[
https://issues.apache.org/jira/browse/JSPWIKI-473?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12680043#action_12680043
]
Steve Dahl commented on JSPWIKI-473:
------------------------------------
Sorry for the delay.
I don't understand how much of this is my own unfamiliarity with compiling
JSPWiki from source and how much is a real problem in the code, but things seem
to have gotten worse. I downloaded the sources from:
http://svn.eu.apache.org/repos/asf/incubator/jspwiki/branches/JSPWIKI_2_8_BRANCH
...and the ChangeLog file in my download says that the version is 2.8.2-svn-9.
When I build and install this, it *seems* to disable all access controls. I
have one page whose ACL reads:
[{ALLOW modify TechD}]
[{ALLOW view Authenticated}]
[{ALLOW rename TechD}]
But when I visit this page without logging in, I am allowed to view it and edit
it. If I log in as a user that does not belong to the TechD role, I am also
allowed to view and edit it.
> Authorizers not consulted at login
> ----------------------------------
>
> Key: JSPWIKI-473
> URL: https://issues.apache.org/jira/browse/JSPWIKI-473
> Project: JSPWiki
> Issue Type: Bug
> Components: Authentication&Authorization
> Affects Versions: 2.8, 2.8.1
> Environment: All
> Reporter: Andrew Jaquith
> Fix For: 2.8.2, 3.0
>
> Original Estimate: 0h
> Remaining Estimate: 0h
>
> From the jspwiki-dev list:
> Steve Dahl wrote:
> Under JSPWiki 2.6.4, we've replaced WebContainerAuthorizer with an
> LDAPAuthorizer which implements JSPWiki roles in terms of LDAP groups.
> When I compile this for JSPWiki 2.8.0, and modify the jspwiki.properties file
> to use it, our custom LDAPAuthorizer gets initialized, and is sent
> findRole(), but it never seems to get sent isUserInRole().
> If it's useful information, LDAPAuthorizer implements Authorizer (not
> WebAuthorizer), and it implements isUserInRole() with this signature:
> public boolean isUserInRole( WikiSession session, Principal role )
> Is there anything that has changed in Authorizers between 2.6.4 and 2.8.0
> that might explain this?
> Looking deeper, it seems that in JSPWiki 2.6.X, WikiSession implemented
> injectRolePrincipals(), which initialized the session with whatever groups
> and roles the user belongs to. Groups are read from the group database, and
> Roles are read from the Authorizer.
> In JSPWiki 2.8.X, injectRolePrincipals() has been replaced by
> injectGroupPrincipals(), which reads groups from the group database but
> doesn't use the Authorizer. What is the Authorizer used for now?
> As a side note, I originally implemented LDAPAuthorizer as LDAPGroupDatabase.
> I ended up rejecting this approach because GroupManager assumes that the
> members of a Group can be read once when the Wiki is started, and that the
> Group's membership will only be modified by the Wiki. The problem with LDAP
> is that the group membership can be modified from outside, and the only way
> to update the wiki would be to manually restart it. The Authorizer was a
> better solution for our purposes, because if a user was added to the LDAP
> group, the Authorizer would reflect that change as soon as the user logged
> out and back in. Restarting the wiki is not necessary.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
