Re: Anonymous user can see ACL'd pages

Sun, 25 Nov 2007 05:58:40 -0800
2007-11-25 15:45:25,877 [TP-Processor6] INFO com.ecyrd.jspwiki.WikiContext JSPWiki:/wiki/PermTest JSPWiki:http:// www.jspwiki.org/wiki/PermTest - User 194.29.196.175 has no access - redirecting (permission= ("com.ecyrd.jspwiki.auth.permissions.PagePermission","JSPWiki:PermTest", "view")) 

On 25 Nov 2007, at 15:48, Kalle Kivimaa wrote:


Yes, that is exactly what I'm trying to achieve. It would be nice to
see what the jspwiki.org logs say when an anonymous user tries to view
that page.

"Harry Metske" <[EMAIL PROTECTED]> writes:


Do you mean something like this :

http://www.jspwiki.org/wiki/PermTest


This page has the following text, and is not viewable by anonymous  
users:


[{ALLOW edit metskem}]
[{ALLOW view Asserted}]

You should not be able to see the source of this page !

Harry

2007/11/25, Kalle Kivimaa <[EMAIL PROTECTED]>:



Yes, because I want *most* of my wiki to be visible to everybody,  
and

I understood that an ACL takes precedence over the policy file.

From http://doc.jspwiki.org/2.4/wiki/Security

"By default, wiki pages do not have access control lists. When a  
page

doesn't have an ACL, the default security policy for the page
applies."


I read that as saying that the security policy is *only* used if  
there

is no ACL.

Janne Jalkanen <[EMAIL PROTECTED]> writes:


Um. You're granting read permissions to Anonymous in your policy  
file.


/Janne

On 25 Nov 2007, at 14:47, Kalle Kivimaa wrote:


OK, after finally getting my Tomcat to actually use the security

policy correctly, I still have the problem of the page ACL's  
not being
used. The JAAS config file is loaded correctly, as is the  
policy file

(policy file access restrictions work correctly).

Any ideas what I'm doing wrong?

Page header:
[{ALLOW view Asserted}]

Policy file:

grant principal com.ecyrd.jspwiki.auth.authorize.Role  
"Anonymous" {

    permission com.ecyrd.jspwiki.auth.permissions.PagePermission
"*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
"*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
"*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
"*", "login";
};

grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
"*", "login";
};

Log file:
2007-11-25 14:42:58,883 [http-8180-Processor22] DEBUG
com.ecyrd.jspwiki.WikiContext kalle:/kalle/Wiki.jsp kalle:http://

localhost:8180/kalle/Wiki.jsp - Do we need to log the user in?  
false

2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
com.ecyrd.jspwiki.auth.acl.DefaultAclManager kalle:/kalle/Wiki.jsp
kalle:http://localhost:8180/kalle/Wiki.jsp - page=TaloInfo null
2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
com.ecyrd.jspwiki.WikiSession kalle:/kalle/Wiki.jsp kalle:http://
localhost:8180/kalle/Wiki.jsp - Looking up WikiSession for NULL
HttpRequest: returning guestSession()
2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
com.ecyrd.jspwiki.WikiContext kalle:/kalle/Wiki.jsp kalle:http://

localhost:8180/kalle/Wiki.jsp - Creating WikiContext for  
session ID=

(null); target=TaloInfo
2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
com.ecyrd.jspwiki.WikiContext kalle:/kalle/Wiki.jsp kalle:http://

localhost:8180/kalle/Wiki.jsp - Do we need to log the user in?  
false

2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
com.ecyrd.jspwiki.parser.JSPWikiMarkupParser kalle:/kalle/Wiki.jsp
kalle:http://localhost:8180/kalle/Wiki.jsp - page=TaloInfo, ACL =
ALLOW view Asserted
2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
com.ecyrd.jspwiki.auth.acl.DefaultAclManager kalle:/kalle/Wiki.jsp
kalle:http://localhost:8180/kalle/Wiki.jsp - Adding new acl entry
for view
2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
com.ecyrd.jspwiki.auth.acl.DefaultAclManager kalle:/kalle/Wiki.jsp
kalle:http://localhost:8180/kalle/Wiki.jsp -   user = Asserted:

(("com.ecyrd.jspwiki.auth.permissions.PagePermission","kalle:TaloI 
nfo"

,"view"))
2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
com.ecyrd.jspwiki.parser.JSPWikiMarkupParser kalle:/kalle/Wiki.jsp
kalle:http://localhost:8180/kalle/Wiki.jsp -   user = Asserted:

(("com.ecyrd.jspwiki.auth.permissions.PagePermission","kalle:TaloI 
nfo"

,"view"))
2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
com.ecyrd.jspwiki.WikiSession kalle:/kalle/Wiki.jsp kalle:http://
localhost:8180/kalle/Wiki.jsp - Looking up WikiSession for NULL
HttpRequest: returning guestSession()
2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
com.ecyrd.jspwiki.WikiContext kalle:/kalle/Wiki.jsp kalle:http://

localhost:8180/kalle/Wiki.jsp - Creating WikiContext for  
session ID=

(null); target=TaloInfo
2007-11-25 14:42:58,884 [http-8180-Processor22] DEBUG
com.ecyrd.jspwiki.WikiContext kalle:/kalle/Wiki.jsp kalle:http://

localhost:8180/kalle/Wiki.jsp - Do we need to log the user in?  
false

2007-11-25 14:42:58,889 [http-8180-Processor22] DEBUG
com.ecyrd.jspwiki.WikiEngine kalle:/kalle/Wiki.jsp kalle:http://
localhost:8180/kalle/Wiki.jsp - Page TaloInfo rendered, took
0:00:00.005

--
* Sufficiently advanced magic is indistinguishable from technology
(T.P)  *
*           PGP public key available @ http://www.iki.fi/
killer           *





--

* Sufficiently advanced magic is indistinguishable from  
technology (T.P

)  *
*           PGP public key available @ http://www.iki.fi/killer
*





--
met vriendelijke groet,
Harry Metske
Telnr. +31-548-512395
Mobile +31-6-51898081


--

* Sufficiently advanced magic is indistinguishable from technology  
(T.P)  *
*           PGP public key available @ http://www.iki.fi/ 
killer           *





























					Reply via email to