This file contains the local security policy for JSPWiki and is located in the WEB-INF directory for the wiki instance. It provides the permissions rules for the JSPWiki environment, and should be suitable for most purposes. JSPWiki will load this policy when the wiki webapp starts. Policies are defined in blocks. Lines may be commented out by placing two slashes {//) in front of the line. The JSPWiki engine will control and recall settings by the use of cookies on the client computer.
Wiki Security is primarily Role-based, although elements may be defined by User. In addition, Wiki Groups may be defined to provide additional role type security.
As with all aspects of the Wiki, the names are case-sensitive. Definition of users, groups, and the user-group relationship is handled through Wiki pages. The permissions that these users, roles and groups have are defined in this file on the server by an administrator.
ROLES and GROUPS#
There are four "Roles" that are created automatically by the Wiki engine, and can be used to control access to the Wiki content:- Authenticated
- A user who has signed in, and is authenticated by way of a cookie.
- Asserted
- A user who had previously signed in (noted by the presence of the cookie, but the session has expired.
- Anonymous
- Any user who is unknown, as there are no cookies on the client computer
- All
- The "All" role is special; it means "anybody, regardless of authentication status."
In addition, the Wiki allows users to create groups, which can be used to provide security, for those users who are part of each group. The Wiki is distributed with three groups:
- Admin
- Users who are associated to this group are given full capability against the wiki
- Editor
- Users who are associated here have full access to create and edit pages in the wiki
- Employee
- Users who are associated here may only have access to pages whose name starts with the string "Internal."
PERMISSIONS#
Permissions are of four types:- Wiki Permissions: Abstractly, this controls the permissions that the use might have for the whole wiki
- Page Permissions: This set of permissions allows control to all, or subsets of pages
- Group Permissions: This set op permissions controls what a user may do with regard to groups
- All Permission: This permission grants full access to the wiki, and is usually reserved for the administrator
WIKI PERMISSIONS:#
- login
- The ability to log in as a wiki user
- editProfile
- The ability change your profile
- editPreferences
- The ability to set or update your preferences
- createPages
- createGroups
- implies createPages as well
PAGE PERMISSIONS:#
- view
- see the page
- comment
- add a comment to the page (includes VIEW)
- edit
- edit page (includes COMMENT)
- upload
- Upload attachments
- modify
- includes UPLOAD and EDIT
- rename
- allows rename of page, includes UPLOAD
- delete
- allows delete of page, includes MODIFY (not RENAME though)
GROUP PERMISSIONS:#
- view
- edit
- implies view
- delete
- implies edit and view
ALL PERMISSION#
- AllPermission
- implies full capability for group, Wiki and Page and no further validation is made
POLICY BLOCKS#
Below is the policy file, modified as used in this Wiki, with discussion on each block of permissionsAuthorize.Role "All"#
// **** ALL USERS ****
// All users can view all pages, can sign in, and edit preferences and profile
grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};
Authorize.Role "Anonymous"#
// **** ANONYMOUS USERS ****
// Anonymous users (not logged in, and no cookie to assert who they are) get no additional privileges
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
};
Authorize.Role "Asserted"#
// **** ASSERTED USERS ****
// People who have a cookie, but have not logged in chave no additional capabilities, either
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
};
Authorize.Role "Authenticated"#
// **** AUTHENTICATE USERS ****
// People who have actually logged in, can edit and create pages that begin with "Internal."
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Internal.*", "edit";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
};
authorize.Role "Admin" / GroupPrincipal "Admin"#
// **** ADMINISTRATORS ****
// People with the Group Admin have full permission on everything and can also edit/manipulate all groups
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "edit";
};
