Feature/JSPWIKI-1176 and others, fix for container based auth with roles #449
+51
−2
Covers the following issues
I have an IT test for this, but it does not align with the current "IT" module configuration (it needs a number of Tomcat conf changes, and that doesn't appear to be supported by the current setup).
The notes for testing/validating this...
To make container based authentication work, you need the following
jspwiki-custom.properties
jspwiki.loginModule.class = org.apache.wiki.auth.login.WebContainerLoginModule
And then in jspwiki/WEB-INF/web.xml
change the login configuration to whatever you need, HTTP_BASIC, HTTP_DIGEST or CLIENT-CERT, etc
or if you get your permissions/roles from elsewhere i.e. a servlet filter, reverse proxy/keycloak auth, etc, do what you need to do
AND you need at least one of the following
Option A - assuming your desired role names for the wiki admin and user roles/groups are different from the default.
And then in jspwiki/WEB-INF/web.xml
edit the roles for admin/authenticated users as needed to match your setup
AND
in jspwiki.policy
find and replace "Admin" and "Authenticated" with your desired role for admin level users or regular users
Option B - use the new aliasing mechanism
leave web.xml and the policy file as is (with regard to roles) and then alias the roles using the following (or alter as described above), then
edit jspwiki-custom.properties
jspwiki.role.admin=wikiadmin
jspwiki.role.authenticated=wikiuser
whereby wikiadmin is the group/role you want for admin users and wikiuser is the group/role you want for all authenticated users.
In addition, if you have extra roles defined somewhere that, for some reason, are not practical to put in web.xml, or maybe web.xml is read only, you can tell jspwiki about them via
jspwiki-custom.properties
jspwiki.role.extraRoles=role1,role2,
This use case is primarily for page level permissions enforcement... i.e.
[ALLOW edit role1]
[ALLOW view role1]
etc.
Whereby those roles aren't mentioned anywhere in the web.xml or policy file but are provided from outside of jspwiki (i.e. container based auth). Unfortunately I was unable to make this dynamic due to a number of technical issues, namely the design of internal APIs prohibits this.
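An added example, not part of the pull request or of JSPWiki's code: a small Python audit that reads the three properties described above, the `<security-role>` entries in web.xml, and a page's ACL lines, and reports ACL principals that are neither declared in web.xml nor listed in `jspwiki.role.extraRoles`. It assumes ACLs follow the `[ALLOW ...]` form quoted in the post (optionally with `{}` braces) and that a flagged name may still be a legitimate wiki user or group name; all sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# "Admin" and "Authenticated" are named in the post; the rest are JSPWiki's other built-in roles.
BUILT_IN = {"Admin", "Authenticated", "All", "Anonymous", "Asserted"}
# ACL form quoted in the post, with or without JSPWiki's {} plugin braces.
ACL_RE = re.compile(r"\[\{?\s*ALLOW\s+[\w,]+\s+([^\]}]+?)\s*\}?\]")

# Constructed sample inputs (not taken from the pull request).
PROPS = """jspwiki.role.admin=wikiadmin
jspwiki.role.authenticated = wikiuser
jspwiki.role.extraRoles=role1,role2,
"""
WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>Authenticated</role-name></security-role>
</web-app>"""
PAGE = "[ALLOW edit role1]\n[{ALLOW view role1, role3}]\n"

def parse_properties(text):
    # Minimal key=value parser; skips blank lines and # / ! comments.
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def declared_roles(web_xml):
    # Collect <security-role>/<role-name> values, ignoring the XML namespace.
    roles = set()
    for elem in ET.fromstring(web_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] == "security-role":
            roles.update(c.text.strip() for c in elem if c.tag.endswith("role-name") and c.text)
    return roles

def audit(props_text, web_xml, page_text):
    props = parse_properties(props_text)
    # The sample value in the post ends with a comma, so empty entries are dropped.
    extra = {r.strip() for r in props.get("jspwiki.role.extraRoles", "").split(",") if r.strip()}
    used = {p.strip() for m in ACL_RE.finditer(page_text) for p in m.group(1).split(",") if p.strip()}
    aliases = {k: props[k] for k in ("jspwiki.role.admin", "jspwiki.role.authenticated") if k in props}
    unknown = sorted(used - (BUILT_IN | declared_roles(web_xml) | extra))
    return {"aliases": aliases, "extra_roles": sorted(extra), "unknown_acl_principals": unknown}

if __name__ == "__main__":
    print(audit(PROPS, WEB_XML, PAGE))
```

Since the post notes that extra roles cannot be discovered dynamically, a check like this is worth running whenever page ACLs or the container's role set change.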