I'm researching a fix for referenced issue whereby it appears as if - specific roles are hard coded - all roles need to be defined in web.xml which isn't always feasible - jspwiki roles need to match exactly that of roles defined in external user attributes providers, such as LDAP, Keycloak, etc
I was able to alias external roles to internal roles, but I'm not entirely sure where the user's roles need to be attached to in order to make the check permissions result be accurate. In the WikiSession class, we have a subject (which has it's own roles/principles), a login principle and a user principle and it's not clear how these are actually used to check permissions. It looks like at least some of the checks are done via built in JDK apis, others are done via a 3rd party library. Could use some guidance on this by whomever wrote this (probably Juan)
