[ 
https://issues.apache.org/jira/browse/JSPWIKI-1176?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alex O'Ree resolved JSPWIKI-1176.
---------------------------------
    Fix Version/s: 3.0.0
       Resolution: Fixed

notes from the PR

 
Covers the following issues
 * JSPWIKI-1176 Admin and Autenticated roles hard coded
 * JSPWIKI-1249 Container based authentication, can't get admin permissions
 * JSPWIKI-841 Container Managed Security Not Working

I have an IT test for this but it does not align with the current "IT" module 
configuration (it needs a number of Tomcat conf changes, and that doesn't appear to be 
supported from the current setup).

The notes for testing/validating this...

To make container based authentication work, you need the following

jspwiki-custom.properties
jspwiki.loginModule.class = org.apache.wiki.auth.login.WebContainerLoginModule
And then in jspwiki/WEB-INF/web.xml
change the login configuration to whatever you need, HTTP_BASIC, HTTP_DIGEST or 
CLIENT-CERT, etc
or if you get your permissions/roles from elsewhere i.e. a servlet filter, 
reverse proxy/keycloak auth, etc, do what you need to do

AND you need at least one of the following

Option A - assuming your desired role names for the wiki admin and user 
roles/groups are different from the default.
And then in jspwiki/WEB-INF/web.xml
edit the roles for admin/authenticated users as needed to match your setup
AND
in jspwiki.policy
find and replace "Admin" and "Authenticated" with your desired role for admin 
level users or regular users

Option B - use the new aliasing mechanism
leave web.xml and the policy file as is (with regards to roles) and then alias 
the roles using the following (or alter as described above) then
edit jspwiki-custom.properties
jspwiki.role.admin=wikiadmin
jspwiki.role.authenticated=wikiuser

whereby wikiadmin is the group/role you want for admin users and wikiuser is 
the group/role you want for all authenticated users.

In addition, if you have extra roles defined somewhere that, for some reason, 
are not practical to put in web.xml, or maybe web.xml is read only, you can 
tell jspwiki about them via

jspwiki-custom.properties
jspwiki.role.extraRoles=role1,role2,
This use case is primarily for page level permissions enforcement... i.e.
[ALLOW edit role1]
[ALLOW view role1]
etc.

Whereby those roles aren't mentioned anywhere in the web.xml or policy file but 
are provided from outside of jspwiki (i.e. container based auth). Unfortunately 
I was unable to make this dynamic due to a number of technical issues, namely 
the design of internal APIs prohibits this.

> Admin and Autenticated roles hard coded
> ---------------------------------------
>
>                 Key: JSPWIKI-1176
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-1176
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Authentication & Authorization
>    Affects Versions: 2.11.3
>         Environment: wildfly-26.1.2.Final
>            Reporter: Jürgen Weber
>            Assignee: Alex O'Ree
>            Priority: Minor
>              Labels: pull-request-available
>             Fix For: 3.0.0
>
>         Attachments: image-2025-10-30-10-46-44-578.png
>
>
> With container managed auth in JBoss EAP I had changed the Admin and 
> Authenticated role names to role names from our AD.
> (changed jspwiki.policy and web.xml)
> Login and trying to edit failed then with the infamous Sorry, but you are not 
> allowed to do that error page.
> I then used a JBoss role mapper from our roles to Admin and Authenticated and 
> things worked.
> Looks like the Admin and Authenticated roles are somewhere hard coded (in .js 
> ?).
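The following is an added illustration, not JSPWiki's own code: a small hypothetical model of the role aliasing described in the resolution notes above (Option B plus jspwiki.role.extraRoles) and of a page-level [ALLOW action roles] check. The property names are the ones from the notes; the defaults "Admin" and "Authenticated", the function names, the properties file and the page text are constructed for the example, and the ACL syntax is the form shown in the notes.

```python
# Added example: a hypothetical model of the role aliasing described in the
# resolution notes. It is not JSPWiki's own code; property names come from the
# notes, the functions and sample data are constructed for illustration.
import re

# Constructed sample of a jspwiki-custom.properties (Option B plus extraRoles).
SAMPLE_PROPERTIES = """
# container login module, as in the notes
jspwiki.loginModule.class = org.apache.wiki.auth.login.WebContainerLoginModule
jspwiki.role.admin=wikiadmin
jspwiki.role.authenticated=wikiuser
jspwiki.role.extraRoles=role1,role2,
"""

# Constructed sample page text using the ACL form shown in the notes.
SAMPLE_PAGE = """[ALLOW edit role1]
[ALLOW view role1, role2]
Some page content.
"""

# Matches "[ALLOW action principals]" and also tolerates "[{ALLOW ...}]".
ACL_RE = re.compile(r"\[\{?ALLOW\s+(\w+)\s+([^\]\}]+?)\}?\]")


def parse_properties(text):
    """Minimal key=value parser for the properties lines used here."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def split_roles(value):
    """Split a comma list; tolerates the trailing comma seen in extraRoles."""
    return [r.strip() for r in value.split(",") if r.strip()]


def wiki_roles(container_roles, props):
    """Translate roles granted by the container into the names the wiki uses.

    Without aliases this model looks for the literal container roles "Admin"
    and "Authenticated" (assumed defaults). With jspwiki.role.admin and
    jspwiki.role.authenticated set, it looks for those names instead, and
    extraRoles are passed through unchanged so page ACLs can reference them.
    """
    granted = set(container_roles)
    admin_name = props.get("jspwiki.role.admin", "Admin")
    auth_name = props.get("jspwiki.role.authenticated", "Authenticated")
    extra = split_roles(props.get("jspwiki.role.extraRoles", ""))

    effective = set()
    if admin_name in granted:
        effective.add("Admin")
    if auth_name in granted:
        effective.add("Authenticated")
    effective.update(r for r in extra if r in granted)
    return effective


def page_allows(page_text, action, roles):
    """Evaluate [ALLOW action principals] lines on a page.

    Returns True if an ALLOW for the action names one of the caller's roles,
    False if the page restricts the action but none match, and None when the
    page has no ACL for that action (so the global policy would decide).
    """
    decided = None
    for act, principals in ACL_RE.findall(page_text):
        if act != action:
            continue
        decided = False
        if set(split_roles(principals)) & set(roles):
            return True
    return decided


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    user = wiki_roles(["wikiuser", "role1"], props)
    print("wiki roles:", sorted(user))
    print("can edit:", page_allows(SAMPLE_PAGE, "edit", user))
```

The point the model makes visible is the one behind the three linked issues: once jspwiki.role.admin is set to "wikiadmin", a container principal carrying the literal role "Admin" no longer maps to the wiki's admin role, so the container role names, the alias properties and any [ALLOW ...] entries have to be checked against each other as one configuration.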



--
This message was sent by Atlassian Jira
(v8.20.10#820010)