I had written a plugin that would allow partial page displays to be
shown; I think this is what you are looking for.
If it is, let me know and I'll mail you the code. It's for a very old
version of JSPWiki; when the base went off in a different direction for
page auth it was too hard to fit into the new scheme.
Foster
--------
AuthPlugin
The purpose of the Auth Plugin is to allow page level security for 2.0.x
JSPWiki. It is an Authorization plugin; it uses Container Managed
Security
<http://localhost:8080/schucker/Wiki.jsp?page=ContainerManagedSecurity>
to perform the Authentication (and to help control access to some of the
JSP files). Also see Auth Plugin Detail
<http://localhost:8080/schucker/Wiki.jsp?page=AuthPluginDetail>. The
Auth Test <http://localhost:8080/schucker/Wiki.jsp?page=AuthTest> page
has some samples.
[{Auth allow='admin' deny='Janne' edit='editor'}]
Parameters
*allow* (optional)[1]
<http://localhost:8080/schucker/Wiki.jsp?page=AuthPlugin#ref-AuthPlugin-1>
a list of user names and/or roles that have access to this page[1]
<http://localhost:8080/schucker/Wiki.jsp?page=AuthPlugin#ref-AuthPlugin-1>.
*deny* (optional)
a list of user names and/or roles that should be denied access to
this page
*edit* (optional)
a list of user names and/or roles that have edit access to this page
In the example given, everyone in the admin group has access except for
Janne, and those people who have the 'editor' role can edit this page.
------------------------------------------------------------------------
How to use it
There are two different ways to use Auth. First is to control the
viewing of a block of text inside of a page:
Everyone will see this text
[{Auth allow='editor'

Only those people with ''editor'' roles will see this text
}]
This text will also be seen by everyone.
Only the text inside the body of the Auth plugin is controlled. The
plugin can be used any number of times on a page. Plugins can be
nested, so you can do:
Everyone will see this text
[{Auth allow='editor'

Only those people with ''editor'' roles will see this text
[{Auth allow='admin'

Only those people with ''editor'' and ''admin'' roles will see this text
}]
Only ''editors'' will see this line
}]
This text will also be seen by everyone.
(A common error is not having the blank line after the Auth plugin and
not having matched plugin closes)
The second way is to control access to the entire page.
[{Auth allow='ATeam' deny='BA' edit='ATeam'}]
Plane trip for next week is on, I love it when a plan comes together!
Everyone on the ATeam except for BA can see this page, and all of the
ATeam can edit this page.
------------------------------------------------------------------------
How it works
Auth Plugin: it simply takes the parameters passed and looks in the
user and role list to see if they match[2]
<http://localhost:8080/schucker/Wiki.jsp?page=AuthPlugin#ref-AuthPlugin-2>:
if (checkthisguy.equalsIgnoreCase(request.getRemoteUser())) {..}
if (request.isUserInRole(checkthisguy)) {..}
If there is no match for the allow list, an AssertionError("Not allowed
to see this page") is thrown. This error is caught by the uppermost layer
of the container, which produces an error page with this message on
it. (Tested with Resin and Weblogic; your container may or may not work.)
If the user is allowed to view the page then an entry is also made in
the session variable *pageview*. A similar entry is made in *pageedit*
if they can edit the page.
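The allow/deny check described above, as an added Java sketch (not the plugin's source). The `Caller` interface is a hypothetical stand-in for the two `HttpServletRequest` calls quoted above; checking deny before allow is an assumption that reproduces the Janne example and the deny-by-default behaviour of footnote 1, and wildcard handling is not modelled.

```java
import java.util.Set;

public class AuthDecisionDemo {

    /** Hypothetical stand-in for the two HttpServletRequest calls the page quotes. */
    interface Caller {
        String getRemoteUser();
        boolean isUserInRole(String role);
    }

    /** True if any entry of a comma-separated list names the user or one of the user's roles. */
    static boolean inList(Caller c, String list) {
        if (list == null || c.getRemoteUser() == null) return false; // no list or no login: no match
        for (String entry : list.split(",")) {
            String e = entry.trim();
            if (e.isEmpty()) continue;
            if (e.equalsIgnoreCase(c.getRemoteUser()) || c.isUserInRole(e)) return true;
        }
        return false;
    }

    /** ASSUMPTION: deny is checked first; a missing allow list then denies everyone. */
    static boolean mayView(Caller c, String allow, String deny) {
        if (inList(c, deny)) return false;
        return inList(c, allow);
    }

    /** Builds a constructed caller with a fixed user name and role set. */
    static Caller caller(String user, String... roles) {
        Set<String> held = Set.of(roles);
        return new Caller() {
            public String getRemoteUser() { return user; }
            public boolean isUserInRole(String role) { return held.contains(role); }
        };
    }

    public static void main(String[] args) {
        // Constructed users against the page's example: allow='admin' deny='Janne'
        System.out.println("admin member:  " + mayView(caller("Foster", "admin"), "admin", "Janne"));
        System.out.println("denied by name: " + mayView(caller("janne", "admin"), "admin", "Janne"));
        System.out.println("no role:        " + mayView(caller("guest"), "admin", "Janne"));
        System.out.println("no allow list:  " + mayView(caller("Foster", "admin"), null, null));
        System.out.println("not logged in:  " + mayView(caller(null), "admin", "Janne"));
    }
}
```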
In most cases the user will not be able to click on the /Edit this page/
link, since if they can't see the page they are looking at an error page
that does not have a link on it.
While */Security through Obscurity/* works for some, some users may
elect to put the entire URL in by hand. To protect against this you will
need to edit your Edit.jsp file to check and see if they are allowed to
edit this file. And while you are at it, you should also change the
Diff.jsp and PageInfo.jsp files.
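One way to write the check that Edit.jsp needs, as an added example rather than the plugin's own code. It assumes *pageedit* holds a `Set` of page names (the page does not say how the entry is stored) and uses a `Map` as a hypothetical stand-in for the `HttpSession` attributes.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class EditGuardDemo {

    /**
     * Fail closed: only a recorded grant for this exact page allows editing.
     * A missing session, missing attribute, or unexpected type is a refusal.
     * ASSUMPTION: "pageedit" is a Set of page names; the real layout may differ.
     */
    static boolean mayEdit(Map<String, Object> session, String page) {
        if (session == null || page == null) return false;
        Object granted = session.get("pageedit");
        return granted instanceof Set && ((Set<?>) granted).contains(page);
    }

    public static void main(String[] args) {
        // Constructed sessions, keyed like HttpSession attributes.
        Map<String, Object> editor = new HashMap<>();
        editor.put("pageview", Set.of("TopSecretPlans"));
        editor.put("pageedit", Set.of("TopSecretPlans"));

        Map<String, Object> viewer = new HashMap<>();
        viewer.put("pageview", Set.of("TopSecretPlans"));

        Map<String, Object> typedUrl = new HashMap<>(); // went straight to Edit.jsp

        System.out.println("editor:     " + mayEdit(editor, "TopSecretPlans"));
        System.out.println("viewer:     " + mayEdit(viewer, "TopSecretPlans"));
        System.out.println("typed URL:  " + mayEdit(typedUrl, "TopSecretPlans"));
        System.out.println("other page: " + mayEdit(editor, "Main"));

        // In Edit.jsp the same test would run before any output, for example
        // calling response.sendError(HttpServletResponse.SC_FORBIDDEN) and
        // returning when it fails; Diff.jsp and PageInfo.jsp could test
        // "pageview" the same way.
    }
}
```

Under this assumption the guard acts on the decision recorded when the user last viewed the page, not on the page's current Auth parameters. A user who is entitled to edit but opens the edit URL without viewing the page first is refused as well.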
Finally, things like Recent Changes will still find the /hidden/ pages
for a user. This means that they will know there is a page called
*TopSecretPlans* even though they can't view it. If this is a concern to
you, you can do one of two things:
1. Call your /hidden/ pages something like *Hidden_TopSecretPlans* and
change your Recent Changes to ignore files that start with Hidden_.
2. Use the new 2.1 Wiki with the full featured Authorization And
Authentication.
------------------------------------------------------------------------
Disclaimer
This is how I do it, you may not get it to work without some (high)
level of effort on your part. I can try to help you, but plan to spend
some time, this is not just a plugin you can drop in and use --
FosterSchucker
<http://localhost:8080/schucker/Wiki.jsp?page=FosterSchucker>
------------------------------------------------------------------------
3 August 2004
I've uploaded a new version that fixes a bug if there are many roles in
the list. I've also made it a static method and moved all of the null
checking, wildcards, etc. into the method *userInList*. This allows Auth
to be safely called from other places (like tags, pages, etc.)
I've uploaded the source to the Auth plugin and the source for AuthTag,
if you want a compiled version (jar file) let me know.
New exposed method
public static boolean userInList(HttpServletRequest request, String accesslist,
String username)
sample call
if (Auth.userInList(request, "editor,admin,superuser", null)) { ... }
Will check to see if this user is in any of those roles.
TLD for AuthTag
<tag>
  <name>Auth</name>
  <tagclass>com.ecyrd.jspwiki.tags.AuthTag</tagclass>
  <bodycontent>JSP</bodycontent>
  <attribute>
    <name>allow</name>
    <required>false</required>
  </attribute>
  <attribute>
    <name>deny</name>
    <required>false</required>
  </attribute>
</tag>
------------------------------------------------------------------------
[#1]The default in the code is to deny access to a page.
While the allow parameter is not /required/, it's a good idea to have it
in there; without it you can make a page that no user can see.
[#2]The site Administrator is still responsible for putting the user,
password and role(s) into the system.
Category Third Party Plugin
<http://localhost:8080/schucker/Wiki.jsp?page=CategoryThirdPartyPlugin>