If there is a new bug, please file it at the [issue tracker|https://issues.apache.org/jira/browse/JSPWIKI].  These bugs are considered fixed and new information is largely ignored.

----
Note that this issue has been added to the bug tracker, [here|https://issues.apache.org/jira/browse/JSPWIKI-129].