From 5423cb6c0305d7fd7cf47105ccb4a3962f2df0c6 Mon Sep 17 00:00:00 2001
From: Alex O'Ree
Date: Wed, 26 Nov 2025 10:28:09 -0500
Subject: [PATCH 1/2] JSPWIKI-1176 potential fix JSPWIKI-1249 potential fix JSPWIKI-841 potential fix
---
 .../java/org/apache/wiki/WikiSession.java | 26 +++++++++++++++++--
 .../auth/DefaultAuthenticationManager.java | 23 ++++++++++++++++
 .../src/main/resources/ini/jspwiki.properties | 12 +++++++++
 3 files changed, 59 insertions(+), 2 deletions(-)
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/WikiSession.java b/jspwiki-main/src/main/java/org/apache/wiki/WikiSession.java
index d14fe3de5b..55bdc8d29b 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/WikiSession.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/WikiSession.java
@@ -41,6 +41,7 @@ Licensed to the Apache Software Foundation (ASF) under one
 import javax.security.auth.Subject;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpSession;
+import java.net.http.HttpRequest;
 import java.security.Principal;
 import java.util.Arrays;
 import java.util.HashSet;
@@ -220,8 +221,18 @@ public Principal[] getRoles() {
 roles.addAll( m_subject.getPrincipals( Role.class ) );
 // Add all the GroupPrincipals possessed by the Subject directly
- roles.addAll( m_subject.getPrincipals( GroupPrincipal.class ) );
-
+ roles.addAll(m_subject.getPrincipals(GroupPrincipal.class));
+ if (httpSesssion != null) {
+ String v = m_engine.getWikiProperties().getProperty("jspwiki.role.extraRoles", null);
+ if (v != null) {
+ String[] extraRoles = v.split("\\,");
+ for (String s : extraRoles) {
+ if (httpSesssion.isUserInRole(s)) {
+ roles.add(new GroupPrincipal(s));
+ }
+ }
+ }
+ }
 // Return a defensive copy
 final Principal[] roleArray = roles.toArray( new Principal[0] );
 Arrays.sort( roleArray, WikiPrincipal.COMPARATOR );
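Review bot: `import java.net.http.HttpRequest;` in the WikiSession.java import hunk is not referenced by anything visible in this series — the request-context code added further down takes `jakarta.servlet.http.HttpServletRequest`, which was already imported — and the second patch, which removes that request-context code again, leaves this import in place. `java.net.http.HttpRequest` is the JDK HTTP client's request type and has nothing to do with the servlet request, so the stray import is misleading as well as apparently dead; drop the line unless some part of the file outside the hunks uses it. The import hunk is complete; the getRoles() hunk that shares this line ends inside the method and is reversed by the second patch, so it is not reviewed separately.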
@@ -570,5 +581,16 @@ public static Principal[] userPrincipals( final Engine engine ) {
 final SessionMonitor monitor = SessionMonitor.getInstance( engine );
 return monitor.userPrincipals();
 }
+ private HttpServletRequest httpSesssion = null;
+
+
+ @Override
+ public void setHttpRequestContext(HttpServletRequest session) {
+ this.httpSesssion = session;
+ }
+ @Override
+ public HttpServletRequest getHttpRequestContext() {
+ return httpSesssion;
+ }
 }
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultAuthenticationManager.java b/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultAuthenticationManager.java
index 2f11117fd8..69f1d9851e 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultAuthenticationManager.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultAuthenticationManager.java
@@ -413,6 +413,9 @@ private void injectAuthorizerRoles( final Session session, final Authorizer auth
 // If web authorizer, test the request.isInRole() method also
 } else if ( request != null && authorizer instanceof WebAuthorizer ) {
 final WebAuthorizer wa = ( WebAuthorizer )authorizer;
+ addRoles( request, "jspwiki.role.admin", "Admin",session);
+ addRoles( request, "jspwiki.role.authenticated", "Authenticated",session);
+ addRoles( request, "jspwiki.role.extraRoles", null,session);
 if ( wa.isUserInRole( request, role ) ) {
 fireEvent( WikiSecurityEvent.PRINCIPAL_ADD, role, session, request );
 LOG.debug( "Added container role {}.",role.getName() );
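Review bot: The three `addRoles(...)` calls in the DefaultAuthenticationManager hunk sit directly beside the per-role `wa.isUserInRole( request, role )` check, which reads as the body of a loop over the authorizer's roles (the loop header is above the hunk, so this is inferred); if that is the case, each call re-reads the property and re-fires `PRINCIPAL_ADD` once per container role instead of once per request. Hoist the three calls out of the loop that yields `role`, so the mapping is evaluated once and the number of principal-add events does not scale with the role count. Note also that the existing branch fires `fireEvent( WikiSecurityEvent.PRINCIPAL_ADD, role, session, request )` with the request, while addRoles fires the three-argument form; if listeners such as the audit logger take the request from that event, the new events lose that context. injectAuthorizerRoles() starts outside the hunk; the WikiSession hunk sharing this line is reversed by the second patch and is not reviewed separately.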
@@ -420,5 +423,25 @@ private void injectAuthorizerRoles( final Session session, final Authorizer auth
 }
 }
 }
+
+ private void addRoles(HttpServletRequest request, String configProp, String jspWikiRole, Session session) {
+ if (m_engine.getWikiProperties().containsKey(configProp)) {
+ String roles = m_engine.getWikiProperties().getProperty(configProp);
+ if (roles != null) {
+ String[] parts = roles.split("\\,");
+ for (String s : parts) {
+ if (request.isUserInRole(s)) {
+ WikiPrincipal wikiPrincipal = new WikiPrincipal(s);
+ fireEvent( WikiSecurityEvent.PRINCIPAL_ADD, wikiPrincipal, session );
+ if (jspWikiRole != null) {
+ WikiPrincipal wikiPrincipal1 = new WikiPrincipal(jspWikiRole);
+ fireEvent( WikiSecurityEvent.PRINCIPAL_ADD, wikiPrincipal1, session );
+ }
+ }
+ }
+ }
+
+ }
+ }
 }
diff --git a/jspwiki-main/src/main/resources/ini/jspwiki.properties b/jspwiki-main/src/main/resources/ini/jspwiki.properties
index 1f668dd33d..7bdb83c713 100644
--- a/jspwiki-main/src/main/resources/ini/jspwiki.properties
+++ b/jspwiki-main/src/main/resources/ini/jspwiki.properties
@@ -1135,6 +1135,18 @@ jspwiki.credentials.minSymbols=1
 # i.e. 1 with "password" is ok but "passsword" is not
 jspwiki.credentials.repeatingCharacters=1
+# externally defined role mappings
+# added in v3.0.0
+# if your logins are backed by LDAP or some other external source you can map
+# external roles to internally defined JSP wiki groups/roles (or just use them as is)
+ # jspwiki.role.admin=LdapAdministrators
+ # jspwiki.role.authenticated=Authenticated
+
+ # extra roles
+ # if you need additional roles that are not defined in jspwiki's web.xml but are important
+ # for page access controls, etc, you can attach them here, comma separated.
+ # jspwiki.role.extraRoles=
 # Added in v3.0.0 Audit Logging alerting
 # true to enable the audit logger, false otherwise
From 3498eda383aeb735f0a4d51daf9619f40d263bfa Mon Sep 17 00:00:00 2001
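Review bot: `roles.split("\\,")` in addRoles hands every raw piece to `request.isUserInRole(s)`, so a value written as `LdapAdministrators, Editors` tests `" Editors"` (which never matches), and an empty value — the shape the new `# jspwiki.role.extraRoles=` example in jspwiki.properties takes once uncommented — yields a single `""` entry that is still looked up and, if the container ever answers true for it, turned into a principal with an empty name. Trim and skip blanks: `String[] parts = roles.strip().split("\\s*,\\s*");` and `if (s.isEmpty()) continue;` as the first statement of the loop. The same split-without-trim is repeated in the getWikiSession() change of the second patch in this series and should get the same treatment. Separately, if `getWikiProperties()` returns a `java.util.Properties` built with defaults, `containsKey` does not consult the defaults while `getProperty` does, so the outer check can hide a defaulted value; `getProperty(configProp)` followed by the existing null check is sufficient on its own.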
From: Alex O'Ree
Date: Wed, 26 Nov 2025 11:00:13 -0500
Subject: [PATCH 2/2] JSPWIKI-1176 potential fix JSPWIKI-1249 potential fix JSPWIKI-841 potential fix
---
 .../java/org/apache/wiki/WikiSession.java | 35 +++++++------------
 1 file changed, 13 insertions(+), 22 deletions(-)
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/WikiSession.java b/jspwiki-main/src/main/java/org/apache/wiki/WikiSession.java
index 55bdc8d29b..c409461180 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/WikiSession.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/WikiSession.java
@@ -222,17 +222,8 @@ public Principal[] getRoles() {
 // Add all the GroupPrincipals possessed by the Subject directly
 roles.addAll(m_subject.getPrincipals(GroupPrincipal.class));
- if (httpSesssion != null) {
- String v = m_engine.getWikiProperties().getProperty("jspwiki.role.extraRoles", null);
- if (v != null) {
- String[] extraRoles = v.split("\\,");
- for (String s : extraRoles) {
- if (httpSesssion.isUserInRole(s)) {
- roles.add(new GroupPrincipal(s));
- }
- }
- }
- }
+
+
 // Return a defensive copy
 final Principal[] roleArray = roles.toArray( new Principal[0] );
 Arrays.sort( roleArray, WikiPrincipal.COMPARATOR );
@@ -505,6 +496,17 @@ public static Session getWikiSession( final Engine engine, final HttpServletRequ
 // Attach reference to wiki engine
 wikiSession.m_engine = engine;
 wikiSession.m_cachedLocale = request.getLocale();
+
+ String v = engine.getWikiProperties().getProperty("jspwiki.role.extraRoles", null);
+ if (v != null) {
+ String[] extraRoles = v.split("\\,");
+ for (String s : extraRoles) {
+ if (request.isUserInRole(s)) {
+ wikiSession.m_subject.getPrincipals().add(new GroupPrincipal(s));
+ }
+ }
+ }
+
 return wikiSession;
 }
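Review bot: `wikiSession.m_subject.getPrincipals().add(new GroupPrincipal(s))` in the getWikiSession() hunk writes into the Subject of the session object being returned, which the surrounding code (SessionMonitor, the `m_engine` attach) suggests is cached and handed back on later requests; nothing in the series ever removes such a GroupPrincipal, so a container role observed once stays on the wiki session for its whole lifetime even after `request.isUserInRole(s)` stops returning true. The first patch evaluated the same mapping on the fly inside getRoles() and did not have that stickiness, so either return to evaluating it at read time, or clear the GroupPrincipals previously granted from `jspwiki.role.extraRoles` before re-adding them, and state in a comment which of the two is intended. Adding to the set returned by `Subject.getPrincipals()` also throws `IllegalStateException` once the Subject has been made read-only, which the new code does not guard against — confirm how `m_subject` is constructed. The same property is turned into `WikiPrincipal` objects by DefaultAuthenticationManager.addRoles in the first patch but into `GroupPrincipal` objects here; if permission evaluation distinguishes the two types, one of the mappings will not match the ACL entry an administrator expects, so settle on a single principal type for it. getWikiSession() starts above the hunk, and the getRoles() hunk sharing this line is a pure reversal of the first patch.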
@@ -581,16 +583,5 @@ public static Principal[] userPrincipals( final Engine engine ) {
 final SessionMonitor monitor = SessionMonitor.getInstance( engine );
 return monitor.userPrincipals();
 }
- private HttpServletRequest httpSesssion = null;
-
-
- @Override
- public void setHttpRequestContext(HttpServletRequest session) {
- this.httpSesssion = session;
- }
- @Override
- public HttpServletRequest getHttpRequestContext() {
- return httpSesssion;
- }
 }