[ https://issues.apache.org/jira/browse/JSPWIKI-473?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12689919#action_12689919 ]
Janne Jalkanen commented on JSPWIKI-473:
----------------------------------------
Steve? Andrew? Anyone? Does the fix work? :-)
> Authorizers not consulted at login
> ----------------------------------
>
> Key: JSPWIKI-473
> URL: https://issues.apache.org/jira/browse/JSPWIKI-473
> Project: JSPWiki
> Issue Type: Bug
> Components: Authentication&Authorization
> Affects Versions: 2.8, 2.8.1
> Environment: All
> Reporter: Andrew Jaquith
> Fix For: 2.8.2, 3.0
>
> Original Estimate: 0h
> Remaining Estimate: 0h
>
> From the jspwiki-dev list:
> Steve Dahl wrote:
>
> Under JSPWiki 2.6.4, we've replaced WebContainerAuthorizer with an
> LDAPAuthorizer which implements JSPWiki roles in terms of LDAP groups.
> When I compile this for JSPWiki 2.8.0, and modify the jspwiki.properties file
> to use it, our custom LDAPAuthorizer gets initialized, and is sent
> findRole(), but it never seems to get sent isUserInRole().
>
> If it's useful information, LDAPAuthorizer implements Authorizer (not
> WebAuthorizer), and it implements isUserInRole() with this signature:
>
>     public boolean isUserInRole( WikiSession session, Principal role )
>
> Is there anything that has changed in Authorizers between 2.6.4 and 2.8.0
> that might explain this?
>
> Looking deeper, it seems that in JSPWiki 2.6.X, WikiSession implemented
> injectRolePrincipals(), which initialized the session with whatever groups
> and roles the user belongs to. Groups are read from the group database, and
> Roles are read from the Authorizer.
>
> In JSPWiki 2.8.X, injectRolePrincipals() has been replaced by
> injectGroupPrincipals(), which reads groups from the group database but
> doesn't use the Authorizer. What is the Authorizer used for now?
>
> As a side note, I originally implemented LDAPAuthorizer as LDAPGroupDatabase.
> I ended up rejecting this approach because GroupManager assumes that the
> members of a Group can be read once when the Wiki is started, and that the
> Group's membership will only be modified by the Wiki. The problem with LDAP
> is that the group membership can be modified from outside, and the only way
> to update the wiki would be to manually restart it. The Authorizer was a
> better solution for our purposes, because if a user was added to the LDAP
> group, the Authorizer would reflect that change as soon as the user logged
> out and back in. Restarting the wiki is not necessary.
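The difference the report describes between the two login paths, as an added example that is not JSPWiki source and not the project's fix. `Session`, `Authorizer`, `Role` and the in-memory maps are simplified, hypothetical stand-ins for `WikiSession`, the real `Authorizer`, role principals, the group database and an LDAP directory; only the method names `injectGroupPrincipals`, `injectRolePrincipals` and `isUserInRole` come from the report.

```java
import java.security.Principal;
import java.util.*;

// Simplified model of the behaviour described in JSPWIKI-473 (assumption: not JSPWiki code).
public class LoginRoleInjection {
    record Role(String name) implements Principal { public String getName() { return name; } }

    static class Session {                       // stand-in for WikiSession
        final String user;
        final Set<Principal> principals = new HashSet<>();
        Session(String user) { this.user = user; }
    }

    interface Authorizer {                       // stand-in for the pluggable Authorizer
        Principal[] getRoles();
        boolean isUserInRole(Session session, Principal role);
    }

    // 2.8.x path as reported: only the group database is read, the Authorizer is never asked.
    static void injectGroupPrincipals(Session s, Map<String, Set<String>> groupDb) {
        groupDb.forEach((group, members) -> {
            if (members.contains(s.user)) s.principals.add(new Role(group));
        });
    }

    // 2.6.x path as reported: groups from the database plus roles the Authorizer confirms.
    static void injectRolePrincipals(Session s, Map<String, Set<String>> groupDb, Authorizer a) {
        injectGroupPrincipals(s, groupDb);
        for (Principal role : a.getRoles())
            if (a.isUserInRole(s, role)) s.principals.add(role);
    }

    public static void main(String[] args) {
        // Constructed data: "ldap" models a directory that is edited outside the wiki.
        Map<String, Set<String>> ldap = new HashMap<>();
        ldap.put("Editors", new HashSet<>(List.of("alice")));
        Map<String, Set<String>> groupDb = Map.of("WikiGroup", Set.of("alice", "bob"));
        Authorizer ldapAuthorizer = new Authorizer() {
            public Principal[] getRoles() { return ldap.keySet().stream().map(Role::new).toArray(Principal[]::new); }
            public boolean isUserInRole(Session s, Principal r) { return ldap.getOrDefault(r.getName(), Set.of()).contains(s.user); }
        };
        Session groupsOnly = new Session("alice");
        injectGroupPrincipals(groupsOnly, groupDb);            // Editors role is missing
        Session withRoles = new Session("alice");
        injectRolePrincipals(withRoles, groupDb, ldapAuthorizer); // Editors role is present
        ldap.get("Editors").add("bob");                        // membership changed externally
        Session bob = new Session("bob");                      // next login picks it up, no restart
        injectRolePrincipals(bob, groupDb, ldapAuthorizer);
        System.out.println(groupsOnly.principals + "\n" + withRoles.principals + "\n" + bob.principals);
    }
}
```

A regression test for this class of bug logs in a user whose only privileged role comes from the external authorizer and asserts that the role principal is present in the session after login.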