[
https://issues.apache.org/jira/browse/JSPWIKI-841?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14004673#comment-14004673
]
Owen Farrell commented on JSPWIKI-841:
--------------------------------------
So I went down that road before, and the issue I had (and am now re-having by
replacing security) is that JSPWiki looses the concept of my session. Below is
the DEBUG output from my JSPWiki log from Tomcat's HTTP request threads.
>From the main page, I clicked login (the first set of log statements). Then I
>submitted my credentials (the second set of log statements). But my session ID
>changed. So I'm never actually logged in.
*Request Login.jsp?redirect=Main*
{quote}
2014-05-21 13:39:05,668 [http-apr-8080-exec-114] DEBUG
org.apache.wiki.auth.SessionMonitor - Looking up WikiSession for session
ID=D856B51B1389AC51332ACDBA9C51ECE4... not found. Creating guestSession()
2014-05-21 13:39:05,668 [http-apr-8080-exec-114] DEBUG
org.apache.wiki.WikiContext - Creating WikiContext for session
ID=D856B51B1389AC51332ACDBA9C51ECE4; target=Login
2014-05-21 13:39:05,668 [http-apr-8080-exec-114] DEBUG JSPWiki - Login
template content is: /templates/default/ViewTemplate.jsp
2014-05-21 13:39:05,668 [http-apr-8080-exec-114] DEBUG
org.apache.wiki.auth.SessionMonitor - Looking up WikiSession for session
ID=D856B51B1389AC51332ACDBA9C51ECE4... found it
{quote}
*Submit Credentials*
{quote}
2014-05-21 13:39:09,059 [http-apr-8080-exec-106] DEBUG
org.apache.wiki.auth.SessionMonitor - Looking up WikiSession for session
ID=473C1FBBE2357D630D501DC3C06B2745... not found. Creating guestSession()
2014-05-21 13:39:09,059 [http-apr-8080-exec-106] DEBUG
org.apache.wiki.WikiContext - Creating WikiContext for session
ID=473C1FBBE2357D630D501DC3C06B2745; target=Login
2014-05-21 13:39:09,059 [http-apr-8080-exec-106] DEBUG JSPWiki - Login
template content is: /templates/default/ViewTemplate.jsp
2014-05-21 13:39:09,059 [http-apr-8080-exec-106] DEBUG
org.apache.wiki.auth.SessionMonitor - Looking up WikiSession for session
ID=473C1FBBE2357D630D501DC3C06B2745... found it
{quote}
Is there any correlation between the JSPWiki session ID and the JSESSIONID
assigned by a container?
> Container Managed Security Not Working
> --------------------------------------
>
> Key: JSPWIKI-841
> URL: https://issues.apache.org/jira/browse/JSPWIKI-841
> Project: JSPWiki
> Issue Type: Bug
> Components: Authentication & Authorization
> Affects Versions: 2.10
> Environment: Tomcat 7.0.42
> Java 1.7.0_51
> Windows 2008R2
> Reporter: Owen Farrell
> Fix For: 2.10.1
>
>
> In order to set up container-managed security, I've set set jspwiki.security
> to 'off' and uncommented the security constraints defined in the deployment
> descriptor.
> However, by setting jspwiki.security to off, no AuthorizationManager
> registers itself with the WikiEngine. As a result, all logins fail with the
> following exception:
> {quote}
> INFO SecurityLog JSPWiki:/wiki/Edit.jsp -
> WikiSecurityEvent.LOGIN_AUTHENTICATED
> [source=org.apache.wiki.auth.AuthenticationManager@1c42c135,
> princpal=org.apache.catalina.realm.GenericPrincipal ofarrell,
> target=org.apache.wiki.WikiSession@1708e9ad]
> WARN org.apache.wiki.WikiSession JSPWiki:/wiki/Edit.jsp - User profile
> 'ofarrell' not found. This is normal for container-auth users who haven't set
> up a profile yet.
> org.apache.wiki.auth.WikiSecurityException: Authorizer did not initialize
> properly. Check the logs.
> at
> org.apache.wiki.auth.AuthorizationManager.getAuthorizer(AuthorizationManager.java:336)
> at
> org.apache.wiki.auth.AuthenticationManager.login(AuthenticationManager.java:312)
> at
> org.apache.wiki.ui.WikiServletFilter.doFilter(WikiServletFilter.java:159)
> {quote}
--
This message was sent by Atlassian JIRA
(v6.2#6252)
