|Title|jspwiki.policy ignored when using Security Manager
|Date|12-Mar-2007 00:22:18 EET
|[Bug criticality]|BadBug
|Browser version|firefix
|[Bug status]|ClosedBug
|[PageProvider] used|
|Servlet Container|tomcat5.5
|Operating System|ubuntu 6.10
|Java version|1.5

Try as I might I can not get a custom jspwiki.policy file working with a container security manager.  I upgraded to 2.5.28 as there was a bug fix for local policy file but this did not appear to help.

I have granted JSPWiki all permissions in the catalina policy and JSPWiki works but nothing with security works correctly.  Not even page ACLS (everything is editable).  If I disable container security then the custom jspwiki.policy is followed/enforced.  

I know there are issues with container security manager but this looks like JSPWiki issue not a container issue.



Charlie --

JSPWiki does not operate properly when the SecurityManager is running. It has nothing to do with the security policy -- and everything to do with the fact that we don't have all of the needed permissions enumerated yet. This is an issue, and we are aware of it and working on a fix. In the meantime, do not run JSPWiki with a security manager.


--Andrew Jaquith, 13-Mar-2007



Thanks for the reply and keep up the great work.  I will keep an eye open for updates regarding use of a [Security Manager].


--AnonymousCoward, 16-Mar-2007

Assuming fixed, there have been various fixes against PageRenamer. 
Negative. I've configured a 2.6.0 installation on JBoss with DB2. I'm using container managed security and I can verify that the security policies still aren't being applied properly.

It appears that a user that has both Authenticated and Admin will be granted the all permissions by Admin. However these all permissions are being overridden by the deny of permissions to Authenticated.