Feature/JSPWIKI-1176 and others, fix for container based auth with roles

jspwiki-main/src/main/java/org/apache/wiki/WikiSession.java

@@ -41,6 +41,7 @@ Licensed to the Apache Software Foundation (ASF) under one
 import javax.security.auth.Subject;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpSession;
+import java.net.http.HttpRequest;
 import java.security.Principal;
 import java.util.Arrays;
 import java.util.HashSet;
@@ -220,8 +221,9 @@ public Principal[] getRoles() {
         roles.addAll( m_subject.getPrincipals( Role.class ) );
 
         // Add all the GroupPrincipals possessed by the Subject directly
-        roles.addAll( m_subject.getPrincipals( GroupPrincipal.class ) );
-
+        roles.addAll(m_subject.getPrincipals(GroupPrincipal.class));
+
+
         // Return a defensive copy
         final Principal[] roleArray = roles.toArray( new Principal[0] );
         Arrays.sort( roleArray, WikiPrincipal.COMPARATOR );
@@ -494,6 +496,17 @@ public static Session getWikiSession( final Engine engine, final HttpServletRequ
         // Attach reference to wiki engine
         wikiSession.m_engine = engine;
         wikiSession.m_cachedLocale = request.getLocale();
+
+        String v = engine.getWikiProperties().getProperty("jspwiki.role.extraRoles", null);
+        if (v != null) {
+            String[] extraRoles = v.split("\\,");
+            for (String s : extraRoles) {
+                if (request.isUserInRole(s)) {
+                    wikiSession.m_subject.getPrincipals().add(new GroupPrincipal(s));
+                }
+            }
+        }
+
         return wikiSession;
     }
 

jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultAuthenticationManager.java

@@ -416,12 +416,35 @@ private void injectAuthorizerRoles( final Session session, final Authorizer auth
             // If web authorizer, test the request.isInRole() method also
             } else if ( request != null && authorizer instanceof WebAuthorizer ) {
                 final WebAuthorizer wa = ( WebAuthorizer )authorizer;
+                addRoles( request, "jspwiki.role.admin", "Admin",session);
+                addRoles( request, "jspwiki.role.authenticated", "Authenticated",session);
+                addRoles( request, "jspwiki.role.extraRoles", null,session);
                 if ( wa.isUserInRole( request, role ) ) {
                     fireEvent( WikiSecurityEvent.PRINCIPAL_ADD, role, session, request );
                     LOG.debug( "Added container role {}.",role.getName() );
                 }
             }
         }
     }
+
+    private void addRoles(HttpServletRequest request, String configProp, String jspWikiRole, Session session) {
+        if (m_engine.getWikiProperties().containsKey(configProp)) {
+            String roles = m_engine.getWikiProperties().getProperty(configProp);
+            if (roles != null) {
+                String[] parts = roles.split("\\,");
+                for (String s : parts) {
+                    if (request.isUserInRole(s)) {
+                        WikiPrincipal wikiPrincipal = new WikiPrincipal(s);
+                        fireEvent( WikiSecurityEvent.PRINCIPAL_ADD, wikiPrincipal, session );
+                        if (jspWikiRole != null) {
+                            WikiPrincipal wikiPrincipal1 = new WikiPrincipal(jspWikiRole);
+                            fireEvent( WikiSecurityEvent.PRINCIPAL_ADD, wikiPrincipal1, session );
+                        }
+                    }
+                }
+            }
+
+        }
+    }
 
 }

jspwiki-main/src/main/resources/ini/jspwiki.properties

@@ -1137,6 +1137,19 @@ jspwiki.credentials.repeatingCharacters=1
 # when changing a password, at least this number of characters must be different
 jspwiki.credentials.minChanged=1
 
+# externally defined role mappings
+# added in v3.0.0
+# if your logins are backed by LDAP or some other external source you can map
+# external roles to internally defined JSP wiki groups/roles (or just use them as is)
+
+# jspwiki.role.admin=LdapAdministrators
+# jspwiki.role.authenticated=Authenticated
+
+# extra roles
+# if you need additional roles that are not defined in jspwiki's web.xml but are important
+# for page access controls, etc, you can attach them here, comma separated.
+# jspwiki.role.extraRoles=
+
 # Added in v3.0.0 Audit Logging alerting
 # true to enable the audit logger, false otherwise
 audit.enabled=true