Author: ajaquith
Date: Fri Feb 26 05:17:18 2010
New Revision: 916571

URL: http://svn.apache.org/viewvc?rev=916571&view=rev
Log:
Slight tweaks to the admin pages, which are being re-organized. Security config 
is now one of the tabs on Admin.jsp. User management partially re-worked but 
not yet functional.

Removed:
    
incubator/jspwiki/trunk/src/WebContent/templates/default/admin/UserManagement.jsp
Modified:
    incubator/jspwiki/trunk/ChangeLog
    incubator/jspwiki/trunk/src/WebContent/templates/default/admin/Admin.jsp
    
incubator/jspwiki/trunk/src/WebContent/templates/default/admin/tabs/Security.jsp
    
incubator/jspwiki/trunk/src/WebContent/templates/default/admin/tabs/Users.jsp
    incubator/jspwiki/trunk/src/java/org/apache/wiki/Release.java
    incubator/jspwiki/trunk/src/java/org/apache/wiki/action/AdminActionBean.java
    
incubator/jspwiki/trunk/src/java/org/apache/wiki/action/AdministerProfilesActionBean.java

Modified: incubator/jspwiki/trunk/ChangeLog
URL: 
http://svn.apache.org/viewvc/incubator/jspwiki/trunk/ChangeLog?rev=916571&r1=916570&r2=916571&view=diff
==============================================================================
--- incubator/jspwiki/trunk/ChangeLog (original)
+++ incubator/jspwiki/trunk/ChangeLog Fri Feb 26 05:17:18 2010
@@ -1,5 +1,15 @@
 2010-02-23 Andrew Jaquith <ajaquith AT apache DOT org>
 
+        * 3.0.0-svn-209
+
+        * Moved top-level Error.jsp into the templates directory.
+
+        * Slight tweaks to the admin pages, which are being re-organized.
+        Security config is now one of the tabs on Admin.jsp. User
+        management partially re-worked but not yet functional.
+
+2010-02-23 Andrew Jaquith <ajaquith AT apache DOT org>
+
         * 3.0.0-svn-208
 
         * Useful tweaks to the AJAX-related Stripes JavaScript. The

Modified: 
incubator/jspwiki/trunk/src/WebContent/templates/default/admin/Admin.jsp
URL: 
http://svn.apache.org/viewvc/incubator/jspwiki/trunk/src/WebContent/templates/default/admin/Admin.jsp?rev=916571&r1=916570&r2=916571&view=diff
==============================================================================
--- incubator/jspwiki/trunk/src/WebContent/templates/default/admin/Admin.jsp 
(original)
+++ incubator/jspwiki/trunk/src/WebContent/templates/default/admin/Admin.jsp 
Fri Feb 26 05:17:18 2010
@@ -21,7 +21,7 @@
 <%@ taglib uri="http://jakarta.apache.org/jspwiki.tld"; prefix="wiki" %>
 <%@ taglib uri="http://stripes.sourceforge.net/stripes.tld"; prefix="s" %>
 <%@ page import="org.apache.wiki.WikiContext" %>
-<%@ page errorPage="/Error.jsp" %>
+<%@ page errorPage="${templates['Error.jsp']}" %>
 <s:layout-render name="${templates['layout/DefaultLayout.jsp']}">
 
   <s:layout-component name="headTitle">
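Review bot: The new `errorPage="${templates['Error.jsp']}"` value on the page directive is unlikely to be evaluated, because page-directive attributes are fixed at translation time and do not accept EL or other request-time expressions. The container would then either reject the page or treat the text as a literal path that does not exist. In the second case, errors on this admin page would fall through to the container's default error handling, which on many setups prints a stack trace. The same directive is added to Security.jsp and Users.jsp in this commit. Consider a static path here, or drop the directive and map the template error page through an `<error-page>` entry in `web.xml`.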
@@ -39,9 +39,12 @@
     
       <wiki:TabbedSection defaultTab="${param['tab']}">
       
-        <wiki:Tab id="users" title="Users">
-          <jsp:include page="admin/UserManagement.jsp" />
+        <wiki:Tab id="security" title="Security">
+          <jsp:include page="${templates['admin/tabs/Security.jsp']}" />
         </wiki:Tab>
+
+        <wiki:Tab id="users" title="Users"
+          beanclass="org.apache.wiki.action.AdministerProfilesActionBean" />
           
         <wiki:Tab id="groups" title="Groups">
           <div>
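Review bot: The new Users tab points straight at `org.apache.wiki.action.AdministerProfilesActionBean`, which the commit log describes as not yet functional, and nothing in this hunk shows how that bean's events are restricted. A bean-backed tab presumably resolves to the bean's own URL, so the bean needs its own administrator permission check rather than relying on the one that guards Admin.jsp. That cannot be confirmed from here because the bean's source is outside this hunk. Until the work is finished, a marker such as `<%-- Users tab: AdministerProfilesActionBean is work in progress; confirm its events require the admin permission --%>` above the tab would keep this visible.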

Modified: 
incubator/jspwiki/trunk/src/WebContent/templates/default/admin/tabs/Security.jsp
URL: 
http://svn.apache.org/viewvc/incubator/jspwiki/trunk/src/WebContent/templates/default/admin/tabs/Security.jsp?rev=916571&r1=916570&r2=916571&view=diff
==============================================================================
--- 
incubator/jspwiki/trunk/src/WebContent/templates/default/admin/tabs/Security.jsp
 (original)
+++ 
incubator/jspwiki/trunk/src/WebContent/templates/default/admin/tabs/Security.jsp
 Fri Feb 26 05:17:18 2010
@@ -23,208 +23,194 @@
 <%@ taglib uri="http://jakarta.apache.org/jspwiki.tld"; prefix="wiki" %>
 <%@ taglib uri="http://stripes.sourceforge.net/stripes.tld"; prefix="s" %>
 <%@ page import="org.apache.wiki.auth.SecurityVerifier" %>
-<%@ page errorPage="/Error.jsp" %>
-<s:layout-render name="${templates['layout/StaticLayout.jsp']}">
+<%@ page errorPage="${templates['Error.jsp']}" %>
+<h1>JSPWiki Security Configuration Verifier</h1>
 
-  <s:layout-component name="headTitle">
-    JSPWiki Security Configuration Verifier
-  </s:layout-component>
-
-  <s:layout-component name="pageTitle">
-    JSPWiki Security Configuration Verifier
-  </s:layout-component>
+<p>This page examines JSPWiki's security configuration and tries to determine 
if it is working the way it should. Although JSPWiki comes configured with some 
reasonable default configuration settings out of the box, it's not always 
obvious what settings to change if you need to customize the security... and 
sooner or later, just about everyone does.</p>
 
-  <s:layout-component name="content">
-    <h1>JSPWiki Security Configuration Verifier</h1>
-    
-    <p>This page examines JSPWiki's security configuration and tries to 
determine if it is working the way it should. Although JSPWiki comes configured 
with some reasonable default configuration settings out of the box, it's not 
always obvious what settings to change if you need to customize the security... 
and sooner or later, just about everyone does.</p>
-    
-    <p>This page is dynamically generated by JSPWiki. It examines the 
authentication, authorization and security policy settings. When we think 
something looks funny, we'll try to communicate what the issue might be, and 
will make recommendations on how to fix the problem.</p>
-    
-    <p><strong>Please delete this JSP when you are finished troubleshooting 
your system. 
-    This diagnostic data presented on this page do not represent a security 
risk
-    to your system <em>per se</em>, but they do provide a significant amount of
-    contextual information that could be useful to an attacker. This page is
-    currently unconstrained, which means that anyone can view it: nice people, 
mean people
-    and everyone in between. You have been warned.  You can turn it off by 
setting
-    <pre>
-      jspwiki-x.securityconfig.enable=false
-    </pre>
-    in your jspwiki.properties.
-    </strong></p>
-    
-    <!-- 
-      *********************************************
-      **** A U T H E N T I C A T I O N         ****
-      *********************************************
-    -->
-    <h2>Authentication Configuration</h2>
-    <!-- 
-      *********************************************
-      **** Container Authentication Verifier   ****
-      *********************************************
-    -->
-    <h3>Container-Managed Authentication</h3>
-    <c:choose>
-      <c:when 
test="${wikiEngine.authenticationManager.containerAuthenticated}">
-        <p>I see that you've configured container-managed authentication. Very 
nice.</p>
-      </c:when>
-      <c:otherwise>
-        <p>Container-managed authentication appears to be disabled, according 
to your <code>WEB-INF/web.xml</code> file.</p>
-      </c:otherwise>
-    </c:choose>
-        
-    <!-- 
-      *********************************************
-      **** JAAS Authentication Config Verifier ****
-      *********************************************
-    -->
-    <h3>JAAS Login Configuration</h3>
-    
-    <!-- Notify users which JAAS configs we need to find -->
-    <p>JSPWiki wires up its own JAAS to define the authentication process, and 
does not rely on the JRE configuration. By default, JSPWiki configures its JAAS 
login stack to use the UserDatabaseLoginModule. You can specify a custom login 
module by setting the <code>jspwiki.loginModule.class</code> property in 
<code>jspwiki.properties</code>.</p>
-    
-    <wiki:Messages div="information" 
topic='<%=SecurityVerifier.INFO+"java.security.auth.login.config"%>' 
prefix="Good news: " />
-    <wiki:Messages div="warning" 
topic='<%=SecurityVerifier.WARNING+"java.security.auth.login.config"%>' 
prefix="We found some potential problems with your configuration: " />
-    <wiki:Messages div="error" 
topic='<%=SecurityVerifier.ERROR+"java.security.auth.login.config"%>' 
prefix="We found some errors with your configuration: " />
-    
-    <!-- Print JAAS configuration status -->
-    <p>The JAAS login configuration is correctly configured if the 
<code>jspwiki.loginModule.class</code> property specifies
-    a class we can find on the classpath. This class must also be a 
LoginModule implementation. We will check for both conditions.</p>
-    
-    <wiki:Messages div="information" topic="<%=SecurityVerifier.INFO_JAAS%>" 
prefix="Good news: " />
-    <wiki:Messages div="warning" topic="<%=SecurityVerifier.WARNING_JAAS%>" 
prefix="We found some potential problems with your configuration: " />
-    <wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_JAAS%>" 
prefix="We found some errors with your configuration: " />
-    
-    <!-- 
-      *********************************************
-      **** A U T H O R I Z A T I O N           ****
-      *********************************************
-    -->
-    <h2>Authorization Configuration</h2>
-    
-    <!-- 
-      *********************************************
-      **** Container Authorization Verifier    ****
-      *********************************************
-    -->
-    <h3>Container-Managed Authorization</h3>
-    <c:choose>
-      <c:when 
test="${wikiEngine.authenticationManager.containerAuthenticated}">
-        <p>I see that you've configured container-managed authorization. Very 
nice.</p>
-        <p>Your <code>WEB-INF/web.xml</code> file defines the following 
roles:</p>
-        <ul>
-          <c:forEach var="role" 
items="${wikiActionBean.verifier.webContainerRoles}">
-            <li>${role.name}</li>
-          </c:forEach>
-        </ul>
-        <c:if test="${fn:length(wikiActionBean.verifier.webContainerRoles) == 
0}">
-          <div class="error">Your <code>WEB-INF/web.xml</code> file does not 
define any roles. This is an error.</div>
-        </c:if>
-      </c:when>
-      <c:otherwise>
-        <p>Container-managed authorization appears to be disabled, according 
to your <code>WEB-INF/web.xml</code> file.</p>
-      </c:otherwise>
-    </c:choose>
-    
-    <!-- 
-      *********************************************
-      **** Java Security Policy Verifier       ****
-      *********************************************
-    -->
-    <h3>Security Policy</h3>
-    <p>JSPWiki's authorizes user actions by consulting a standard Java 2 
security policy file. By default, JSPWiki installs its local security policy 
file at startup time. This policy file is independent of your global, JVM-wide 
security policy, if you have one. When checking for authorization, JSPWiki 
consults the global policy first, then the local policy.</p>
-    
-    <p>Let's validate the local security policy file. To do this, we parse
-    the security policy and examine each <code>grant</code> block. If we see
-    a <code>permission</code> entry that is signed, we verify that the 
certificate
-    alias exists in our keystore. The keystore itself must also exist in the 
file system.
-    And as an additional check, we will try to load each 
<code>Permission</code> class into memory to verify that JSPWiki's classloader 
can find them.</p>
-    
-    <wiki:Messages div="information" topic="<%=SecurityVerifier.INFO_POLICY%>" 
prefix="Good news: " />
-    <wiki:Messages div="warning" topic="<%=SecurityVerifier.WARNING_POLICY%>" 
prefix="We found some potential problems with your configuration: " />
-    <wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_POLICY%>" 
prefix="We found some errors with your configuration: " />
-    
-    <c:if test="${wikiActionBean.verifier.securityPolicyConfigured}">
-      <p>Note: JSPWiki's Policy file parser is stricter than the default 
parser that ships with the JVM. If you encounter parsing errors, make sure you 
have the correct comma and semicolon delimiters in your policy file 
<code>grant</code> entries. The <code>grant</code> blocks must follow this 
format:</p>
-      <blockquote>
-        <pre>grant signedBy "signer_names", codeBase "URL",
-      principal principal_class_name "principal_name",
-      principal principal_class_name "principal_name",
-      ... {
-      
-      permission permission_class_name "target_name", "action";
-      permission permission_class_name "target_name", "action";
-    };</pre>
-      </blockquote>
-    
-      <p>Note: JSPWiki versions prior to 2.4.6 accidentally omitted commas 
after the <code>signedBy</code> entries, so you should fix this if you are 
using a policy file based on a version earlier than 2.4.6.</p>
+<p>This page is dynamically generated by JSPWiki. It examines the 
authentication, authorization and security policy settings. When we think 
something looks funny, we'll try to communicate what the issue might be, and 
will make recommendations on how to fix the problem.</p>
+
+<p><strong>Please delete this JSP when you are finished troubleshooting your 
system. 
+This diagnostic data presented on this page do not represent a security risk
+to your system <em>per se</em>, but they do provide a significant amount of
+contextual information that could be useful to an attacker. This page is
+currently unconstrained, which means that anyone can view it: nice people, 
mean people
+and everyone in between. You have been warned.  You can turn it off by setting
+<pre>
+  jspwiki-x.securityconfig.enable=false
+</pre>
+in your jspwiki.properties.
+</strong></p>
+
+<!-- 
+  *********************************************
+  **** A U T H E N T I C A T I O N         ****
+  *********************************************
+-->
+<h2>Authentication Configuration</h2>
+<!-- 
+  *********************************************
+  **** Container Authentication Verifier   ****
+  *********************************************
+-->
+<h3>Container-Managed Authentication</h3>
+<c:choose>
+  <c:when test="${wikiEngine.authenticationManager.containerAuthenticated}">
+    <p>I see that you've configured container-managed authentication. Very 
nice.</p>
+  </c:when>
+  <c:otherwise>
+    <p>Container-managed authentication appears to be disabled, according to 
your <code>WEB-INF/web.xml</code> file.</p>
+  </c:otherwise>
+</c:choose>
+    
+<!-- 
+  *********************************************
+  **** JAAS Authentication Config Verifier ****
+  *********************************************
+-->
+<h3>JAAS Login Configuration</h3>
+
+<!-- Notify users which JAAS configs we need to find -->
+<p>JSPWiki wires up its own JAAS to define the authentication process, and 
does not rely on the JRE configuration. By default, JSPWiki configures its JAAS 
login stack to use the UserDatabaseLoginModule. You can specify a custom login 
module by setting the <code>jspwiki.loginModule.class</code> property in 
<code>jspwiki.properties</code>.</p>
+
+<wiki:Messages div="information" 
topic='<%=SecurityVerifier.INFO+"java.security.auth.login.config"%>' 
prefix="Good news: " />
+<wiki:Messages div="warning" 
topic='<%=SecurityVerifier.WARNING+"java.security.auth.login.config"%>' 
prefix="We found some potential problems with your configuration: " />
+<wiki:Messages div="error" 
topic='<%=SecurityVerifier.ERROR+"java.security.auth.login.config"%>' 
prefix="We found some errors with your configuration: " />
+
+<!-- Print JAAS configuration status -->
+<p>The JAAS login configuration is correctly configured if the 
<code>jspwiki.loginModule.class</code> property specifies
+a class we can find on the classpath. This class must also be a LoginModule 
implementation. We will check for both conditions.</p>
+
+<wiki:Messages div="information" topic="<%=SecurityVerifier.INFO_JAAS%>" 
prefix="Good news: " />
+<wiki:Messages div="warning" topic="<%=SecurityVerifier.WARNING_JAAS%>" 
prefix="We found some potential problems with your configuration: " />
+<wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_JAAS%>" prefix="We 
found some errors with your configuration: " />
+
+<!-- 
+  *********************************************
+  **** A U T H O R I Z A T I O N           ****
+  *********************************************
+-->
+<h2>Authorization Configuration</h2>
+
+<!-- 
+  *********************************************
+  **** Container Authorization Verifier    ****
+  *********************************************
+-->
+<h3>Container-Managed Authorization</h3>
+<c:choose>
+  <c:when test="${wikiEngine.authenticationManager.containerAuthenticated}">
+    <p>I see that you've configured container-managed authorization. Very 
nice.</p>
+    <p>Your <code>WEB-INF/web.xml</code> file defines the following roles:</p>
+    <ul>
+      <c:forEach var="role" 
items="${wikiActionBean.verifier.webContainerRoles}">
+        <li>${role.name}</li>
+      </c:forEach>
+    </ul>
+    <c:if test="${fn:length(wikiActionBean.verifier.webContainerRoles) == 0}">
+      <div class="error">Your <code>WEB-INF/web.xml</code> file does not 
define any roles. This is an error.</div>
     </c:if>
-    
-    <h2>Access Control Validation</h2>
-    
-    <h3>Security Policy Restrictions</h3>
-    
-    <p>Now comes the <em>really</em> fun part. Using the current security 
policy, we will test the PagePermissions each JSPWiki role possesses for a 
range of pages. The roles we will test include the standard JSPWiki roles 
(Authenticated, All, etc.) plus any others you may have listed in the security 
policy. In addition to the PagePermissions, we will also test the 
WikiPermissions. The results of these tests should tell you what behaviors you 
can expect based on your security policy file. If we had problems finding, 
parsing or verifying the policy file, these tests will likely fail.</p>
+  </c:when>
+  <c:otherwise>
+    <p>Container-managed authorization appears to be disabled, according to 
your <code>WEB-INF/web.xml</code> file.</p>
+  </c:otherwise>
+</c:choose>
+
+<!-- 
+  *********************************************
+  **** Java Security Policy Verifier       ****
+  *********************************************
+-->
+<h3>Security Policy</h3>
+<p>JSPWiki's authorizes user actions by consulting a standard Java 2 security 
policy file. By default, JSPWiki installs its local security policy file at 
startup time. This policy file is independent of your global, JVM-wide security 
policy, if you have one. When checking for authorization, JSPWiki consults the 
global policy first, then the local policy.</p>
+
+<p>Let's validate the local security policy file. To do this, we parse
+the security policy and examine each <code>grant</code> block. If we see
+a <code>permission</code> entry that is signed, we verify that the certificate
+alias exists in our keystore. The keystore itself must also exist in the file 
system.
+And as an additional check, we will try to load each <code>Permission</code> 
class into memory to verify that JSPWiki's classloader can find them.</p>
+
+<wiki:Messages div="information" topic="<%=SecurityVerifier.INFO_POLICY%>" 
prefix="Good news: " />
+<wiki:Messages div="warning" topic="<%=SecurityVerifier.WARNING_POLICY%>" 
prefix="We found some potential problems with your configuration: " />
+<wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_POLICY%>" 
prefix="We found some errors with your configuration: " />
+
+<c:if test="${wikiActionBean.verifier.securityPolicyConfigured}">
+  <p>Note: JSPWiki's Policy file parser is stricter than the default parser 
that ships with the JVM. If you encounter parsing errors, make sure you have 
the correct comma and semicolon delimiters in your policy file 
<code>grant</code> entries. The <code>grant</code> blocks must follow this 
format:</p>
+  <blockquote>
+    <pre>grant signedBy "signer_names", codeBase "URL",
+  principal principal_class_name "principal_name",
+  principal principal_class_name "principal_name",
+  ... {
+  
+  permission permission_class_name "target_name", "action";
+  permission permission_class_name "target_name", "action";
+};</pre>
+  </blockquote>
+
+  <p>Note: JSPWiki versions prior to 2.4.6 accidentally omitted commas after 
the <code>signedBy</code> entries, so you should fix this if you are using a 
policy file based on a version earlier than 2.4.6.</p>
+</c:if>
+
+<h2>Access Control Validation</h2>
+
+<h3>Security Policy Restrictions</h3>
 
-    <p>The colors in each cell show the results of the test. <font 
style="background-color: #c0ffc0;">&nbsp;Green&nbsp;</font> means success; 
<font style="background-color: #ffc0c0;">&nbsp;red&nbsp;</font> means failure. 
Hovering over a role name or individual cell will display more detailed 
information about the role or test.</p>
+<p>Now comes the <em>really</em> fun part. Using the current security policy, 
we will test the PagePermissions each JSPWiki role possesses for a range of 
pages. The roles we will test include the standard JSPWiki roles 
(Authenticated, All, etc.) plus any others you may have listed in the security 
policy. In addition to the PagePermissions, we will also test the 
WikiPermissions. The results of these tests should tell you what behaviors you 
can expect based on your security policy file. If we had problems finding, 
parsing or verifying the policy file, these tests will likely fail.</p>
 
-    ${wikiActionBean.verifier.policyRoleTable}
+<p>The colors in each cell show the results of the test. <font 
style="background-color: #c0ffc0;">&nbsp;Green&nbsp;</font> means success; 
<font style="background-color: #ffc0c0;">&nbsp;red&nbsp;</font> means failure. 
Hovering over a role name or individual cell will display more detailed 
information about the role or test.</p>
 
-    <div class="information">Important: these tests do not take into account 
any page-level access control lists. Page ACLs, if they exist, will contrain 
access further than what is shown in the table.
-      <c:if test="${wikiEngine.authenticationManager.containerAuthenticated}">
+${wikiActionBean.verifier.policyRoleTable}
+
+<div class="information">Important: these tests do not take into account any 
page-level access control lists. Page ACLs, if they exist, will contrain access 
further than what is shown in the table.
+  <c:if test="${wikiEngine.authenticationManager.containerAuthenticated}">
 In addition, because you are using container-managed security, constraints on 
user activities might be stricter than what is shown in this table. If the 
container requires that users accessing <code>Edit.jsp</code> possess the 
container role "Admin," for example, this will override an "edit" 
PagePermission granted to role "Authenticated." See below.
-      </c:if>
-    </div>
+  </c:if>
+</div>
 
-    <c:if test="${wikiEngine.authenticationManager.containerAuthenticated}">
-      <h3>Web Container Restrictions</h3>
+<c:if test="${wikiEngine.authenticationManager.containerAuthenticated}">
+  <h3>Web Container Restrictions</h3>
 
-      <p>Here is how your web container will control role-based access to some 
common JSPWiki actions and their assocated JSPs. These restrictions will be 
enforced even if your Java security policy is more permissive.</p>
-  
-      <p>The colors in each cell show the results of the test. <font 
style="background-color: #c0ffc0;">&nbsp;Green&nbsp;</font> means success; 
<font style="background-color: #ffc0c0;">&nbsp;red&nbsp;</font> means 
failure.</p>
-  
-      <!-- Print table showing role restrictions by JSP -->
-      ${wikiActionBean.verifier.containerRoleTable}
-  
-      <div class="information">Important: these tests do not take into account 
any page-level access control lists. Page ACLs, if they exist, will contrain 
access further than what is shown in the table.</div>
-  
-      <!-- Remind the admin their container needs to return the roles -->
-      <p>Note that your web container will allow access to these pages 
<em>only</em> if your container's authentication realm returns these roles:</p>
-      <ul>
-        <c:forEach var="role" 
items="${wikiActionBean.verifier.webContainerRoles}">
-          <li>${role.name}</li>
-        </c:forEach>
-      </ul>
-      <p>If your container's realm returns other role names, users won't be 
able to access the pages they should be allowed to see -- because the role 
names don't match. In that case, You should adjust the 
<code>&lt;role-name&gt;</code> entries in <code>web.xml</code> appropriately to 
match the role names returned by your container's authorization realm.</p>
-      
-      <p>Now we are going to compare the roles listed in your security policy 
with those from your <code>web.xml</code> file. The ones we care about are 
those that aren't built-in roles like "All", "Anonymous", "Authenticated" or 
"Asserted". If your policy shows roles other than these, we need to make sure 
your container knows about them, too. Container roles are defined in 
<code>web.xml</code> in blocks such as these:</p>
-      <blockquote><pre>&lt;security-role&gt;
-    &lt;description&gt;
-      This logical role includes all administrative users
-    &lt;/description&gt;
-    &lt;role-name&gt;Admin&lt;/role-name&gt;
-  &lt;/security-role&gt;</pre></blockquote>
-  
-      <wiki:Messages div="information" 
topic="<%=SecurityVerifier.INFO_ROLES%>" prefix="Good news: " />
-      <wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_ROLES%>" 
prefix="We found some errors with your configuration: " />
-    </c:if>
-    
-    <h2>User and Group Databases</h2>
-    
-    <h3>User Database Configuration</h3>
-    <p>The user database stores user profiles. It's pretty important that it 
functions properly. We will try to determine what your current UserDatabase 
implementation is, based on the current value of the 
<code>jspwiki.userdatabase</code> property in your 
<code>jspwiki.properties</code> file. In addition, once we establish that the 
UserDatabase has been initialized properly, we will try to add (then, delete) a 
random test user. If all of these things work they way they should, then you 
should have no problems with user self-registration.</p>
-    
-    <wiki:Messages div="information" topic="<%=SecurityVerifier.INFO_DB%>" 
prefix="Good news: " />
-    <wiki:Messages div="warning" topic="<%=SecurityVerifier.WARNING_DB%>" 
prefix="We found some potential problems with your configuration: " />
-    <wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_DB%>" 
prefix="We found some errors with your configuration: " />
-    
-    <h3>Group Database Configuration</h3>
-    <p>The group database stores wiki groups. It's pretty important that it 
functions properly. We will try to determine what your current GroupDatabase 
implementation is, based on the current value of the 
<code>jspwiki.groupdatabase</code> property in your 
<code>jspwiki.properties</code> file. In addition, once we establish that the 
GroupDatabase has been initialized properly, we will try to add (then, delete) 
a random test group. If all of these things work they way they should, then you 
should have no problems with wiki group creation and editing.</p>
-    
-    <wiki:Messages div="information" topic="<%=SecurityVerifier.INFO_GROUPS%>" 
prefix="Good news: " />
-    <wiki:Messages div="warning" topic="<%=SecurityVerifier.WARNING_GROUPS%>" 
prefix="We found some potential problems with your configuration: " />
-    <wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_GROUPS%>" 
prefix="We found some errors with your configuration: " />
-  </s:layout-component>
+  <p>Here is how your web container will control role-based access to some 
common JSPWiki actions and their assocated JSPs. These restrictions will be 
enforced even if your Java security policy is more permissive.</p>
+
+  <p>The colors in each cell show the results of the test. <font 
style="background-color: #c0ffc0;">&nbsp;Green&nbsp;</font> means success; 
<font style="background-color: #ffc0c0;">&nbsp;red&nbsp;</font> means 
failure.</p>
+
+  <!-- Print table showing role restrictions by JSP -->
+  ${wikiActionBean.verifier.containerRoleTable}
+
+  <div class="information">Important: these tests do not take into account any 
page-level access control lists. Page ACLs, if they exist, will contrain access 
further than what is shown in the table.</div>
+
+  <!-- Remind the admin their container needs to return the roles -->
+  <p>Note that your web container will allow access to these pages 
<em>only</em> if your container's authentication realm returns these roles:</p>
+  <ul>
+    <c:forEach var="role" items="${wikiActionBean.verifier.webContainerRoles}">
+      <li>${role.name}</li>
+    </c:forEach>
+  </ul>
+  <p>If your container's realm returns other role names, users won't be able 
to access the pages they should be allowed to see -- because the role names 
don't match. In that case, You should adjust the <code>&lt;role-name&gt;</code> 
entries in <code>web.xml</code> appropriately to match the role names returned 
by your container's authorization realm.</p>
   
-</s:layout-render>
+  <p>Now we are going to compare the roles listed in your security policy with 
those from your <code>web.xml</code> file. The ones we care about are those 
that aren't built-in roles like "All", "Anonymous", "Authenticated" or 
"Asserted". If your policy shows roles other than these, we need to make sure 
your container knows about them, too. Container roles are defined in 
<code>web.xml</code> in blocks such as these:</p>
+  <blockquote><pre>&lt;security-role&gt;
+&lt;description&gt;
+  This logical role includes all administrative users
+&lt;/description&gt;
+&lt;role-name&gt;Admin&lt;/role-name&gt;
+&lt;/security-role&gt;</pre></blockquote>
+
+  <wiki:Messages div="information" topic="<%=SecurityVerifier.INFO_ROLES%>" 
prefix="Good news: " />
+  <wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_ROLES%>" 
prefix="We found some errors with your configuration: " />
+</c:if>
+
+<h2>User and Group Databases</h2>
+
+<h3>User Database Configuration</h3>
+<p>The user database stores user profiles. It's pretty important that it 
functions properly. We will try to determine what your current UserDatabase 
implementation is, based on the current value of the 
<code>jspwiki.userdatabase</code> property in your 
<code>jspwiki.properties</code> file. In addition, once we establish that the 
UserDatabase has been initialized properly, we will try to add (then, delete) a 
random test user. If all of these things work they way they should, then you 
should have no problems with user self-registration.</p>
+
+<wiki:Messages div="information" topic="<%=SecurityVerifier.INFO_DB%>" 
prefix="Good news: " />
+<wiki:Messages div="warning" topic="<%=SecurityVerifier.WARNING_DB%>" 
prefix="We found some potential problems with your configuration: " />
+<wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_DB%>" prefix="We 
found some errors with your configuration: " />
+
+<h3>Group Database Configuration</h3>
+<p>The group database stores wiki groups. It's pretty important that it 
functions properly. We will try to determine what your current GroupDatabase 
implementation is, based on the current value of the 
<code>jspwiki.groupdatabase</code> property in your 
<code>jspwiki.properties</code> file. In addition, once we establish that the 
GroupDatabase has been initialized properly, we will try to add (then, delete) 
a random test group. If all of these things work they way they should, then you 
should have no problems with wiki group creation and editing.</p>
+
+<wiki:Messages div="information" topic="<%=SecurityVerifier.INFO_GROUPS%>" 
prefix="Good news: " />
+<wiki:Messages div="warning" topic="<%=SecurityVerifier.WARNING_GROUPS%>" 
prefix="We found some potential problems with your configuration: " />
+<wiki:Messages div="error" topic="<%=SecurityVerifier.ERROR_GROUPS%>" 
prefix="We found some errors with your configuration: " />
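Review bot: The bold warning kept near the top of the new fragment still says "Please delete this JSP" and "This page is currently unconstrained", which no longer matches a file that Admin.jsp includes as its Security tab. Deleting it would now break the admin page, and an administrator can no longer tell from the text who is actually able to see this output. With the `s:layout-render` wrapper removed, the file is a bare fragment under `templates/default/admin/tabs/`, and whether it can still be requested directly, bypassing Admin.jsp, depends on container configuration not shown in this diff. The warning should state the real access rule once that is confirmed, and the fragment should carry a header comment such as `<%-- Fragment: rendered only via Admin.jsp; exposes security configuration details, do not serve directly --%>`. Separately, both `<li>${role.name}</li>` loops emit the role name unescaped; `<c:out value="${role.name}" />` would be safer even though the names come from `web.xml`.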

Modified: 
incubator/jspwiki/trunk/src/WebContent/templates/default/admin/tabs/Users.jsp
URL: 
http://svn.apache.org/viewvc/incubator/jspwiki/trunk/src/WebContent/templates/default/admin/tabs/Users.jsp?rev=916571&r1=916570&r2=916571&view=diff
==============================================================================
--- 
incubator/jspwiki/trunk/src/WebContent/templates/default/admin/tabs/Users.jsp 
(original)
+++ 
incubator/jspwiki/trunk/src/WebContent/templates/default/admin/tabs/Users.jsp 
Fri Feb 26 05:17:18 2010
@@ -18,126 +18,43 @@
     specific language governing permissions and limitations
     under the License.  
 --%>
-<%@ page import="java.util.*" %>
-<%@ page import="org.apache.wiki.*" %>
-<%@ page import="org.apache.wiki.rpc.json.*" %>
-<%@ page import="org.apache.wiki.ui.admin.*" %>
-<%@ page errorPage="/Error.jsp" %>
-<%@ taglib uri="http://jakarta.apache.org/jspwiki.tld"; prefix="wiki" %>
-<%@ taglib uri="http://java.sun.com/jsp/jstl/fmt"; prefix="fmt" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core"; prefix="c" %>
+<%@ taglib uri="http://java.sun.com/jsp/jstl/fmt"; prefix="fmt" %>
+<%@ taglib uri="http://jakarta.apache.org/jspwiki.tld"; prefix="wiki" %>
 <%@ taglib uri="http://stripes.sourceforge.net/stripes.tld"; prefix="s" %>
-<script>
-function constructdate(date)
-{
-  var d = new Date();
-  d.setTime(date.time);
-  return d;
-}
-
-function refreshUserInfo()
-{
-   var userid = $('userid').getValue();
-
-   if( userid == '--New--' ) return;
-
-   Wiki.jsonrpc("users.getUserInfo", [userid], function(userprofile){
-      $('loginname').value = userprofile.loginName;
-      $('loginid').value = userprofile.loginName;
-      $('fullname').value = userprofile.fullname;
-      $('email').value = userprofile.email;
-      $('lastmodified').setHTML(constructdate(userprofile.lastModified));
-      $('creationdate').setHTML(constructdate(userprofile.created));
-   });
-}
-
-function addNew()
-{
-  $('loginid').value = "--New--";
-  $('loginname').value = "--New--";
-  $('fullname').value = "Undefined";
-  $('email').value = "";
-  $('lastmodified').innerHTML = "";
-  $('creationdate').innerHTML = "";
- 
-  var idlist=$('userid');
-  var len = idlist.options.length;
-  idlist.options[len] = new Option('--New--','--New--');
-  idlist.selectedIndex = len;
-}
-</script>
+<%@ page errorPage="${templates['Error.jsp']}" %>
 <div>
-   <p>
-   This is a list of user accounts that exist in this system.
-   </p>
-   <p><wiki:Messages/></p>
-   <div id="userlist">
-      <select name="userid" id="userid" size="16" 
onchange="javascript:refreshUserInfo()">
-         <c:forEach var="user" 
items="${engine.userManager.userDatabase.wikiNames}">
-           <option value="${user.name}"><c:out value="${user.name}" 
escapeXml="true"/></option>
-         </c:forEach>
-      </select>
-   </div>
-   <div id="useredit">
-   <form action="<wiki:Link jsp='admin/Admin.jsp' format='url'><wiki:Param 
name='tab-admin' value='users'/></wiki:Link>" 
-       class="wikiform"
-          id="adminuserform" 
-    onsubmit="return Wiki.submitOnce(this);"
-      method="post" accept-charset="<wiki:ContentEncoding/>"
-     enctype="application/x-www-form-urlencoded" >
-     <input type="hidden" name='bean' 
value='org.apache.wiki.ui.admin.beans.UserBean'/>
-     <input type="hidden" id="loginid" name="loginid" value="" />
-     <table>
-     <tr>
-       <td><label for="loginname">Login name</label></td>
-       <td>
-           <input type="text" name="loginname" id="loginname" size="20" 
value="" />
-       </td>
-     </tr>
-     <tr>
-       <td><label for="password">Password </label></td>
-       <td>
-          <input type="password" name="password" id="password" size="20" 
value="" />
-       </td>
-     </tr>
-     <tr>
-       <td><label for="password2">Confirm password</label></td>
-       <td>
-         <input type="password" name="password2" id="password2" size="20" 
value="" />
-       </td>
-     </tr>
-     <tr>
-       <td><label for="fullname">Full name</label></td>
-       <td>
-         <input type="text" name="fullname" id="fullname" size="20" value="" />
-       </td>
-     </tr>
-     <tr>
-       <td><label for="email">Email</label></td>
-       <td>
-         <input type="text" name="email" id="email" size="20" value="" />
-       </td>
-     </tr>
-
-     <tr class="additinfo">
-       <td><label>Creation date</label></td>
-       <td class="formvalue" id="creationdate">
-       </td>
-     </tr>
-     <tr class="additinfo">
-       <td><label>Last modified</label></td>
-       <td class="formvalue" id="lastmodified">
-       </td>
-     </tr>
-
-     <tr>
-        <td><input type="submit" name="action" value="Save" /></td>
-     </tr>
-
-     </table>
-   <div id="useractions">
-     <input type="submit" name="action" value="Remove" onclick="return( 
confirm('Are you sure you wish to remove this user?') && Wiki.submitOnce(this) 
);" />      <input type="button" value="Add" onclick="javascript:addNew()" />
-   </div>
-   </form>
-   </div>
+  <p>
+    This is a list of user accounts that exist in this system.
+  </p>
+  <div id="useredit">
+    <s:form beanclass="org.apache.wiki.action.AdministerProfilesActionBean"
+      class="wikiform" id="adminuserform" acceptcharset="UTF-8">
+      <p><s:messages/></p>
+      <table>
+        <thead>
+          <tr>
+            <th><s:label for="profile.loginName" /></th>
+            <th><s:label for="profile.fullname" /></th>
+            <th><s:label for="profile.password" /></th>
+            <th><s:label for="passwordAgain" /></th>
+            <th><s:label for="profile.email" name="email" /></th>
+            <td><label><fmt:message key="prefs.creationdate" /></label></td>
+            <td><label><fmt:message key="prefs.profile.lastmodified" 
/></label></td>
+          </tr>
+        </thead>
+        <c:forEach var="user" items="${wikiActionBean.users}">
+          <tr>
+            <td><s:text name="loginName" id="loginName" size="20" 
value="${user.loginName}" /></td>
+            <td><s:password name="password" id="password" size="20" value="" 
/></td>
+            <td></td>
+            <td><s:text name="fullname" id="fullname" size="20" 
value="${user.Fullname}" /></td>
+            <td><s:text name="email" id="email" size="20" 
value="${user.email}" /></td>
+            <td>${user.created}</td>
+            <td>${user.lastModified}</td>
+          </tr>
+        </c:forEach>
+      </table>
+    </s:form>
+  </div>
 </div>
\ No newline at end of file
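Review bot: The cells inside the `c:forEach` do not match the header row, and one of them will probably not resolve. The header order is login name, full name, password, password again, e-mail, but each row emits login name, password, an empty cell, full name, e-mail. `${user.Fullname}` is capitalised although the bean code in this commit calls `getFullname()`, so the property should be written `${user.fullname}`. Every row also reuses the same field names and ids (`loginName`, `password`, `fullname`, `email`), so a submitted form cannot tell one user's values from another's. If the action bean is meant to bind to its `users` list, the loop needs `varStatus="status"` and indexed names such as `name="users[${status.index}].loginName"`.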

Modified: incubator/jspwiki/trunk/src/java/org/apache/wiki/Release.java
URL: 
http://svn.apache.org/viewvc/incubator/jspwiki/trunk/src/java/org/apache/wiki/Release.java?rev=916571&r1=916570&r2=916571&view=diff
==============================================================================
--- incubator/jspwiki/trunk/src/java/org/apache/wiki/Release.java (original)
+++ incubator/jspwiki/trunk/src/java/org/apache/wiki/Release.java Fri Feb 26 
05:17:18 2010
@@ -77,7 +77,7 @@
      *  <p>
      *  If the build identifier is empty, it is not added.
      */
-    public static final String     BUILD         = "208";
+    public static final String     BUILD         = "209";
 
     /**
      *  This is the generic version string you should use

Modified: 
incubator/jspwiki/trunk/src/java/org/apache/wiki/action/AdminActionBean.java
URL: 
http://svn.apache.org/viewvc/incubator/jspwiki/trunk/src/java/org/apache/wiki/action/AdminActionBean.java?rev=916571&r1=916570&r2=916571&view=diff
==============================================================================
--- 
incubator/jspwiki/trunk/src/java/org/apache/wiki/action/AdminActionBean.java 
(original)
+++ 
incubator/jspwiki/trunk/src/java/org/apache/wiki/action/AdminActionBean.java 
Fri Feb 26 05:17:18 2010
@@ -9,7 +9,9 @@
 
 import org.apache.wiki.WikiEngine;
 import org.apache.wiki.auth.SecurityVerifier;
+import org.apache.wiki.auth.permissions.AllPermission;
 import org.apache.wiki.ui.admin.AdminBean;
+import org.apache.wiki.ui.stripes.HandlerPermission;
 import org.apache.wiki.ui.stripes.TemplateResolution;
 import org.apache.wiki.util.TextUtil;
 
@@ -32,6 +34,7 @@
      * @return the resolution
      */
     @HandlesEvent( "security" )
+    @HandlerPermission( permissionClass = AllPermission.class, target = "*" )
     public Resolution security()
     {
         WikiEngine engine = getContext().getEngine();
@@ -93,13 +96,15 @@
     }
 
     /**
-     * If the admin UI is enabled, forwards the user to {...@code 
/admin/Admin.jsp}
-     * .
+     * If the admin UI is enabled, this method executes
+     * {...@link AdminBean#doPost(org.apache.wiki.WikiContext)} for the current
+     * AdminBean and forwards the user to the template JSP {...@code 
/admin/Admin.jsp}.
      * 
      * @return the resolution
      */
     @DefaultHandler
     @HandlesEvent( "view" )
+    @HandlerPermission( permissionClass = AllPermission.class, target = "*" )
     public Resolution view()
     {
         if( !isAdminUiEnabled() )
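Review bot: The rewritten Javadoc on `view()` says the method executes `AdminBean#doPost(...)` for the current AdminBean, but nothing visible in `view()` does that. The next hunk removes `admin()` along with its `m_bean.doPost( getContext() );` call, and `view()` there ends directly in `return new TemplateResolution( "admin/Admin.jsp" ).addParameter( "tab", "security" );`. Either move the `doPost` call into `view()` before the return, or reduce the comment to what the method does, for example `If the admin UI is enabled, forwards the user to the security tab of the template JSP admin/Admin.jsp.` The body of `view()` runs past the end of this hunk.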
@@ -112,30 +117,6 @@
                 }
             };
         }
-        return new ForwardResolution( "/admin/Admin.jsp" );
-    }
-
-    /**
-     * If the admin UI is enabled, this method executes
-     * {...@link AdminBean#doPost(org.apache.wiki.WikiContext)} for the current
-     * AdminBean and forwards the user to {...@code /admin/Admin.jsp}.
-     * 
-     * @return the resolution
-     */
-    @HandlesEvent( "admin" )
-    public Resolution admin()
-    {
-        if( !isAdminUiEnabled() )
-        {
-            return new StreamingResolution( "text/html" ) {
-                public void stream( HttpServletResponse response ) throws 
Exception
-                {
-                    PrintWriter out = response.getWriter();
-                    out.print( "<html><body><p>Admin UI is 
disabled.</p></body></html>" );
-                }
-            };
-        }
-        m_bean.doPost( getContext() );
-        return new TemplateResolution( "admin/Admin.jsp" ).addParameter( 
"tab", "admin" );
+        return new TemplateResolution( "admin/Admin.jsp" ).addParameter( 
"tab", "security" );
     }
 }

Modified: 
incubator/jspwiki/trunk/src/java/org/apache/wiki/action/AdministerProfilesActionBean.java
URL: 
http://svn.apache.org/viewvc/incubator/jspwiki/trunk/src/java/org/apache/wiki/action/AdministerProfilesActionBean.java?rev=916571&r1=916570&r2=916571&view=diff
==============================================================================
--- 
incubator/jspwiki/trunk/src/java/org/apache/wiki/action/AdministerProfilesActionBean.java
 (original)
+++ 
incubator/jspwiki/trunk/src/java/org/apache/wiki/action/AdministerProfilesActionBean.java
 Fri Feb 26 05:17:18 2010
@@ -21,34 +21,40 @@
 
 package org.apache.wiki.action;
 
+import java.security.Principal;
+import java.util.ArrayList;
 import java.util.List;
 
-import org.apache.wiki.auth.NoSuchPrincipalException;
-import org.apache.wiki.auth.WikiSecurityException;
-import org.apache.wiki.auth.user.UserDatabase;
-import org.apache.wiki.auth.user.UserProfile;
-import org.apache.wiki.ui.stripes.WikiRequestContext;
-
 import net.sourceforge.stripes.action.*;
 import net.sourceforge.stripes.validation.EmailTypeConverter;
 import net.sourceforge.stripes.validation.Validate;
 import net.sourceforge.stripes.validation.ValidateNestedProperties;
 
+import org.apache.wiki.auth.NoSuchPrincipalException;
+import org.apache.wiki.auth.WikiSecurityException;
+import org.apache.wiki.auth.permissions.AllPermission;
+import org.apache.wiki.auth.user.UserDatabase;
+import org.apache.wiki.auth.user.UserProfile;
+import org.apache.wiki.log.Logger;
+import org.apache.wiki.log.LoggerFactory;
+import org.apache.wiki.ui.stripes.HandlerPermission;
+import org.apache.wiki.ui.stripes.TemplateResolution;
+import org.apache.wiki.ui.stripes.WikiRequestContext;
 
 /**
  * Manages the administration of UserProfiles, from the Administer Profiles
  * page. Receives a List of UserProfiles, which may include a new profile, and
  * persists the changes. Also receives an Array of Strings (login names) for
  * UserProfiles that are to be deleted, and deletes them.
- * 
  */
-...@urlbinding( "/AdministerProfiles.jsp" )
+...@urlbinding( "/admin/Users.jsp" )
 public class AdministerProfilesActionBean extends AbstractActionBean
 {
+    private static Logger log = LoggerFactory.getLogger( 
AdministerProfilesActionBean.class );
 
     private String[] m_deleteLoginNames;
 
-    private List<UserProfile> m_profiles;
+    private List<UserProfile> m_users;
 
     @ValidateNestedProperties( { @Validate( field = "loginName", required = 
true, minlength = 3, maxlength = 50 ),
                                 @Validate( field = "password", required = 
true, minlength = 6, maxlength = 128 ),
@@ -65,32 +71,31 @@
         m_deleteLoginNames = deleteLoginNames;
     }
 
-    public List<UserProfile> getUserProfiles()
+    public List<UserProfile> getUsers()
     {
-        return m_profiles;
+        return m_users;
     }
 
-    public void setUserProfiles( List<UserProfile> profiles )
+    public void setUsers( List<UserProfile> profiles )
     {
-        this.m_profiles = profiles;
+        this.m_users = profiles;
     }
 
-    @DefaultHandler
     @HandlesEvent( "save" )
-    @WikiRequestContext("adminProfiles")
+    @WikiRequestContext( "adminProfiles" )
     public Resolution saveChanges() throws WikiSecurityException
     {
         UserDatabase db = 
super.getContext().getEngine().getUserManager().getUserDatabase();
 
         // Apply any changes to existing profiles (and create new ones)
-        for( UserProfile profile : m_profiles )
+        for( UserProfile users : m_users )
         {
 
             // Look up profile; create new if not found
             UserProfile existingProfile;
             try
             {
-                existingProfile = db.findByLoginName( profile.getLoginName() );
+                existingProfile = db.findByLoginName( users.getLoginName() );
             }
             catch( NoSuchPrincipalException e )
             {
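Review bot: `saveChanges()` is left without a `@HandlerPermission`, while this commit adds `@HandlerPermission( permissionClass = AllPermission.class, target = "*" )` to `view()` in this class and to both handlers in AdminActionBean. Removing `@DefaultHandler` does not make the `save` event unreachable, and this handler writes login names, e-mail addresses and passwords to the UserDatabase. It should carry the same annotation unless something outside this diff already restricts the URL, which cannot be confirmed from here. Separately, the loop variable `users` holds a single profile, so `user` would read more clearly. The method body continues beyond this hunk.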
@@ -98,12 +103,12 @@
             }
 
             // Make changes to things that have changed
-            existingProfile.setLoginName( profile.getLoginName() );
-            existingProfile.setFullname( profile.getFullname() );
-            existingProfile.setEmail( profile.getEmail() );
-            if( profile.getPassword() != null && 
profile.getPassword().length() > 0 )
+            existingProfile.setLoginName( users.getLoginName() );
+            existingProfile.setFullname( users.getFullname() );
+            existingProfile.setEmail( users.getEmail() );
+            if( users.getPassword() != null && users.getPassword().length() > 
0 )
             {
-                existingProfile.setPassword( profile.getPassword() );
+                existingProfile.setPassword( users.getPassword() );
             }
             db.save( existingProfile );
         }
@@ -123,7 +128,41 @@
                 }
             }
         }
+        return new TemplateResolution( "admin/Admin.jsp").addParameter( "tab", 
"users" );
+    }
 
-        return new RedirectResolution( AdministerProfilesActionBean.class );
+    /**
+     * Retrieves the active set of users, then returns a TemplateResolution to
+     * the display JSP {...@code admin/Admin.jsp}, the {...@code users} tab.
+     * 
+     * @return the resolution
+     */
+    @DefaultHandler
+    @DontValidate
+    @HandlesEvent( "view" )
+    @HandlerPermission( permissionClass = AllPermission.class, target = "*" )
+    public Resolution view() throws WikiSecurityException
+    {
+        // Populate the user list
+        UserDatabase db = 
getContext().getEngine().getUserManager().getUserDatabase();
+        Principal[] wikiNames = db.getWikiNames();
+        m_users = new ArrayList<UserProfile>();
+        for ( Principal wikiName : wikiNames )
+        {
+            try
+            {
+                UserProfile user = db.findByWikiName( wikiName.getName() );
+                m_users.add( user );
+            }
+            catch ( NoSuchPrincipalException e )
+            {
+                // Should not happen
+                log.error( "Could not find user with wikiName = "
+                           + wikiName.getName() + ". Is the database 
corrupted? " );
+            }
+        }
+        
+        // Forward to the template JSP
+        return new TemplateResolution( "admin/Admin.jsp").addParameter( "tab", 
"users" );
     }
 }
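Review bot: `saveChanges()` now ends in `return new TemplateResolution( "admin/Admin.jsp").addParameter( "tab", "users" );` instead of the former `RedirectResolution`, so the page is rendered as the direct response to the save POST. A browser reload then re-submits the profile and password changes, and `m_users` still holds the submitted list rather than the one `view()` would load from the database. Keeping `return new RedirectResolution( AdministerProfilesActionBean.class );` preserves post/redirect/get and sends the admin through `view()`, which repopulates the list. In `view()`, the catch block logs only a message; if the project's `Logger` has an overload that accepts a Throwable, passing `e` would keep the cause in the log.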

