This page describes how to set up some simple access control scenarios, using the [new security features|Security 2.3] of JSPWiki version 2.3.


!!!Controlling Access to Pages
!!Creating a Page Access Control List
Suppose you've got a page that you'd like to restrict access to. You've got a page called {{TestSocialCommittee}}, and you'd like to lock it down so that only the {{SocialCommittee}} wiki group can access it. Here's how to do it.

First, make sure you've created a wiki profile. Create a user with these properties:
* login name: arj
* wiki name: AndrewJaquith
* full name: Andrew Jaquith 

Next, once you've logged in as {{arj}}, create a new wiki group by clicking on the "create group" link. Give the group these properties:
* group name: SocialCommittee
* members: Andrew Jaquith

After you save the group, it will be saved to a page called {{GroupSocialCommittee}}. You can verify that it added the correct wiki markup to this page by opening the page {{GroupSocialCommittee}} and clicking on the "edit page" link. You should see this content:
{{{[{ALLOW edit SocialCommittee}]
[{SET members='AndrewJaquith'}]
This is a wiki group. Edit this page to see its members.}}}

So far so good; we've created the group we need. Now we create our test page and add an ACL to it. Edit the URL at the top of the page so that the right-most part of it reads {{/Edit.jsp?page=TestSocialCommittee}}. You should see the editor page, with an empty page (blank content). Add the following text:
{{{[{ALLOW view SocialCommittee}]
Only the group SocialCommittee can see this.}}}

Now log out. Try navigating to the {{TestSocialCommittee}} page. Access to the page will be denied, and you will be prompted to log in.

Log in. Try navigating to {{TestSocialCommittee}} again. You should see the text {{Only the group SocialCommittee can see this.}}

So there you have it.


I have a group page with the following:
{{{[{ALLOW edit Project-XPTO}]
[{SET members='User1'}]
[{SET members='User2'}]}}}
I also have another group, with a different name :), but with the same ACL. The thing is that User2 can access only one of the groups. I, User1, can access both groups... Also, if I change the order, or just put one of us, it never works for User2. The wiki log just says:
{{{... forbidden (permission=("com.ecyrd.jspwiki.auth.permissions.PagePermission",...}}}

Edit permission does not imply "view" permission. So you need to add "[{ALLOW view All}]" on your page. Once there is any kind of access restriction on the page, any defaults from jspwiki.policy are gone.

!!Granting Expanded Default Privileges to a Wiki Group
Releases 2.3.83 and higher of JSPWiki include the ability to grant permissions to wiki groups, in addition to (or as a substitute for) entries in each page's access control list.

For example, you can grant edit privileges on the page Main of wiki MyWiki to the group {{SocialCommittee}} by modifying your {{jspwiki.policy}} file as follows:
{{{grant signedBy "jspwiki"
  principal com.ecyrd.jspwiki.auth.GroupPrincipal "SocialCommittee" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "MyWiki:Main", "edit";
};}}}

You can grant permission to collections of pages, too. Here's a permission that allows editing for any page on MyWiki with the prefix "SocialCommittee":
{{{    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "MyWiki:SocialCommittee*", "edit";}}}

!!Designating an Administrator Group
JSPWiki ships by default without a designated wiki administrator account. But it's easy to grant administrative privileges to a user or wiki group. For example, to specify user {{Janne}} as the administrator of MyWiki, add this grant-block to your {{jspwiki.policy}} file:
{{{grant signedBy "jspwiki"
  principal "Janne" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "MyWiki";
};}}}

Likewise, you can grant administrative privileges to a wiki group called "WikiAdmins" as follows:
{{{grant signedBy "jspwiki"
  principal com.ecyrd.jspwiki.auth.GroupPrincipal "WikiAdmins" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "JSPWiki";
};}}}

Be careful when you create an administrator group; you should ''always'' protect the group page for your administrator group with an ACL that prevents the page from being changed by anyone other than members of the group itself. For example, the ACL for page {{GroupWikiAdmins}} should contain something like this:
{{{[{ALLOW edit GroupWikiAdmins}]}}}
This will prevent ordinary users (who may have been granted the ability to edit wiki groups elsewhere in the security policy) from adding themselves to this group, and thereby elevating their privileges.
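As an added example (not part of this page or of JSPWiki itself), here is a small Python audit script that parses the {{[{ALLOW ...}]}} and {{[{SET members=...}]}} markup shown above and reports group pages whose edit ACL is missing or names anyone other than the group itself, which is exactly the self-enrolment risk described above. The page sources it scans are constructed samples; a real run would read the {{Group*}} pages from your page store.

```python
import re

# Markup forms used on JSPWiki 2.3 group pages, as shown on this page.
ACL_RE = re.compile(r"\[\{ALLOW\s+(\w+)\s+([^}]+)\}\]")
MEMBERS_RE = re.compile(r"\[\{SET\s+members='([^']*)'\}\]")

def parse_page(text):
    """Return ({action: set(principals)}, set(members)) from page markup."""
    acl, members = {}, set()
    for action, principals in ACL_RE.findall(text):
        acl.setdefault(action.lower(), set()).update(
            p.strip() for p in principals.split(",") if p.strip())
    for listed in MEMBERS_RE.findall(text):
        members.update(m.strip() for m in listed.split(",") if m.strip())
    return acl, members

def audit_group_page(page_name, text):
    """Return a finding for a Group<Name> page whose edit ACL is missing or
    names principals other than the group itself; None if it looks fine."""
    if not page_name.startswith("Group"):
        return None  # not a group page
    group = page_name[len("Group"):]
    acl, _members = parse_page(text)
    editors = acl.get("edit")
    if editors is None:
        return f"{page_name}: no edit ACL, so anyone with default edit rights can join {group}"
    # Accept either spelling of the self-reference used on this page.
    extra = editors - {group, page_name}
    if extra:
        return f"{page_name}: edit ACL also allows {sorted(extra)} to change membership"
    return None

def audit_all(pages):
    """Run the group-page check over a {page_name: markup} dict."""
    findings = [audit_group_page(name, text) for name, text in pages.items()]
    return [f for f in findings if f]
# Constructed sample page sources (not from a real wiki).
SAMPLE_PAGES = {
    "GroupSocialCommittee": "[{ALLOW edit SocialCommittee}]\n"
                            "[{SET members='AndrewJaquith'}]\n",
    "GroupWikiAdmins": "[{ALLOW edit WikiAdmins}]\n[{SET members='Janne'}]\n",
    "GroupProjectTeam": "[{SET members='User1'}]\n[{SET members='User2'}]\n",
    "GroupHelpers": "[{ALLOW edit All}]\n[{SET members='User1, User2'}]\n",
    "TestSocialCommittee": "[{ALLOW view SocialCommittee}]\nOnly the group "
                           "SocialCommittee can see this.\n",
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_PAGES):
        print(finding)
```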


!!!Checklist for container-managed authentication
You can find an example checklist for a specific environment here: [Checklist for container-managed authentication].