Title: Page permissions changing randomly?
Date: 18-Aug-2006 19:39:22 EEST
Submitter: Adam Ehven
Bug criticality: BadBug
Browser version: firefox
Bug status: ClosedBug
PageProvider used: file system
Servlet Container: tomcat 5.5.17
Operating System: Suse Linux
Java version: 1.5.0_07

I'm seeing page permissions, specifically Edit permissions, change randomly on my wiki. Pages that have no ACL and generally are editable by everyone suddenly become not editable, and I have to make them editable by adding an ACL to get around it.

Sometimes a server restart works; sometimes not.

Here is my security policy:

keystore "jspwiki.jks";

// JSPWiki itself needs some basic privileges in order to operate.
// If you are running JSPWiki with a security manager, don't change these,
// because it will totally b0rk the system.

grant signedBy "jspwiki" {
    permission java.security.SecurityPermission   "getPolicy";
    permission java.security.SecurityPermission   "setPolicy";
    permission java.util.PropertyPermission       "java.security.auth.login.config", "write";
    permission java.util.PropertyPermission       "java.security.policy", "read,write";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
};

// Logged-in users.
grant signedBy "jspwiki", 
  principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Group*", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

// Users who have not logged in.
grant signedBy "jspwiki", 
  principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

// Administrators, matched either as a wiki group or as a container role.
grant signedBy "jspwiki",
  principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "wiki";
};

grant signedBy "jspwiki",
  principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "wiki";
};

Does the current CVS work for you better?

-- JanneJalkanen

I haven't tried it because I have such a hard time reproducing this reliably; I was hoping someone else has seen it before I try another version. Has anyone else seen this, to your knowledge?

--Adam Ehven, 18-Aug-2006

Nope. At least nobody has reported this.

-- JanneJalkanen, 19-Aug-2006


Interestingly, I'm starting to think that the problem is related somehow to how soon after restarting the server I try to get the first page. It looks like if I restart tomcat and log in quickly, this problem is quite likely. If I wait a long time (a couple of minutes, maybe), then the page permissions seem fine. Does this make any sense to you? Could there be something not quite ready at the start and then it gets stuck when I try to use it then?



--Adam Ehven, 23-Aug-2006

It might be that the policy file is not loaded properly. Could you please check the output of admin/SecurityConfig.jsp the next time it fails?

-- JanneJalkanen

It happened again and this time I don't think I did a GET too soon after starting. Main is not editable by non-admin users. Another page also had the same problem after my last restart. I had to go in there real quick and put an ACL "ALLOW modify All" for that one, though I left Main uneditable. SecurityConfig.jsp doesn't detect this. Attached is what I get from SecurityConfig.jsp.

--Adam Ehven, 25-Aug-2006

By the way, I've only seen this happen on pages which have links to them on the Left Menu, and the left menu does have an ACL to allow only Admin to edit it. However, I can't say for sure that this doesn't happen on other pages, and when I removed the ACL from Left Menu, I still occasionally saw the problem. Very suspicious, though, isn't it?

--Adam Ehven, 25-Aug-2006

Do you possibly have two jspwiki.policy files in your webapps directory somewhere? If you have two webapps, there's no way to know whose policy file gets loaded first, in which case you should state the policy file from the command line.

-- JanneJalkanen

Yes! I have two wikis running under webapps and they each have their own policy and userdatabase.xml files, in their respective WEB-INF directories, which is just how I want it. Are you saying I need to specify which policy file gets loaded when Tomcat starts? How do I do that, and how do I get both wikis to have separate security policies and user-sets if only one policy file is loaded by Tomcat? By the way, I'm not sure this weird behavior only started when I put up the second wiki -- I kinda think I had the problem even before that, but I'm happy to go with this theory if it makes sense to you.

Thanks for all your help, too.

--Adam Ehven, 28-Aug-2006

We have the same problem on v2.4.56. We have a similar setup with ACL on the Main and LeftMenu pages but not on the pages showing this problem.

--Barry Beveridge, 12-Dec-2006

Some quick comments on the issues you raised, which are really two things.

1. ACL enforcement issue. A while back we discovered a bug that was causing page ACLs to be ignored the first time a page was loaded. This was not fixed until 2.4.68. It would certainly explain why ACLs weren't working for you immediately after startup. But, that's fixed now.

2. Security policies for multi-wiki deployments. If you want to use more than one JSPWiki instance in a single container, you need to consolidate the two policy files into one, and make sure you start up your servlet container with the correct JVM options so it knows where to find the policy. See http://doc.jspwiki.org/2.4/wiki/Security#section-Security-ImplementingCustomPolicies. This is a Java restriction; only one security policy can be in force at a time.

--Andrew Jaquith, 14-Dec-2006
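
A check for the multi-wiki situation discussed above, added here as an example; it is not part of the original thread or of JSPWiki. It reports when several webapps each ship a WEB-INF/jspwiki.policy and the JVM options do not pin one with -Djava.security.policy. The wiki names wiki-a and wiki-b and the path /opt/wiki/jspwiki.policy are constructed for the sample.

```shell
#!/bin/sh
# Added example, not JSPWiki project code. Paths and wiki names are constructed.

# Print every WEB-INF/jspwiki.policy found under a webapps directory.
find_policies() {
    find "$1" -type f -path '*/WEB-INF/jspwiki.policy' 2>/dev/null | sort
}

# Print the policy file pinned with -Djava.security.policy in a JVM option string.
pinned_policy() {
    for opt in $1; do
        case "$opt" in
            -Djava.security.policy=*)
                val=${opt#-Djava.security.policy=}
                printf '%s\n' "${val#=}" ;;   # "==" form: use only this policy
        esac
    done
}

# Print OK or AMBIGUOUS; return 1 when several policies compete and none is pinned.
check_policy_setup() {
    count=$(find_policies "$1" | wc -l | tr -d ' ')
    pinned=$(pinned_policy "$2")
    if [ "$count" -gt 1 ] && [ -z "$pinned" ]; then
        echo "AMBIGUOUS: $count jspwiki.policy files, no -Djava.security.policy"
        return 1
    fi
    echo "OK: $count policy file(s), pinned=${pinned:-none}"
}

# Constructed sample: two wikis in one container, each with its own policy file.
make_sample_webapps() {
    d=$(mktemp -d)
    for w in wiki-a wiki-b; do
        mkdir -p "$d/$w/WEB-INF"
        echo 'grant signedBy "jspwiki" { };' > "$d/$w/WEB-INF/jspwiki.policy"
    done
    printf '%s\n' "$d"
}

sample=$(make_sample_webapps)
check_policy_setup "$sample" "-Xmx256m" || true
check_policy_setup "$sample" "-Xmx256m -Djava.security.policy=/opt/wiki/jspwiki.policy"
rm -rf "$sample"
```

Against a real container, pass the Tomcat webapps directory and the combined value of CATALINA_OPTS and JAVA_OPTS as the two arguments.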

I can now reproduce the problem on 2.4.56. If I log in and edit an existing page and then log out, the Edit action vanishes. If I log in again then Edit is back. If I bounce tomcat then I can see the Edit again even when I am not logged in. I will now try running v2.4.68 or later and see if the problem is resolved.

-- Barry Beveridge, 14-Dec-2006

Should be fixed in 2.4.100.

-- JanneJalkanen

List of attachments

Attachment Name: SecurityConfig.jsp.htm
Size: 46.1 kB
Version: 1
Date Modified: 25-Aug-2006 23:11
Author: Adam Ehven
