Andrew,
My configuration just works fine. Every user in the dedicated LDAP
group can log in to JSPWiki with the proper access rights defined in the
security policy.
-------- Original Message --------
David --
Your configuration looks fine. Does it work for you? It looks like it
should...
Milt -- JSPWiki does have a role called "Authenticated" that is granted
to *every* user who successfully authenticates, regardless of the
method used to authenticate (container-based or custom).
"Authenticated" is the role name you should use in the jspwiki.policy
file to denote authenticated users, and indeed, its name cannot be
changed. It's what we call a "built-in" role, along with the
"Anonymous" and "Asserted" roles. It might help you to think of these
as "states" rather than logical roles.
In addition to granting privileges to built-in roles (states), you can
grant privileges to specific container-managed roles (such as those
returned by an LDAP lookup). These are entered as grant blocks in
jspwiki.policy. These container roles must also be entered into
web.xml, preferably as "security-role" elements, or as
"auth-constraint/role-name" elements. David has done both of these
things in his examples: in jspwiki.policy you see a permission grant
for the container role "tomcat-admin", and a corresponding
auth-constraint/role-name element for "tomcat-admin" in web.xml.
Milt, if I've failed to answer your (implied) question, please let me
know and we can investigate further.
Andrew
On Mar 5, 2008, at 5:45 PM, David Gao wrote:
Hi Milton,
I did not change the policy for "Authenticated" as I think jspwiki
may need that internally. I hope my configuration below may help.
Tomcat server.xml (only JNDIRealm enabled; the LDAP server is Sun One
Directory Server):
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://localhost:389"
       connectionName="cn=Directory Manager"
       connectionPassword="password"
       userPassword="userPassword"
       userPattern="uid={0}, ou=People,dc=example,dc=com"
       roleBase="ou=Groups,dc=example,dc=com"
       roleName="cn"
       roleSubtree="true"
       roleSearch="(uniqueMember={0})"
/>
----------------------------------------------------------------------------
JSPWiki web.xml security constraint:
<auth-constraint>
  <role-name>tomcat-admin</role-name>
  <role-name>LGE-SH</role-name>
  ...................
<security-role>
  <description>
    This logical role includes all administrative users
  </description>
  <role-name>tomcat-admin</role-name>
</security-role>
-------------------------------------------------------------------------------
Security policy (added the following as a new entry; no new policy
was added for other LDAP groups):
grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
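The rule Andrew states above (a container role that receives a grant in jspwiki.policy must also be declared in web.xml, preferably as a security-role, otherwise at least as an auth-constraint role-name, while the built-in Anonymous/Asserted/Authenticated roles need no web.xml entry) can be checked mechanically before deploying. The script below is an added example for this thread, not code from JSPWiki or from any participant. The jspwiki.policy and web.xml texts it checks are constructed samples modelled on David's snippets; the role name "wiki-editors" and the PagePermission grants are hypothetical and exist only to show the "missing" and "auth-constraint-only" outcomes.

```python
"""Cross-check container roles granted in jspwiki.policy against web.xml.

Added example, not part of the original thread or of JSPWiki itself.
Rule encoded: every non-built-in Role principal granted in the policy must
appear in web.xml, preferably under <security-role>, else at least under an
<auth-constraint>. Sample inputs below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# JSPWiki built-in roles ("states"); they are never container roles.
BUILT_IN_ROLES = {"Anonymous", "Asserted", "Authenticated"}

# grant [signedBy "x"] principal <class> "<name>" { ... };
GRANT_RE = re.compile(
    r'grant\s+(?:signedBy\s+"[^"]*"\s+)?principal\s+'
    r'(?P<cls>[\w.$]+)\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\}\s*;',
    re.S,
)
PERMISSION_RE = re.compile(r'permission\s+(?P<cls>[\w.$]+)')


def policy_role_grants(policy_text: str) -> dict:
    """Map each Role principal in the policy to its granted permission classes."""
    grants = {}
    for m in GRANT_RE.finditer(policy_text):
        if not m.group("cls").endswith(".Role"):
            continue  # GroupPrincipal etc. are wiki groups, not container roles
        perms = [p.group("cls") for p in PERMISSION_RE.finditer(m.group("body"))]
        grants.setdefault(m.group("name"), []).extend(perms)
    return grants


def _local(tag: str) -> str:
    """Strip a namespace prefix ({uri}name -> name) so a web.xml with xmlns works."""
    return tag.rsplit("}", 1)[-1]


def _role_names(el) -> set:
    return {rn.text.strip() for rn in el.iter()
            if _local(rn.tag) == "role-name" and rn.text}


def web_xml_roles(xml_text: str):
    """Return (security_role_names, auth_constraint_role_names) from web.xml."""
    security, constraint = set(), set()
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "security-role":
            security |= _role_names(el)
        elif _local(el.tag) == "auth-constraint":
            constraint |= _role_names(el)
    return security, constraint


def check_container_roles(policy_text: str, xml_text: str) -> dict:
    """Classify every non-built-in Role in the policy by how web.xml declares it."""
    security, constraint = web_xml_roles(xml_text)
    result = {}
    for role in policy_role_grants(policy_text):
        if role in BUILT_IN_ROLES:
            continue
        if role in security:
            result[role] = "security-role"
        elif role in constraint:
            result[role] = "auth-constraint-only"
        else:
            result[role] = "missing"
    return result


# Constructed sample inputs (modelled on the thread; "wiki-editors" is hypothetical).
SAMPLE_POLICY = '''
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view,edit";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "tomcat-admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "LGE-SH" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "wiki-editors" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
};
'''

SAMPLE_WEB_XML = '''<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/Login.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat-admin</role-name>
      <role-name>LGE-SH</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <description>This logical role includes all administrative users</description>
    <role-name>tomcat-admin</role-name>
  </security-role>
</web-app>
'''

if __name__ == "__main__":
    for role, status in sorted(check_container_roles(SAMPLE_POLICY, SAMPLE_WEB_XML).items()):
        print(f"{role:14} {status}")
```

Run against real files by reading jspwiki.policy and web.xml into the two arguments of check_container_roles; a "missing" result means the policy grants privileges to an LDAP group the container never maps, and "auth-constraint-only" flags roles you may want to promote to an explicit security-role element as Andrew recommends.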
-------- Original Message --------
Can I just clarify that it is not possible to "rename" the
Authenticated role in the policy file in order to map it to
something else in the LDAP directory?
Last time I investigated this, it seemed that jspwiki expected there
to be a role named "Authenticated" that the user was a member of,
regardless of what the policy file might call this role.
Andrew Jaquith wrote:
David - your simple example works much better than my long-winded
explanation might have. :) Nice one.
Ryan - the important point here is that you can add container roles
to your security policy file using the syntax in David's example.
You can use container roles in wiki page ACLs, too. To make this
work, you need to make sure you have a "role" element in your
web.xml for each LDAP group you are referencing.
Andrew
On Mar 5, 2008, at 16:59, David Gao <[EMAIL PROTECTED]> wrote:
--
David Gao ([EMAIL PROTECTED])