This file contains the local security policy for JSPWiki and is located in the WEB-INF directory for the wiki instance.  It provides the permissions rules for the JSPWiki environment, and should be suitable for most purposes. JSPWiki will load this policy when the wiki webapp starts.  Policies are defined in blocks.  Lines may be commented out by placing two slashes {//) in front of the line.  The JSPWiki engine will control and recall settings by the use of [cookies|WIKI.COOKIES] on the client computer.

Wiki Security is primarily Role-based, although elements may be defined by User.  In addition, Wiki Groups may be defined to provide additional role type security.

As with all aspects of the Wiki, the names are case-sensitive.  Definition of users, groups, and the user-group relationship is handled through Wiki pages.   The permissions that these users, roles and groups have are defined in this file on the server by an administrator.

!!ROLES and GROUPS
There are four "Roles" that are created automatically by the Wiki engine, and can be used to control access to the Wiki content:
;Authenticated: A user who has signed in, and is authenticated by way of a [cookie|WIKI.COOKIES].
;Asserted: A user who had previously signed in (noted by the presence of the [cookie|WIKI.COOKIES], but the session has expired.
;Anonymous: Any user who is unknown, as there are no [cookies|WIKI.COOKIES] on the client computer
;All: The "All" role is special; it means "anybody, regardless of authentication status."  

In addition, the Wiki allows users to create groups, which can be used to provide security, for those users who are part of each group.  The Wiki is distributed with three groups:
;Admin:  Users who are associated to this group are given full capability against the wiki
;Editor: Users who are associated here have full access to create and edit pages in the wiki
;Employee: Users who are associated here may only have access to pages whose name starts with the string "Internal."

!!PERMISSIONS
Permissions are of four types:
* Wiki Permissions: Abstractly, this controls the permissions that the use might have for the whole wiki
* Page Permissions: This set of permissions allows control to all, or subsets of pages
* Group Permissions: This set op permissions controls what a user may do with regard to groups
* All Permission: This permission grants full access to the wiki, and is usually reserved for the administrator


!WIKI PERMISSIONS:
;login: The ability to log in as a wiki user
;editProfile: The ability change your profile 
;editPreferences: The ability to set or update your preferences
;createPages:
;createGroups: implies createPages as well

!PAGE PERMISSIONS:
;view: see the page
;comment: add a comment to the page (includes VIEW)
;edit: edit page (includes COMMENT)
;upload: Upload attachments
;modify: includes UPLOAD and EDIT
;rename: allows rename of page, includes UPLOAD
;delete: allows delete of page, includes MODIFY (not RENAME though) 

!GROUP PERMISSIONS:
;view     :
;edit     : implies view
;delete   : implies edit and view

!ALL PERMISSION
;AllPermission : implies full capability for group, Wiki and Page and no further validation is made


!!POLICY BLOCKS
Below is the policy file, modified as used in this Wiki, with discussion on each block of permissions

!Authorize.Role "All"
{{{
// ****    ALL USERS    ****
// All users can view all pages, can sign in, and edit preferences and profile

grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};
}}}

!Authorize.Role "Anonymous"
{{{
// **** ANONYMOUS USERS ****
// Anonymous users (not logged in, and no cookie to assert who they are) get no additional privileges

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
};
}}}

!Authorize.Role "Asserted"
{{{
// **** ASSERTED USERS ****
// People who have a cookie, but have not logged in can also view the groups that they are part of

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
};
}}}

!Authorize.Role "Authenticated"
{{{
// ****    AUTHENTICATE USERS     ****
// People who have actually logged in, can view the groups they are part of.  All editing capabilities
// are defined at the group level - so nothing here by default.

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
};
}}}

!authorize.Role "Admin" / GroupPrincipal "Admin"
{{{
// ****    ADMINISTRATORS    ****
// People with the Group Admin have full permission on everything and can also edit/manipulate all groups

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};

grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "edit";
};
}}}

!auth.GroupPrincipal "Editor"
{{{
// ****    EDITORS    ****
//  People in the group Editor have full abilities on Pages and the ability to create pages in the wiki

grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Editor" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename,delete";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
};
}}}

!auth.GroupPrincipal "Employee"
{{{
// ****    EMPLOYEE    ****
// People in the group Employee have edit & comment abilities on Pages whose title starts with "Internal"
grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Employee" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Internal.*", "edit";
};
}}}
Note that those users who are tied to the Wiki Group '"Employee'' are able to edit pages, but only those that start with the word "Internal." in the title.

[{If var='loginstatus' contains 'authenticated'

----
![Discussion|Edit:Internal.JSPWIKI.POLICY]
[{InsertPage page='Internal.JSPWIKI.POLICY' default='Click to create a new discussion page'}]

}]