I created a page and put the following at the top:

[{ALLOW view NOBODY}]

I then restart the server and try to access the page; it is displayed.

I run the code through a debugger and it seems that hasAllPermission is always being evaluated to true. For some reason the code thinks that I have "AllPermission". Even though I have commented out all references to "AllPermission" in the jspwiki.policy file (see below).

Not sure where to look next - stepping through hasAllPermission quickly takes me into the bowels of java.security classes.

Any ideas or things to check, or debugging to enable or watch?

Thanks much.
P

// $Id: jspwiki.policy,v 1.1 2006/09/28 19:32:44 prenagha Exp $
//
// This file contains the Java 2 security policy for JSPWiki.
// It provides the permissions rules for the JSPWiki
// environment, and should be suitable for most
// purposes.
//
// If you are running your servlet container with a security
// policy already, you should simply append the contents
// of this file to it. Otherwise, you can use this as a
// stand-alone policy, even without running a security manager.
//
// By default, JSPWiki will load this policy into your web
// container if it detects that no custom policies are being
// used. In most cases, this should work just fine.
//
// If you want to use your own policy file instead of this default file,
// you will need to specify the location of the policy by setting the
// JVM system property 'java.security.policy' in the command line script
// you use to start your web container. The file location should
// be the absolute path to the jspwiki.policy file. For example:
//
//   java -jar myservletcontainer.jar -Djava.security.policy=/path-to/jspwiki.policy
//
// Some servlet containers make this very easy by looking
// for an environment variable and automatically appending
// the contents to the 'java' command. For example, Tomcat
// users just need to set the CATALINA_OPTS variable:
//
//   export CATALINA_OPTS="-Djava.security.policy=/path-to/jspwiki.policy"
//
// In addition, it is typically good practice to store jspwiki.policy
// in the Tomcat config directory (CATALINA_HOME/conf).
//
//
// -----------------------------------------------------------
// And now, for the security policy
//
//
// JSPWiki signs its own JAR files so that the Java security policy knows how
// to resolve our custom Wiki/PagePermissions. The keystore is specified in the
// first line of the file, as shown below. If the path is not fully qualified,
// the JRE will assume it's in the same directory as this policy file.

keystore "jspwiki.jks";

// JSPWiki itself needs some basic privileges in order to operate.
// If you are running JSPWiki with a security manager, don't change these,
// because it will totally b0rk the system.

grant signedBy "jspwiki" {
    permission java.security.SecurityPermission "getPolicy";
    permission java.security.SecurityPermission "setPolicy";
    permission java.util.PropertyPermission "java.security.auth.login.config", "write";
    permission java.util.PropertyPermission "java.security.policy", "read,write";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
};

// Authenticated users can do most things: view, create, edit and
// comment on all pages; upload files to existing ones; create and edit
// wiki groups; and rename existing pages. Authenticated users can register
// with the wiki, edit their own profiles, and edit groups they create.

grant signedBy "jspwiki",
  principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "* ", "modify,rename";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "* ", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

// Administrators (principals or roles possessing AllPermission)
// are allowed to delete any page, and can edit, rename and delete
// groups. You should match the permission target (here, 'JSPWiki')
// with the value of the 'jspwiki.applicationName' property in
// jspwiki.properties. Two administrative groups are set up below:
// the wiki group "Admin" (stored by default in wiki page GroupAdmin)
// and the container role "Admin" (managed by the web container).

//grant signedBy "jspwiki",
//  principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
//    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "userwiki";
//};

//grant signedBy "jspwiki",
//  principal com.ecyrd.jspwiki.auth.authorize.Role "CUSTSVC" {
//    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "userwiki";
//};

// For web app code
grant codeBase "file:/home/prenagha/dev/userwiki/bin/run/config/userwiki/userwikiserver/.internal/-" {
    permission java.security.AllPermission;
};

grant codeBase "file:/home/prenagha/dev/userwiki/bin/run/config/userwiki/userwikiserver/.wlnotdelete/-" {
    permission java.security.AllPermission;
};

// Weblogic code
grant codeBase "file:/opt/java/bea/weblogic81/server/lib/-" {
    permission java.security.AllPermission;
};

grant codeBase "file:/opt/java/bea/weblogic81/server/ext/-" {
    permission java.security.AllPermission;
};

_______________________________________________
Jspwiki-users mailing list
Jspwiki-users ecyrd.com
http://ecyrd.com/cgi-bin/mailman/listinfo/jspwiki-users
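
An added example, not part of the original post or of JSPWiki: a small Python audit that strips the comments from a Java policy file shaped like the one above, lists the grant blocks that are still active, and flags any whose permission class is named AllPermission (JSPWiki's own class or java.security.AllPermission, which implies every other permission). The sample policy and its path are constructed placeholders.

```python
import re

# Constructed, shortened sample in the shape of the policy above (placeholder path).
SAMPLE_POLICY = r'''
keystore "jspwiki.jks";
grant signedBy "jspwiki" {
    permission java.security.SecurityPermission "getPolicy";
};
//grant signedBy "jspwiki",
//  principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
//    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "userwiki";
//};
grant codeBase "file:/path-to/webapp/-" {
    permission java.security.AllPermission;
};
'''

STR = r'"(?:\\.|[^"\\])*"'  # a double-quoted policy string

def strip_comments(text):
    """Remove /* */ and // comments but keep quoted strings (e.g. file:// URLs)."""
    pattern = re.compile(STR + r'|/\*.*?\*/|//[^\n]*', re.S)
    return pattern.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

# Braces inside quoted strings (such as "${java.home}") do not end the head or body.
GRANT_RE = re.compile(
    r'\bgrant\b(?P<head>(?:%s|[^{"])*)\{(?P<body>(?:%s|[^}"])*)\}' % (STR, STR),
    re.S | re.I)
PERM_RE = re.compile(r'\bpermission\s+([\w.$]+)')

def active_grants(policy_text):
    """One dict per uncommented grant block: its qualifiers and permission classes."""
    grants = []
    for m in GRANT_RE.finditer(strip_comments(policy_text)):
        head = " ".join(m.group("head").split())
        grants.append({"grantee": head or "(all code)",
                       "permissions": PERM_RE.findall(m.group("body"))})
    return grants

def all_permission_grants(policy_text):
    """Active grant blocks that hand out any class whose simple name is AllPermission."""
    return [g for g in active_grants(policy_text)
            if any(p.split(".")[-1] == "AllPermission" for p in g["permissions"])]

if __name__ == "__main__":
    for g in all_permission_grants(SAMPLE_POLICY):
        print(g["grantee"], "->", ", ".join(g["permissions"]))
```
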