[jira] [Commented] (JSPWIKI-1249) Container based authentication, can't get admin permissions

Sun, 14 Dec 2025 09:05:11 -0800 


    [ 
https://issues.apache.org/jira/browse/JSPWIKI-1249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18044991#comment-18044991
 ] 

ASF subversion and git services commented on JSPWIKI-1249:
----------------------------------------------------------

Commit 3498eda383aeb735f0a4d51daf9619f40d263bfa in jspwiki's branch 
refs/heads/master from Alex O'Ree
[ https://gitbox.apache.org/repos/asf?p=jspwiki.git;h=3498eda38 ]

JSPWIKI-1176 potential fix
JSPWIKI-1249 potential fix
JSPWIKI-841 potential fix


> Container based authentication, can't get admin permissions
> -----------------------------------------------------------
>
>                 Key: JSPWIKI-1249
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-1249
>             Project: JSPWiki
>          Issue Type: Bug
>            Reporter: Alex O'Ree
>            Assignee: Alex O'Ree
>            Priority: Major
>
> related to JSPWIKI-841 and JSPWIKI-1176 but this is different.
> All attach all the configuration files and the branch i'm working on but 
> basically i have the following configuration
>  * Tomcat hosted JSPWiki
>  * Tomcat users xml file has the following groups
>  ** wikiadmin
>  ** wikiusers
>  * Tomcat users xml file has the following users
>  ** jspadmin in wikiadmin,wikiusers
>  ** jspuser in wikiusers
>  * JSPWiki web.xml
>  ** set for HTTP_BASIC authentication
>  ** the roles for Admin were all changed to wikiadmin
>  ** the roles for Authenticated were changed to wikiuser
>  * JSPWiki Policy file was changed from AllPermsions: Admin to 
> AllPermissions: wikiadmin (which made no difference)
> So my goal is to get admin privileges without using the "Admin" group/role by 
> renaming it. This has failed.
> I've also added a new jspwiki property for providing an aliasing mechanism 
> for externally defined roles to the "Admin" jspwiki role. I can see it 
> getting attached to the user however i still not able to get the delete 
> permission anywhere.
>  
> This might be caused by the DefaultAuthorizationManager#allowedByLocalPolicy 
> which calls from jdk api but I can't seem to figure out what's going on here.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to