This page describes how to set up some simple access control scenarios, using the new security features of JSPWiki version 2.3.

Controlling Access to Pages#

Creating a Page Access Control List#

Suppose you've got a page that you'd like to restrict access to. You've got a page called TestSocialCommittee, and you'd like to lock it down so that only the SocialCommittee wiki group can access it. Here's how to do it.

First, make sure you've created a wiki profile. Create a user with these properties:

  • login name: arj
  • wiki name: AndrewJaquith
  • full name: Andrew Jaquith

Next, once you've logged in as arj, create a new wiki group by clicking on the "create group" link. Give the group these properties:

After you save the group, it will be saved to a page called GroupSocialCommittee. You can verify that it added the correct wiki markup to this page by opening the page GroupSocialCommittee and clicking on the "edit page" link. You should see this content:

[{ALLOW edit SocialCommittee}]
[{SET members='AndrewJaquith'}]
This is a wiki group. Edit this page to see its members.

So far so good; we've created the group we need. Now we create our test page and add an ACL to it. Edit the URL at the top of the page so that the right-most part of it reads /Edit.jsp?page=TestSocialCommittee. You should see the editor page, with an empty page (blank content). Add the following text:

[{ALLOW view SocialCommittee}]
Only the group SocialCommittee can see this.

Now log out. Try navigating to the TestSocialCommittee page. Access to the page will be denied, and you will be prompted to log in.

Log in. Try navigating to TestSocialCommittee again. You should see the text: Only the group SocialCommittee can see this.

So there you have it.

Problems#

I have a group page with the following:

[{ALLOW edit Project-XPTO}]
[{SET members='User1'}]
[{SET members='User2'}]
I also have another group, with a different name :), but with the same ACL. The thing is that User2 can access only one of the groups. I, User1, can access both groups... Also, if I change the order, or just put one of us, it never works for User2. The wiki log just says:
... forbidden (permission=("com.ecyrd.jspwiki.auth.permissions.PagePermission",...
--Adler

Edit permission does not imply "view" permission. So you need to add

"" on your page. Once there is any kind of access restriction on the page, any defaults from jspwiki.policy are gone. /Janne

Granting Expanded Default Privileges to a Wiki Group#

Releases 2.3.83 and higher of JSPWiki include the ability to grant permissions to wiki groups, in addition to (or as a substitute for) entries in each page's access control list.

For example, you can grant edit privileges on the page Main of wiki MyWiki to the group SocialCommittee by modifying your jspwiki.policy file as follows:

grant signedBy "jspwiki" 
  principal com.ecyrd.jspwiki.auth.GroupPrincipal "SocialCommittee" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "MyWiki:Main", "edit";
};

You can grant permission to collections of pages, too. Here's a permission that allows editing for any page on MyWiki with the prefix "SocialCommittee":

    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "MyWiki:SocialCommittee*", "edit";

Designating an Administrator Group#

JSPWiki ships by default without a designated wiki administrator account. But it's easy to grant administrative privileges to a user or wiki group. For example, to specify user Janne as the administrator of MyWiki, add this grant-block to your jspwiki.policy file:

grant signedBy "jspwiki"
  principal "Janne" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "MyWiki";
};

Likewise, you can grant administrative privileges to a wiki group called "WikiAdmins" as follows:

grant signedBy "jspwiki"
  principal com.ecyrd.jspwiki.auth.GroupPrincipal "WikiAdmins" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "JSPWiki";
};

Be careful when you create an administrator group; you should always protect the group page for your administrator group with an ACL that prevents the page from being changed by anyone other than members of the group itself. For example, the ACL for page GroupWikiAdmins should contain something like this:

[{ALLOW edit WikiAdmins}]

This will prevent ordinary users (who may have been granted the ability to edit wiki groups elsewhere in the security policy) from adding themselves to this group, and thereby elevating their privileges.
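One way to check this across a wiki, as an added example that is not JSPWiki's own code: it reads the grant blocks of a jspwiki.policy text, finds the groups granted AllPermission, and reports those whose group page is not edit-restricted to the group itself. It assumes the group page is named Group plus the group name (as with GroupSocialCommittee above), that the ACL names the group the way the SocialCommittee example does, and that page texts are supplied as a dictionary; the function names and sample data are constructed for illustration.

```python
import re

# Group grant block in jspwiki.policy, in the syntax this page shows.
GRANT_RE = re.compile(
    r'grant\b[^{]*?principal\s+com\.ecyrd\.jspwiki\.auth\.GroupPrincipal'
    r'\s+"([^"]+)"\s*\{(.*?)\};', re.S)
# Page ACL entry such as [{ALLOW edit WikiAdmins}]; comma-separated
# principals are an assumption of this example.
ACL_RE = re.compile(r'\[\{ALLOW\s+(\w+)\s+([^}]+)\}\]')

# Constructed sample policy, modelled on the grant blocks on this page.
SAMPLE_POLICY = '''
grant signedBy "jspwiki"
  principal com.ecyrd.jspwiki.auth.GroupPrincipal "SocialCommittee" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "MyWiki:Main", "edit";
};
grant signedBy "jspwiki"
  principal com.ecyrd.jspwiki.auth.GroupPrincipal "WikiAdmins" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "JSPWiki";
};
'''

def admin_groups(policy_text):
    """Names of wiki groups that the policy grants AllPermission."""
    return [name for name, body in GRANT_RE.findall(policy_text)
            if "permissions.AllPermission" in body]

def edit_principals(page_text):
    """Principals named in ALLOW edit entries of a page's wiki markup."""
    allowed = set()
    for action, principals in ACL_RE.findall(page_text):
        if action == "edit":
            allowed.update(p.strip() for p in principals.split(","))
    return allowed

def unprotected_admin_groups(policy_text, pages):
    """Admin groups whose Group<name> page is not edit-restricted to the group."""
    return [g for g in admin_groups(policy_text)
            if edit_principals(pages.get("Group" + g, "")) != {g}]

if __name__ == "__main__":
    # Constructed page texts: the first lacks the ACL, the second carries it.
    for text in ("[{SET members='Janne'}]",
                 "[{ALLOW edit WikiAdmins}]\n[{SET members='Janne'}]"):
        print(unprotected_admin_groups(SAMPLE_POLICY, {"GroupWikiAdmins": text}))
```

A group is also reported when its page is missing from the dictionary or when the edit ACL names anyone besides the group itself.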

CategoryDocumentation

Checklist for container-managed authentication#

You can find an example checklist for a specific environment
  • linux
  • tomcat
here: Checklist for container-managed authentication

This page (revision-21) was last changed on 29-Jun-2006 11:44 by PJ Adler