spyhunter99 opened a new pull request, #449:
URL: https://github.com/apache/jspwiki/pull/449
Covers the following issues
- JSPWIKI-1176 Admin and Authenticated roles hard coded
- JSPWIKI-1249 Container based authentication, can't get admin permissions
- JSPWIKI-841 Container Managed Security Not Working
I have an IT test for this but it does not align with the current "IT"
module configuration (it needs a number of Tomcat conf changes and that doesn't
appear to be supported from the current setup).
The notes for testing/validating this...
To make container based authentication work, you need the following in
jspwiki-custom.properties
jspwiki.loginModule.class = org.apache.wiki.auth.login.WebContainerLoginModule
And then in jspwiki/WEB-INF/web.xml
change the login configuration to whatever you need, HTTP_BASIC,
HTTP_DIGEST or CLIENT-CERT, etc
or if you get your permissions/roles from elsewhere i.e. a servlet
filter, reverse proxy/keycloak auth, etc, do what you need to do
AND you need at least one of the following
Option A - assuming your desired role names for the wiki admin and user
roles/groups are different from the default.
And then in jspwiki/WEB-INF/web.xml
edit the roles for admin/authenticated users as needed to match your
setup
AND
in jspwiki.policy
find and replace "Admin" and "Authenticated" with your desired role for
admin level users or regular users
Option B - use the new aliasing mechanism
leave web.xml and the policy file as is (with regards to roles) and then
alias the roles using the following (or alter as described above) then
edit jspwiki-custom.properties
jspwiki.role.admin=wikiadmin
jspwiki.role.authenticated=wikiuser
whereby wikiadmin is the group/role you want for admin users and wikiuser is
the group/role you want for all authenticated users.
In addition, if you have extra roles defined somewhere that, for some reason,
are not practical to put in web.xml, or maybe web.xml is read only, you can
tell jspwiki about them via
jspwiki-custom.properties
jspwiki.role.extraRoles=role1,role2,
This use case is primarily for page level permissions enforcement... i.e.
[ALLOW edit role1]
[ALLOW view role1]
etc.
Whereby those roles aren't mentioned anywhere in the web.xml or policy file
but are provided from outside of jspwiki (i.e. container based auth).
Unfortunately I was unable to make this dynamic due to a number of technical
issues, namely the design of internal APIs prohibits this.
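A small lint for the jspwiki-custom.properties settings named in the pull request above, as an added example that is not part of the pull request or of JSPWiki. The property names and default role names come from the text; the checks, the simplified parser and the sample file are assumptions made for illustration.

```python
# Added example: lint for the container-auth properties named in the PR text.
# The checks and the sample file are constructed; this is not JSPWiki code.
WEB_CONTAINER_MODULE = "org.apache.wiki.auth.login.WebContainerLoginModule"
ALIAS_DEFAULTS = {"jspwiki.role.admin": "Admin",
                  "jspwiki.role.authenticated": "Authenticated"}

SAMPLE = """\
# constructed jspwiki-custom.properties
jspwiki.loginModule.class = org.apache.wiki.auth.login.WebContainerLoginModule
jspwiki.role.admin=wikiadmin
jspwiki.role.authenticated=wikiuser
jspwiki.role.extraRoles=role1,role2,
"""

def parse_properties(text):
    """Simplified .properties reader: 'key=value' lines, '#'/'!' comments.
    Backslash continuations and escapes are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def effective_roles(props):
    """Return (admin_role, authenticated_role, extra_roles) after aliasing."""
    admin, user = (props.get(k) or d for k, d in ALIAS_DEFAULTS.items())
    extra = [r.strip() for r in props.get("jspwiki.role.extraRoles", "").split(",")]
    return admin, user, [r for r in extra if r]  # drop the empty trailing entry

def lint(props):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if props.get("jspwiki.loginModule.class") != WEB_CONTAINER_MODULE:
        findings.append("jspwiki.loginModule.class is not WebContainerLoginModule")
    for key in ALIAS_DEFAULTS:
        if key in props and not props[key]:
            findings.append(f"{key} is set but empty")
    admin, user, extra = effective_roles(props)
    if admin == user:
        findings.append("admin and authenticated map to the same container role")
    if len(extra) != len(set(extra)):
        findings.append("jspwiki.role.extraRoles lists a role more than once")
    return findings

if __name__ == "__main__":
    for finding in lint(parse_properties(SAMPLE)) or ["no findings"]:
        print(finding)
```

The same-role check matters because a container role shared by both aliases would give every authenticated user the admin role as well.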