Hi! Since I'm mentioned: I did not write the authorization/authentication part. IIRC, that was written mostly by Andrew Jaquith and/or Janne Jalkanen (JSPWiki's creator). As of today, both of them are inactive.
These parts also rely on the freshcookies library, which was also written by Andrew, and has neither source nor javadoc at central, so the only way to look at that code is by decompiling it. I'd start looking at the AuthenticationManager, and start fishing from there. I think the role attachment is done at the different LoginModule level, but I don't have the code in front of me right now, so I'm not 100% sure about that.

HTH,
juan pablo

On Thu, 30 Oct 2025, 17:46, Alex O'Ree <[email protected]> wrote:

> I'm researching a fix for the referenced issue whereby it appears as if
> - specific roles are hard coded
> - all roles need to be defined in web.xml which isn't always feasible
> - JSPWiki roles need to match exactly that of roles defined in external
> user attributes providers, such as LDAP, Keycloak, etc
>
> I was able to alias external roles to internal roles, but I'm not entirely
> sure where the user's roles need to be attached to in order to make the
> check permissions result be accurate. In the WikiSession class, we have a
> subject (which has its own roles/principals), a login principal and a user
> principal and it's not clear how these are actually used to check
> permissions. It looks like at least some of the checks are done via built-in
> JDK APIs, others are done via a third-party library.
>
> Could use some guidance on this by whoever wrote this (probably Juan)
>
