
Thread: problem with page view permission with container AA

user name
2006-07-24 13:37:11
Note: I have posted this question to the security FAQ but got no result
from there. I have been stuck for 9 days. Please help: Win2k, Tomcat:
5.5.17, JSPWiki version: 2.4.15

Why can't I force a user not to view a page? I am unable to
restrict on page view permission in container AA.

I have written in a page (page name: About): , in next
line

I have set user roles as Asserted, Authenticated,
Anonymous, admin. I am retrieving the user's role from MySQL
using a JDBC realm, and
I am using container-managed authentication and
authorization, using a security policy for Tomcat and JAAS for
Tomcat (as I understood, it is not important),
by adding jspwiki.policy to catalina.policy.

This is the information in catalina.policy:

    grant signedBy "jspwiki",
      principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
        permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*", "view";
        permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
    };

    grant signedBy "jspwiki",
      principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
        permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*", "edit";
        permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Group*", "view";
        permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
        permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
        permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
    };

This is an example of the web.xml of my wiki for container
AA and the Asserted role, whose user in MySQL is user11:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Asserted Area</web-resource-name>
            <url-pattern>/attach</url-pattern>
            <url-pattern>/Comment.jsp</url-pattern>
            <url-pattern>/Login.jsp</url-pattern>
            <url-pattern>/Upload.jsp</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Asserted</role-name>
        </auth-constraint>
    </security-constraint>

_NOW THE PROBLEM IS_: if I try to see the page
"About", where I had forced "ALLOW view
Authenticated" so that a user of role Asserted
cannot view this page,
the user from that role Asserted can still see that page. As
far as I know, this should not be possible.

Do I have any problem in my configuration? How can I
solve this? I have been stuck for one week. Please help.

Thanks from red-cat

_______________________________________________
Jspwiki-users mailing list
Jspwiki-usersecyrd.com
http://ecyrd.com/cgi-bin/mailman/listinfo/jspwiki-users
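
An added example (not part of the original post and not JSPWiki code): a small Python audit of the policy grants quoted in the message, listing which principals are granted a given permission class and action on a given target. It matches target and action strings literally and does not model JSPWiki's own wildcard or implied-permission rules; the names `parse_policy` and `granted_to` are hypothetical.

```python
import re

# Grants copied from the message above (reflowed, values unchanged).
POLICY = """
grant signedBy "jspwiki", principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};
grant signedBy "jspwiki", principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Group*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};
"""

GRANT = re.compile(r'grant\b([^{]*)\{([^}]*)\}\s*;', re.S)
PRINCIPAL = re.compile(r'principal\s+[\w.$]+\s+"([^"]+)"')
PERMISSION = re.compile(r'permission\s+([\w.$]+)\s+"([^"]*)"\s*,\s*"([^"]*)"\s*;')


def parse_policy(text):
    """Return one (principals, class, target, actions) tuple per permission line."""
    entries = []
    for head, body in GRANT.findall(text):
        # Several principals on one grant must all be present (AND),
        # so they are kept together as one tuple rather than flattened.
        principals = tuple(PRINCIPAL.findall(head))
        for cls, target, actions in PERMISSION.findall(body):
            acts = frozenset(a.strip() for a in actions.split(","))
            entries.append((principals, cls.rsplit(".", 1)[-1], target, acts))
    return entries


def granted_to(entries, cls, action, target="*"):
    """Principal sets whose grant names this class, target and action literally."""
    return sorted({p for p, c, t, a in entries
                   if c == cls and t == target and action in a})


if __name__ == "__main__":
    parsed = parse_policy(POLICY)
    for act in ("view", "edit"):
        print(act, "on target '*' ->", granted_to(parsed, "PagePermission", act))
```
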