[ https://issues.apache.org/jira/browse/JSPWIKI-473?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12666039#action_12666039 ]

Andrew Jaquith commented on JSPWIKI-473:
----------------------------------------

Looking a bit into the code, in 2.8, it turns out that the code that looks for 
container roles moved to WebContainerLoginModule. It calls isUserInRole( 
HttpServletRequest, Principal ), and not the WikiSession version. That explains 
why your roles aren't being added to the user's Principal list. Thus, in the 
short term, you need to implement WebAuthorizer in order to make your 
Authorizer work.

That said, I recognize that the technique we use in 2.8 is causing your custom 
Authorizer to fail, and as such I'd have to call it a bug. Implementing 
Authorizer should have been sufficient, you should not have to implement 
WebAuthorizer.

We would have caught this if we had a unit test for custom authorizers, but we 
don't. I will fix this -- both the bug, and the lack of tests for custom 
authorizers -- in the next maintenance release of 2.8. I hope to have the fix 
in the 2.8 trunk within the next week or two.

> Authorizers not consulted at login
> ----------------------------------
>
>                 Key: JSPWIKI-473
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-473
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Authentication&Authorization
>    Affects Versions: 2.8, 2.8.1
>         Environment: All
>            Reporter: Andrew Jaquith
>             Fix For: 2.8.2, 3.0
>
>
> From the jspwiki-dev list:
> Steve Dahl wrote:
> Under JSPWiki 2.6.4, we've replaced WebContainerAuthorizer with an 
> LDAPAuthorizer which implements JSPWiki roles in terms of LDAP groups.
> When I compile this for JSPWiki 2.8.0, and modify the jspwiki.properties file 
> to use it, our custom LDAPAuthorizer gets initialized, and is sent 
> findRole(), but it never seems to get sent isUserInRole().
> If it's useful information, LDAPAuthorizer implements Authorizer (not 
> WebAuthorizer), and it implements isUserInRole() with this signature:
> public boolean isUserInRole( WikiSession session, Principal role )
> Is there anything that has changed in Authorizers between 2.6.4 and 2.8.0 
> that might explain this?
> Looking deeper, it seems that in JSPWiki 2.6.X, WikiSession implemented 
> injectRolePrincipals(), which initialized the session with whatever groups 
> and roles the user belongs to. Groups are read from the group database, and 
> Roles are read from the Authorizer.
> In JSPWiki 2.8.X, injectRolePrincipals() has been replaced by 
> injectGroupPrincipals(), which reads groups from the group database but 
> doesn't use the Authorizer. What is the Authorizer used for now?
> As a side note, I originally implemented LDAPAuthorizer as LDAPGroupDatabase. 
> I ended up rejecting this approach because GroupManager assumes that the 
> members of a Group can be read once when the Wiki is started, and that the 
> Group's membership will only be modified by the Wiki. The problem with LDAP 
> is that the group membership can be modified from outside, and the only way 
> to update the wiki would be to manually restart it. The Authorizer was a 
> better solution for our purposes, because if a user was added to the LDAP 
> group, the Authorizer would reflect that change as soon as the user logged 
> out and back in. Restarting the wiki is not necessary.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
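The short-term workaround described in the comment above (implement WebAuthorizer so that WebContainerLoginModule's call to isUserInRole( HttpServletRequest, Principal ) reaches your code) looks roughly like the following. This is an added example, not code from JSPWiki or from Steve Dahl's LDAPAuthorizer. It assumes the JSPWiki 2.8 interfaces Authorizer, WebAuthorizer and the Role class as described in the thread; the package name com.example.wiki.auth, the property names ldap.url, ldap.groupBase, ldap.roleGroupPrefix and ldap.roles, and the posixGroup/memberUid LDAP schema are all assumptions for the sake of the example. Both isUserInRole signatures route through one live LDAP lookup, so group changes show up at the next login without restarting the wiki, and the user-supplied values are escaped per RFC 4515 before they enter the search filter.

```java
package com.example.wiki.auth; // hypothetical package, not part of JSPWiki

import java.security.Principal;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.Properties;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.servlet.http.HttpServletRequest;

import com.ecyrd.jspwiki.WikiEngine;
import com.ecyrd.jspwiki.WikiSession;
import com.ecyrd.jspwiki.auth.WebAuthorizer;
import com.ecyrd.jspwiki.auth.WikiSecurityException;
import com.ecyrd.jspwiki.auth.authorize.Role;

/**
 * Maps LDAP groups to JSPWiki roles. In 2.8 WebContainerLoginModule calls the
 * HttpServletRequest variant of isUserInRole, so a plain Authorizer is never
 * asked; implementing WebAuthorizer (which extends Authorizer) covers both paths.
 */
public class LdapRoleAuthorizer implements WebAuthorizer {

    // Property names are assumed for this example; they are not JSPWiki properties.
    private static final String PROP_URL    = "ldap.url";             // e.g. ldap://ldap.example.com:389
    private static final String PROP_BASE   = "ldap.groupBase";       // e.g. ou=groups,dc=example,dc=com
    private static final String PROP_PREFIX = "ldap.roleGroupPrefix"; // e.g. "wiki-" -> role Editor is group wiki-Editor
    private static final String PROP_ROLES  = "ldap.roles";           // comma-separated role names to expose

    private String url;
    private String groupBase;
    private String groupPrefix;
    private Role[] roles;

    public void initialize(WikiEngine engine, Properties props) throws WikiSecurityException {
        url = props.getProperty(PROP_URL);
        groupBase = props.getProperty(PROP_BASE);
        groupPrefix = props.getProperty(PROP_PREFIX, "");
        if (url == null || groupBase == null) {
            throw new WikiSecurityException(PROP_URL + " and " + PROP_BASE + " must be set");
        }
        List<Role> list = new ArrayList<Role>();
        for (String name : props.getProperty(PROP_ROLES, "").split(",")) {
            if (name.trim().length() > 0) list.add(new Role(name.trim()));
        }
        roles = list.toArray(new Role[list.size()]);
    }

    public Principal[] getRoles() { return roles.clone(); }

    public Principal findRole(String role) {
        for (Role r : roles) if (r.getName().equals(role)) return r;
        return null;
    }

    /** Authorizer signature: the one 2.6's injectRolePrincipals() used. */
    public boolean isUserInRole(WikiSession session, Principal role) {
        Principal login = (session == null) ? null : session.getLoginPrincipal();
        return login != null && userHasRole(login.getName(), role);
    }

    /** WebAuthorizer signature: the one 2.8's WebContainerLoginModule actually calls. */
    public boolean isUserInRole(HttpServletRequest request, Principal role) {
        Principal user = (request == null) ? null : request.getUserPrincipal();
        return user != null && userHasRole(user.getName(), role);
    }

    /** Live lookup: is uid a memberUid of the posixGroup that backs this role? */
    private boolean userHasRole(String uid, Principal role) {
        if (role == null || findRole(role.getName()) == null) return false;
        String filter = "(&(objectClass=posixGroup)(cn=" + escapeFilter(groupPrefix + role.getName())
                + ")(memberUid=" + escapeFilter(uid) + "))";
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // Anonymous bind for brevity; a real deployment would add SECURITY_PRINCIPAL/CREDENTIALS and ldaps.
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { "cn" });
            NamingEnumeration<SearchResult> results = ctx.search(groupBase, filter, sc);
            boolean member = results.hasMore();
            results.close();
            return member;
        } catch (NamingException e) {
            return false; // fail closed: an unreachable directory grants no roles
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
    }

    /** RFC 4515 escaping so a uid like "*)(uid=*" cannot rewrite the filter. */
    private static String escapeFilter(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Wire it in with jspwiki.authorizer = com.example.wiki.auth.LdapRoleAuthorizer (the property name is the one the thread refers to when it says jspwiki.properties was modified to use the custom class). Once the bug Andrew describes is fixed, the WikiSession signature alone should again be enough, but keeping both methods delegating to the same lookup costs nothing and protects against the two paths drifting apart.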