I had a hard time getting authentication & authorization to work in JSPWiki v2.1.134-alpha using FileAuthenticator and PageAuthorizer. I wanted to deny all access to the wiki except for authenticated users.
- The 2.1 branch authentication/authorization system is broken and should not be used. Please use the following system to secure your wiki and wait for the new auth system coming in place later on... --JanneJalkanen
I used the authentication built into Tomcat. Set up $TOMCAT_HOME/conf/tomcat-users.xml like this:

    <?xml version='1.0' encoding='utf-8'?>
    <tomcat-users>
      <role rolename="wikiuser"/>
      <role rolename="tomcat"/>
      <role rolename="admin"/>
      <user username="JacobMartinson" password="password" roles="wikiuser"/>
      <user username="ElJefe" password="password" roles="wikiuser"/>
    </tomcat-users>

and then $TOMCAT_HOME/webapps/jspwiki/WEB-INF/web.xml like this:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>wikiuser</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JSPWiki Editor</realm-name>
    </login-config>

Restart Tomcat and it worked the first time. This requires you to authenticate with basic HTTP auth in order to view or edit any page.
-jacob (martinson.jacob at gmail.com)
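
A check for the web.xml shown above, as an added example that is not part of the original post: under the servlet specification a constraint that lists `<http-method>` elements applies only to those methods, and BASIC credentials are only protected in transit when a CONFIDENTIAL transport guarantee forces TLS. The function name `audit_web_xml`, the `COMMON_METHODS` set and both XML fragments are constructed for illustration and assume a web.xml without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed input: the web.xml fragment from the post, wrapped in a root
# element with no XML namespace (assumption; real files may declare one).
POSTED = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/*</url-pattern>
   <http-method>DELETE</http-method><http-method>GET</http-method>
   <http-method>POST</http-method><http-method>HEAD</http-method>
   <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>wikiuser</role-name></auth-constraint>
 </security-constraint>
 <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

# Constructed variant: no <http-method> list (the constraint then covers every
# method) plus a transport guarantee so the container requires TLS.
HARDENED = """<web-app>
 <security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>wikiuser</role-name></auth-constraint>
  <user-data-constraint>
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
 </security-constraint>
 <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

def audit_web_xml(xml_text):
    """Return a list of findings for each security-constraint in a web.xml."""
    root = ET.fromstring(xml_text)
    auth = (root.findtext("login-config/auth-method") or "").strip().upper()
    findings = []
    for sc in root.iter("security-constraint"):
        tg = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip().upper()
        if auth in ("BASIC", "FORM") and tg != "CONFIDENTIAL":
            findings.append(f"{auth} login without CONFIDENTIAL transport-guarantee")
        for wrc in sc.iter("web-resource-collection"):
            listed = {m.text.strip().upper() for m in wrc.findall("http-method") if m.text}
            uncovered = sorted(COMMON_METHODS - listed) if listed else []
            if uncovered:
                patterns = [p.text for p in wrc.findall("url-pattern")]
                findings.append(f"{patterns} not constrained for: {', '.join(uncovered)}")
    return findings

if __name__ == "__main__":
    for name, doc in (("posted", POSTED), ("hardened", HARDENED)):
        print(name, audit_web_xml(doc) or "no findings")
```
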
JSPWiki authentication with 2.1.144-alpha (works great over here) -- PascalWillemsen 2005-05-27
This gives view access to everybody and edit access to logged in users.
Create passwords.txt in WEB-INF:

    # The format is simply username = password
    # No encryption is used currently.
    # Comments are allowed; prepend with hash.
    Pascal = TopSecret

Turn on JSPWiki authentication and tell JSPWiki where passwords.txt is in jspwiki.properties:

    jspwiki.authorizer = PageAuthorizer
    jspwiki.authenticator = FileAuthenticator
    jspwiki.fileAuthenticator.fileName = <path-to-JSPWiki>/WEB-INF/passwords.txt
    jspwiki.policy.strictLogins = true

Edit JSPWiki/templates/default/LeftMenu.jsp:

    ...
    </wiki:NoSuchPage>
    <wiki:Include page="LoginBox.jsp" />
    <!-- End of automatically generated page -->

Edit JSPWiki/templates/default/LoginBox.jsp:

    <%@ taglib uri="/WEB-INF/jspwiki.tld" prefix="wiki" %>
    <%-- Provides a small login/logout form to include in a side bar. --%>
    <div class="loginbox">
      <hr />
      <wiki:UserCheck status="unvalidated">
        <form action="<wiki:Variable var="baseURL"/>Login.jsp" accept-charset="UTF-8" method="post" >
          <b>Login</b><br />
          <input type="hidden" name="page" value="<wiki:Variable var="pagename"/>" />
          Username: <input type="text" name="uid" size="8" />
          <br />
          Password: <input type="password" name="passwd" size="8" />
          <br />
          <input type="submit" name="action" value="login" />
        </form>
      </wiki:UserCheck>
      <wiki:UserCheck status="validated">
        <form action="<wiki:Variable var="baseURL"/>Login.jsp" accept-charset="UTF-8">
          <p>
            <input type="hidden" name="page" value="<wiki:Variable var="pagename"/>" />
            <input type="submit" name="action" value="logout" />
          </p>
        </form>
        <hr />
      </wiki:UserCheck>
    </div>

Put this in DefaultPermissions.txt:
[{SET defaultpermissions='ALLOW view Guest;ALLOW edit KnownPerson;DENY edit Guest'}]
Create a KnownPerson.txt defining the members of group KnownPerson (separate multiple usernames with a comma and a space):
[{SET members='Pascal'}]
Restart Tomcat.
I have followed all the steps above and I'm redirected to the LoginBox.jsp. As a Guest user I should see the main page and I would have to log in just to edit any page. Am I right? Is anything wrong?
Does this work with 2.2.33?
--TM, 26-Feb-2006