I had a hard time getting authentication & authorization to work in JSPWiki v2.1.134-alpha using FileAuthenticator and PageAuthorizer. I wanted to deny all access to the wiki except for authenticated users.
- The 2.1 branch authentication/authorization system is broken and should not be used. Please use the following system to secure your wiki and wait for the new auth system coming in place later on... --JanneJalkanen
I used the authentication built into tomcat. Setup $TOMCAT_HOME/conf/tomcat-users.xml like this:1
<?xml version='1.0' encoding='utf-8'?> <tomcat-users> <role rolename="wikiuser"/> <role rolename="tomcat"/> <role rolename="admin"/> <user username="JacobMartinson" password="password" roles="wikiuser"/> <user username="ElJefe" password="password" roles="wikiuser"/> </tomcat-users>
and then $TOMCAT_HOME/webapps/jspwiki/WEB-INF/web.xml like this:
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>wikiuser</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>JSPWiki Editor</realm-name>
</login-config>
Restart tomcat and it worked the first time. This requires you to authenticate with basic http auth in order to view or edit any page.
-jacob (martinson.jacob at gmail.com
JSPWiki authentication with 2.1.144-alpha (works great over here) -- PascalWillemsen 2005-05-27
This gives view access to everybody and edit access to logged in users.
Create passwords.txt in WEB-INF:
# The format is simply username = password # No encryption is used currently. # Comments are allowed; prepend with hash. Pascal = TopSecret
Turn on JSPWiki authentication an tell JSPWiki where passwords.txt is in jspwiki.properties:
jspwiki.authorizer = PageAuthorizer jspwiki.authenticator = FileAuthenticator jspwiki.fileAuthenticator.fileName = <path-to-JSPWiki>/WEB-INF/passwords.txt jspwiki.policy.strictLogins = true
Edit JSPWiki/templates/default/LeftMenu.jsp:
... </wiki:NoSuchPage> <wiki:Include page="LoginBox.jsp" /> <!-- End of automatically generated page -->
Edit JSPWiki/templates/default/LoginBox.jsp:
<%@ taglib uri="/WEB-INF/jspwiki.tld" prefix="wiki" %>
<%-- Provides a small login/logout form to include in a side bar. --%>
<div class="loginbox">
<hr />
<wiki:UserCheck status="unvalidated">
<form action="<wiki:Variable var="baseURL"/>Login.jsp" accept-charset="UTF-8" method="post" >
<b>Login</b><br />
<input type="hidden" name="page" value="<wiki:Variable var="pagename"/>" />
Username: <input type="text" name="uid" size="8" />
<br />
Password: <input type="password" name="passwd" size="8" />
<br />
<input type="submit" name="action" value="login" />
</form>
</wiki:UserCheck>
<wiki:UserCheck status="validated">
<form action="<wiki:Variable var="baseURL"/>Login.jsp" accept-charset="UTF-8">
<p>
<input type="hidden" name="page" value="<wiki:Variable var="pagename"/>" />
<input type="submit" name="action" value="logout" />
</p>
</form>
<hr />
</wiki:UserCheck>
</div>
Put this in DefaultPermissions.txt:
[{SET defaultpermissions='ALLOW view Guest;ALLOW edit KnownPerson;DENY edit Guest'}]
Create a KnownPerson.txt defining the members of group KnownPerson (separate multiple usernames with a comma and a space):
[{SET members='Pascal'}]
Restart Tomcat.
I have followed all the steps above and I'm redirect to the Loginbox.jsp. As a Guest user i should see the main page and I would have to log in just to edit any page. Am i right? Is anything wrong?
Does this work with 2.2.33?
--TM, 26-Feb-2006
Add new attachment
- Features
- Download
- Documentation
- Templates
- Plugins
- Provider
- Filters
- Support
- FAQ
- Irc Channel
- Mailing List
- Weblog
- Applications
- Getting Involved
- JSPWIKI Testers
Development
Internet Search