David, I tested with your web.xml, jspwiki.properties and jspwiki.policy and cannot reproduce the problem. Basically there is nothing mis-configured, and the goal you try to achieve is very common. (you can comment out jspwiki.security=jaas, it's deprecated)
You could activate the SecurityAppender, see the bottom of jspwiki.properties, uncomment the SecurityAppender statements and set the loglevel to debug, maybe that will reveal the error.

regards,
Harry

2010/4/24 David Clemmons <[email protected]>

> Here is the web.xml:
>
> <?xml version="1.0" encoding="ISO-8859-1"?>
>
> <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
>     http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
>     version="2.4">
>
>     <description>
>         JSPWiki is an open source JSP-based WikiClone. It is licensed
>         under the Apache 2.0 license.
>
>         For more information, please come to http://www.jspwiki.org/
>     </description>
>     <display-name>JSPWiki</display-name>
>
>     <!-- Resource bundle default location -->
>     <context-param>
>         <param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
>         <param-value>templates.default</param-value>
>     </context-param>
>
>     <!--
>         WikiServletFilter defines a servlet filter which filters all requests. It was
>         introduced in JSPWiki 2.4.
>
>         In 2.7/2.8, the WikiServlet filter also performs an important security function:
>         it sets authentication status based on container credentials. It should generally
>         execute first. Note that if you configure a filter *before* this one that returns
>         non-null values for getUserPrincipal() or getRemoteUser(), WikiSecurityFilter
>         will pick the credentials up, and set the user's WikiSession state to
>         "authenticated." WikiServletFilter will also set the WikiSession's state
>         to "authenticated" if jspwiki.properties property "jspwiki.cookieAuthentication"
>         is set to true, and the user possesses the correct authentication cookie.
>
>         Lastly, if jspwiki.properties property "jspwiki.cookieAssertions" is set to true,
>         WikiServletFilter will also set WikiSession state to "asserted" if the user
>         possesses the correct "assertion cookie."
>     -->
>
>     <filter>
>         <filter-name>WikiServletFilter</filter-name>
>         <filter-class>com.ecyrd.jspwiki.ui.WikiServletFilter</filter-class>
>     </filter>
>     <filter>
>         <filter-name>WikiJSPFilter</filter-name>
>         <filter-class>com.ecyrd.jspwiki.ui.WikiJSPFilter</filter-class>
>     </filter>
>
>     <filter-mapping>
>         <filter-name>WikiServletFilter</filter-name>
>         <url-pattern>/attach/*</url-pattern>
>     </filter-mapping>
>     <filter-mapping>
>         <filter-name>WikiServletFilter</filter-name>
>         <url-pattern>/atom/*</url-pattern>
>     </filter-mapping>
>     <filter-mapping>
>         <filter-name>WikiServletFilter</filter-name>
>         <url-pattern>/dav/*</url-pattern>
>     </filter-mapping>
>     <filter-mapping>
>         <filter-name>WikiServletFilter</filter-name>
>         <url-pattern>/RPCU/</url-pattern>
>     </filter-mapping>
>     <filter-mapping>
>         <filter-name>WikiServletFilter</filter-name>
>         <url-pattern>/RPC2/</url-pattern>
>     </filter-mapping>
>     <filter-mapping>
>         <filter-name>WikiServletFilter</filter-name>
>         <url-pattern>/JSON-RPC</url-pattern>
>     </filter-mapping>
>     <filter-mapping>
>         <filter-name>WikiJSPFilter</filter-name>
>         <url-pattern>/wiki/*</url-pattern>
>     </filter-mapping>
>     <filter-mapping>
>         <filter-name>WikiJSPFilter</filter-name>
>         <url-pattern>*.jsp</url-pattern>
>     </filter-mapping>
>
>     <!--
>         HttpSessionListener used for managing WikiSessions.
>     -->
>     <listener>
>         <listener-class>com.ecyrd.jspwiki.auth.SessionMonitor</listener-class>
>     </listener>
>
>     <!--
>         Now, let's define the XML-RPC interfaces. You probably don't have to touch these.
>
>         First, we'll define the standard XML-RPC interface.
>     -->
>     <servlet>
>         <servlet-name>XMLRPC</servlet-name>
>         <servlet-class>com.ecyrd.jspwiki.xmlrpc.RPCServlet</servlet-class>
>         <init-param>
>             <param-name>handler</param-name>
>             <param-value>com.ecyrd.jspwiki.xmlrpc.RPCHandler</param-value>
>         </init-param>
>
>         <init-param>
>             <param-name>prefix</param-name>
>             <param-value>wiki</param-value>
>         </init-param>
>     </servlet>
>
>     <!--
>         OK, this then defines our UTF-8-capable server.
>     -->
>     <servlet>
>         <servlet-name>XMLRPC-UTF8</servlet-name>
>         <servlet-class>com.ecyrd.jspwiki.xmlrpc.RPCServlet</servlet-class>
>         <init-param>
>             <param-name>handler</param-name>
>             <param-value>com.ecyrd.jspwiki.xmlrpc.RPCHandlerUTF8</param-value>
>         </init-param>
>
>         <init-param>
>             <param-name>prefix</param-name>
>             <param-value>wiki</param-value>
>         </init-param>
>     </servlet>
>
>     <!-- JSON AJAX API -->
>     <servlet>
>         <servlet-name>com.metaparadigm.jsonrpc.JSONRPCServlet</servlet-name>
>         <servlet-class>com.metaparadigm.jsonrpc.JSONRPCServlet</servlet-class>
>     </servlet>
>
>     <!-- Atom Publishing Protocol -->
>     <servlet>
>         <servlet-name>ATOM</servlet-name>
>         <servlet-class>com.ecyrd.jspwiki.rpc.atom.AtomAPIServlet</servlet-class>
>     </servlet>
>
>     <!-- Maps short URLs to JSPs; also, detects webapp shutdown. -->
>     <servlet>
>         <servlet-name>WikiServlet</servlet-name>
>         <servlet-class>com.ecyrd.jspwiki.WikiServlet</servlet-class>
>         <load-on-startup>1</load-on-startup>
>     </servlet>
>
>     <servlet>
>         <servlet-name>DAVServlet</servlet-name>
>         <servlet-class>com.ecyrd.jspwiki.dav.WikiDavServlet</servlet-class>
>     </servlet>
>
>     <!--
>         Attachment exchange handler.
>     -->
>     <servlet>
>         <servlet-name>AttachmentServlet</servlet-name>
>         <servlet-class>com.ecyrd.jspwiki.attachment.AttachmentServlet</servlet-class>
>     </servlet>
>
>     <!-- PLACEHOLDER FOR PRE-COMPILED JSP SERVLETS -->
>
>     <!--
>         And finally, let us tell the servlet container which
>         URLs should correspond to which XML RPC servlet.
>     -->
>
>     <!-- By default, this is disabled. If you want to enable it,
>          just uncomment the whole section. -->
>
>     <!-- REMOVE ME TO ENABLE XML-RPC
>
>     <servlet-mapping>
>         <servlet-name>XMLRPC</servlet-name>
>         <url-pattern>/RPC2/</url-pattern>
>     </servlet-mapping>
>
>     <servlet-mapping>
>         <servlet-name>XMLRPC-UTF8</servlet-name>
>         <url-pattern>/RPCU/</url-pattern>
>     </servlet-mapping>
>
>     <servlet-mapping>
>         <servlet-name>ATOM</servlet-name>
>         <url-pattern>/atom/*</url-pattern>
>     </servlet-mapping>
>
>     AND REMOVE ME TOO -->
>
>     <servlet-mapping>
>         <servlet-name>AttachmentServlet</servlet-name>
>         <url-pattern>/attach/*</url-pattern>
>     </servlet-mapping>
>
>     <servlet-mapping>
>         <servlet-name>WikiServlet</servlet-name>
>         <url-pattern>/wiki/*</url-pattern>
>     </servlet-mapping>
>
>     <!-- Remove to enable WebDav. EXPERIMENTAL FEATURE!
>     <servlet-mapping>
>         <servlet-name>DAVServlet</servlet-name>
>         <url-pattern>/dav/*</url-pattern>
>     </servlet-mapping>
>     -->
>
>     <servlet-mapping>
>         <servlet-name>com.metaparadigm.jsonrpc.JSONRPCServlet</servlet-name>
>         <url-pattern>/JSON-RPC</url-pattern>
>     </servlet-mapping>
>
>     <!-- This means that we don't have to use redirection
>          from index.html anymore. Yay! -->
>     <welcome-file-list>
>         <welcome-file>Wiki.jsp</welcome-file>
>     </welcome-file-list>
>
>     <!-- Error pages -->
>     <error-page>
>         <error-code>403</error-code>
>         <location>/error/Forbidden.html</location>
>     </error-page>
>
>     <!-- REMOVE ME TO ENABLE JDBC DATABASE
>     <resource-ref>
>         <description>
>             Resource reference to JNDI factory for the JDBCUserDatabase.
>         </description>
>         <res-ref-name>
>             jdbc/UserDatabase
>         </res-ref-name>
>         <res-type>
>             javax.sql.DataSource
>         </res-type>
>         <res-auth>
>             Container
>         </res-auth>
>     </resource-ref>
>     <resource-ref>
>         <description>
>             Resource reference to JNDI factory for the JDBCGroupDatabase.
>         </description>
>         <res-ref-name>
>             jdbc/GroupDatabase
>         </res-ref-name>
>         <res-type>
>             javax.sql.DataSource
>         </res-type>
>         <res-auth>
>             Container
>         </res-auth>
>     </resource-ref>
>     REMOVE ME TO ENABLE JDBC DATABASE -->
>
>     <!-- REMOVE ME TO ENABLE JAVAMAIL
>     <resource-ref>
>         <description>Resource reference to a container-managed JNDI JavaMail
>             factory for sending e-mails.</description>
>         <res-ref-name>mail/Session</res-ref-name>
>         <res-type>javax.mail.Session</res-type>
>         <res-auth>Container</res-auth>
>     </resource-ref>
>     REMOVE ME TO ENABLE JAVAMAIL -->
>
>     <!--
>         CONTAINER-MANAGED AUTHENTICATION & AUTHORIZATION
>
>         Here we define the users which are allowed to access JSPWiki.
>         These restrictions cause the web container to apply further
>         constraints to the default security policy in jspwiki.policy,
>         and should be suitable for a corporate intranet or public wiki.
>
>         In particular, the restrictions below allow all users to
>         read documents, but only Authenticated users can comment
>         on or edit them (i.e., access the Edit.jsp page).
>         Users with the role Admin are the only persons who can
>         delete pages.
>
>         To implement this policy, the container enforces two web
>         resource constraints: one for the Administrator resources,
>         and one for Authenticated users. Note that the "role-name"
>         values are significant and should match the role names
>         retrieved by your web container's security realm. The roles
>         of "Admin" and "Authenticated" are assigned by the web
>         container at login time.
>
>         For example, if you are using Tomcat's built-in "memory realm",
>         you should edit the $CATALINA_HOME/conf/tomcat-users.xml file
>         and add the desired actual user accounts. Each user must possess
>         one or both of the Admin or Authenticated roles. For other realm
>         types, consult your web container's documentation.
>
>         Alternatively, you could also replace all references to
>         "Authenticated" and "Admin" with role names that match those
>         returned by your container's security realm. We don't care
>         either way, as long as they match.
>
>         Note that accessing protected resources will cause your
>         container to try to use SSL (default port for Tomcat is 8443)
>         to secure the web session. This, of course, assumes your
>         web container (or web server) is configured with SSL support.
>         If you do not wish to use SSL, remove the "user-data-constraint"
>         elements.
>     -->
>
>     <!-- REMOVE ME TO ENABLE CONTAINER-MANAGED AUTH
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Administrative Area</web-resource-name>
>             <url-pattern>/Delete.jsp</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>Admin</role-name>
>         </auth-constraint>
>         <user-data-constraint>
>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Authenticated area</web-resource-name>
>             <url-pattern>/Edit.jsp</url-pattern>
>             <url-pattern>/Comment.jsp</url-pattern>
>             <url-pattern>/Login.jsp</url-pattern>
>             <url-pattern>/NewGroup.jsp</url-pattern>
>             <url-pattern>/Rename.jsp</url-pattern>
>             <url-pattern>/Upload.jsp</url-pattern>
>             <http-method>DELETE</http-method>
>             <http-method>GET</http-method>
>             <http-method>HEAD</http-method>
>             <http-method>POST</http-method>
>             <http-method>PUT</http-method>
>         </web-resource-collection>
>
>         <web-resource-collection>
>             <web-resource-name>Read-only Area</web-resource-name>
>             <url-pattern>/attach</url-pattern>
>             <http-method>DELETE</http-method>
>             <http-method>POST</http-method>
>             <http-method>PUT</http-method>
>         </web-resource-collection>
>
>         <auth-constraint>
>             <role-name>Admin</role-name>
>             <role-name>Authenticated</role-name>
>         </auth-constraint>
>
>         <user-data-constraint>
>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
>
>     <login-config>
>         <auth-method>FORM</auth-method>
>         <form-login-config>
>             <form-login-page>/LoginForm.jsp</form-login-page>
>             <form-error-page>/LoginForm.jsp</form-error-page>
>         </form-login-config>
>     </login-config>
>
>     <security-role>
>         <description>
>             This logical role includes all authenticated users
>         </description>
>         <role-name>Authenticated</role-name>
>     </security-role>
>
>     <security-role>
>         <description>
>             This logical role includes all administrative users
>         </description>
>         <role-name>Admin</role-name>
>     </security-role>
>
>     REMOVE ME TO ENABLE CONTAINER-MANAGED AUTH -->
>
> </web-app>
>
>
> David Clemmons
>
>
> ________________________________
> From: Harry Metske <[email protected]>
> To: [email protected]
> Sent: Sat, April 24, 2010 10:28:42 AM
> Subject: Re: ACL problem
>
> David,
>
> your jspwiki.policy looks fine.
> I cannot reproduce your problem, when you access the protected page
> anonymously you should get a message like
> *User 0:0:0:0:0:0:0:1 has no access - redirecting
> (permission=("com.ecyrd.jspwiki.auth.permissions.PagePermission","JSPWiki:Testpage","view"))*
>
> Have you made changes to web.xml and/or jspwiki.properties that might affect
> this behaviour ?
> Can you reproduce it on http://sandbox.jspwiki.org ?
>
> regards,
> Harry
>
>
> 2010/4/24 David Clemmons <[email protected]>
>
> > Harry,
> > FYI, I have the same problem on Tomcat running on Ubuntu.
> >
> > David Clemmons
> >
> >
> > ________________________________
> > From: Harry Metske <[email protected]>
> > To: [email protected]
> > Sent: Thu, April 22, 2010 3:58:57 AM
> > Subject: Re: ACL problem
> >
> > David,
> >
> > the list does not accept attachments, can you put them inline, or put them
> > somewhere on a public host ?
> >
> > regards,
> > Harry
> >
> > 2010/4/22 David Clemmons <[email protected]>
> >
> > > Attached is the policy and log file.
> > > Thank You,
> > > David Clemmons
> > >
> > >
> > > ------------------------------
> > > *From:* Harry Metske <[email protected]>
> > > *To:* [email protected]
> > > *Sent:* Wed, April 21, 2010 11:52:42 AM
> > > *Subject:* Re: ACL problem
> > >
> > > David,
> > >
> > > can you share your jspwiki.policy file and the logfiles with us ?
> > > Your problem description is not enough for us to help you.
> > >
> > > regards,
> > > Harry
> > >
> > > 2010/4/19 David Clemmons <[email protected]>
> > >
> > > > I have installed JSPWIKI 2.83 on Websphere but I cannot get ACL to
> > > > work. For instance, I have a page with [{ALLOW view DavidClemmons}] but
> > > > anonymous users can still view this.
> > > >
> > > > David Clemmons
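The behaviour the thread is arguing about, as an added example that is not part of the original messages and not JSPWiki's own code: a small model of how a page-level ACL such as `[{ALLOW view DavidClemmons}]` should decide a request, so you can state precisely what "anonymous users can still view this" ought to look like before you go hunting through the SecurityAppender output. The ACL markup format and the denial message are taken from the thread; the built-in role names (All, Anonymous, Asserted, Authenticated), the DEFAULT_POLICY table standing in for jspwiki.policy, and the page bodies are assumptions made for this example. Cross-action implication (an edit entry also granting view) is deliberately not modelled.

```python
"""Offline model of a JSPWiki-style page ACL decision.

Constructed for this thread; not JSPWiki code. The rule modelled: once a page
carries an ALLOW entry for an action, only the listed principals (user names,
groups, or built-in roles) may perform that action. A page with no entry for
the action falls back to the global default, which here stands in for the
grants in jspwiki.policy.
"""
import re
from dataclasses import dataclass, field

# [{ALLOW action principal, principal, ...}]  (case-insensitive keyword)
ACL_RE = re.compile(r"\[\{\s*ALLOW\s+(\w+)\s+([^}]*?)\s*\}\]", re.IGNORECASE)

# Assumed stand-in for the default jspwiki.policy: anybody may view, only
# authenticated users may edit, only Admin may delete. Adjust to your policy.
DEFAULT_POLICY = {
    "view": {"All"},
    "edit": {"Authenticated"},
    "delete": {"Admin"},
}


@dataclass
class Principal:
    name: str                        # e.g. "DavidClemmons" or "0:0:0:0:0:0:0:1"
    state: str = "anonymous"         # anonymous | asserted | authenticated
    groups: set = field(default_factory=set)

    def roles(self) -> set:
        """Every name this principal can match in an ACL entry."""
        implied = {"All", self.name} | self.groups
        if self.state == "anonymous":
            implied.add("Anonymous")
        elif self.state == "asserted":
            implied.add("Asserted")
        elif self.state == "authenticated":
            implied.add("Authenticated")
        return implied


def parse_acl(page_text: str) -> dict:
    """Return {action: {principal, ...}} for every ALLOW entry on the page."""
    acl = {}
    for action, names in ACL_RE.findall(page_text):
        entries = {n.strip() for n in names.split(",") if n.strip()}
        acl.setdefault(action.lower(), set()).update(entries)
    return acl


def check_permission(page_text: str, who: Principal, action: str) -> bool:
    """True if `who` may perform `action` on the page.

    A page ACL entry for the action is authoritative; only when the page has
    no entry for that action does the global default apply.
    """
    allowed = parse_acl(page_text).get(action.lower())
    if allowed is None:
        allowed = DEFAULT_POLICY.get(action.lower(), set())
    return bool(allowed & who.roles())


def explain_denial(page_name: str, who: Principal, action: str) -> str:
    """Denial line in the shape Harry quoted from the JSPWiki log."""
    return (f"User {who.name} has no access - redirecting "
            f'(permission=("com.ecyrd.jspwiki.auth.permissions.PagePermission",'
            f'"JSPWiki:{page_name}","{action}"))')


# Constructed page bodies; the first mirrors the page David described.
TESTPAGE = "[{ALLOW view DavidClemmons}]\n\nOnly David should see this."
OPENPAGE = "No ACL here: anybody may read, Authenticated users may edit."

if __name__ == "__main__":
    anon = Principal("0:0:0:0:0:0:0:1")
    david = Principal("DavidClemmons", state="authenticated")
    for who in (anon, david):
        if check_permission(TESTPAGE, who, "view"):
            print(f"{who.name}: view Testpage allowed")
        else:
            print(explain_denial("Testpage", who, "view"))
```

Run it as a script and the anonymous principal produces exactly the "has no access - redirecting" line Harry expected to see in the log, while DavidClemmons is allowed; if your real installation lets the anonymous request through instead, the problem is upstream of ACL evaluation (the WikiSession state never being set, or the page ACL never being parsed), which is what the debug-level SecurityAppender output should show.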
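The web.xml David posted says in its own comment block that WikiServletFilter sets the WikiSession authentication state and "should generally execute first", and that container-managed auth only takes effect once the security-constraint elements are taken out of the REMOVE ME comment. The following is an added audit script for exactly those two points; it is not JSPWiki tooling. The trimmed web.xml inside it is constructed from the structure of the posted file, and the LoggingFilter mapped ahead of the wiki filters in the second variant is hypothetical, introduced only to show what a wrong ordering looks like.

```python
"""Audit a JSPWiki web.xml for filter ordering and live security constraints.

Added example for this thread, not JSPWiki's own code. Checks:
  * no filter-mapping precedes the first JSPWiki filter (the container applies
    filters in filter-mapping document order);
  * every servlet url-pattern also has a WikiServletFilter/WikiJSPFilter
    mapping on the same pattern, so no endpoint bypasses session setup;
  * whether any security-constraint is live rather than inside the
    REMOVE ME comment (ElementTree drops comments, so it sees the file the
    way the container does).
"""
import xml.etree.ElementTree as ET

NS = "{http://java.sun.com/xml/ns/j2ee}"
WIKI_FILTERS = {"WikiServletFilter", "WikiJSPFilter"}

# Constructed, trimmed-down version of the posted web.xml.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <filter>
    <filter-name>WikiServletFilter</filter-name>
    <filter-class>com.ecyrd.jspwiki.ui.WikiServletFilter</filter-class>
  </filter>
  <filter>
    <filter-name>WikiJSPFilter</filter-name>
    <filter-class>com.ecyrd.jspwiki.ui.WikiJSPFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>WikiServletFilter</filter-name>
    <url-pattern>/attach/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>WikiJSPFilter</filter-name>
    <url-pattern>/wiki/*</url-pattern>
  </filter-mapping>
  <servlet-mapping>
    <servlet-name>AttachmentServlet</servlet-name>
    <url-pattern>/attach/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>WikiServlet</servlet-name>
    <url-pattern>/wiki/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>com.metaparadigm.jsonrpc.JSONRPCServlet</servlet-name>
    <url-pattern>/JSON-RPC</url-pattern>
  </servlet-mapping>
  <!-- REMOVE ME TO ENABLE CONTAINER-MANAGED AUTH
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administrative Area</web-resource-name>
      <url-pattern>/Delete.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  REMOVE ME TO ENABLE CONTAINER-MANAGED AUTH -->
</web-app>
"""

# Same file with a hypothetical LoggingFilter mapped ahead of the wiki filters.
BAD_ORDER_WEB_XML = SAMPLE_WEB_XML.replace(
    "  <filter-mapping>\n    <filter-name>WikiServletFilter",
    "  <filter-mapping>\n    <filter-name>LoggingFilter</filter-name>\n"
    "    <url-pattern>/*</url-pattern>\n  </filter-mapping>\n"
    "  <filter-mapping>\n    <filter-name>WikiServletFilter", 1)


def filter_mappings(web_xml: str) -> list:
    """(filter-name, url-pattern) pairs in the order the container applies them."""
    root = ET.fromstring(web_xml)
    return [(m.findtext(NS + "filter-name"), m.findtext(NS + "url-pattern"))
            for m in root.findall(NS + "filter-mapping")]


def filters_ahead_of_wiki(web_xml: str) -> list:
    """Filters mapped before the first JSPWiki filter; should be empty."""
    ahead = []
    for name, _pattern in filter_mappings(web_xml):
        if name in WIKI_FILTERS:
            break
        ahead.append(name)
    return ahead


def unfiltered_endpoints(web_xml: str) -> list:
    """Servlet url-patterns with no JSPWiki filter mapped on the same pattern."""
    root = ET.fromstring(web_xml)
    covered = {p for n, p in filter_mappings(web_xml) if n in WIKI_FILTERS}
    served = [m.findtext(NS + "url-pattern") for m in root.findall(NS + "servlet-mapping")]
    return [p for p in served if p not in covered]


def container_auth_active(web_xml: str) -> bool:
    """True only if a security-constraint is live (not inside a comment)."""
    return ET.fromstring(web_xml).find(NS + "security-constraint") is not None


def enable_container_auth(web_xml: str) -> str:
    """Strip the REMOVE ME markers the way the file's own instructions say to."""
    marker = "REMOVE ME TO ENABLE CONTAINER-MANAGED AUTH"
    return web_xml.replace("<!-- " + marker, "").replace(marker + " -->", "")
```

Point the functions at the real file (`open("web.xml").read()`) instead of the sample; an entry in `filters_ahead_of_wiki` or `unfiltered_endpoints` is the kind of configuration difference Harry was asking about, and `container_auth_active` tells you whether the container is enforcing anything at all or whether page ACLs and jspwiki.policy are the only control in play.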
