David --
Your configuration looks fine. Does it work for you? It looks like it
should...
Milt --JSPWiki does have a role called "Authenticated" that is granted
to *every* user who successfully authenticates, regardless of the
method used to authenticate (container-based or custom).
"Authenticated" is the role name you should use in the jspwiki.policy
file to denote authenticated users, and indeed, its name cannot be
changed. It's what we call a "built-in" role, along with the
"Anonymous" and "Asserted" roles. It might help you to think of these
"states" rather than logical roles.
In addition to granting privileges to built-in roles (states), you can
grant privileges to specific container-managed roles (such as those
returned by an LDAP lookup). These are entered as grant blocks in
jspwiki.policy. These container roles must also be entered into
web.xml, preferably as "security-role" elements, or as "auth-
constraint/role-name" elements. David has done both of these things in
his examples: in jspwiki.policy you see a permission grant for the
container role "tomcat-admin", and a corresponding auth-constraint/
role-name element for "tomcat-admin" in web.xml.
Milt, if I've failed to answer your (implied) question, please let me
know and we can investigate further.
Andrew
On Mar 5, 2008, at 5:45 PM, David Gao wrote:
Hi Milton,
I did not change the policy for "Authenticated" as I think jspwiki
may need that internally. Hope my configuration below may help
Tomcat server.xml (only JNDIRealm enabled) (LDAP server is Sun One
Directory Server)
<Realm className="org.apache.catalina.realm.JNDIRealm"
debug="99"
connectionURL="ldap://localhost:389";
connectionName="cn=Directory Manager"
connectionPassword="password"
userPassword="userPassword"
userPattern="uid={0}, ou=People,dc=example,dc=com"
roleBase="ou=Groups,dc=example,dc=com"
roleName="cn"
roleSubtree="true"
roleSearch="(uniqueMember={0})"
/>
----------------------------------------------------------------------------
JSPWiki web.xml Security constraint
<auth-constraint>
<role-name>tomcat-admin</role-name>
<role-name>LGE-SH</role-name>
...................
<security-role>
<description>
This logical role includes all administrative users
</description>
<role-name>tomcat-admin</role-name>
</security-role>
-------------------------------------------------------------------------------
Security policy: (added the following as a new entry, no new policy
added for other LDAP groups)
grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
-------- Original Message --------
Can I just clarify that it is not possible to "rename" the
Authenticated role in the policy file in order to map it to
something else in the LDAP directory?
Last time I investigated this, it seemed that jspwiki expected
there to be a role named "Authenticated" that the user was a member
of, regardless of what the policy file might call this role.
Andrew Jaquith wrote:
David - your simple example works much better than my long-winded
explanation might have. :) Nice one.
Ryan - the important point here is that you can add container
roles to your security policy file using the syntax in David's
example. You can use container roles in wiki page ACLs, too. To
make this work, you need to make sure you have a "role" element in
your web.xml for each LDAP group you are referencing.
Andrew
On Mar 5, 2008, at 16:59, David Gao <[EMAIL PROTECTED]> wrote:
--
David Gao ([EMAIL PROTECTED])
