JSPWIKI.POLICY

This file contains the local security policy for JSPWiki and is located in the WEB-INF directory for the wiki instance. It provides the permissions rules for the JSPWiki environment, and should be suitable for most purposes. JSPWiki will load this policy when the wiki webapp starts. Policies are defined in blocks. Lines may be commented out by placing two slashes {//) in front of the line. The JSPWiki engine will control and recall settings by the use of cookies on the client computer.

Wiki Security is primarily Role-based, although elements may be defined by User. In addition, Wiki Groups may be defined to provide additional role type security.

As with all aspects of the Wiki, the names are case-sensitive. Definition of users, groups, and the user-group relationship is handled through Wiki pages. The permissions that these users, roles and groups have are defined in this file on the server by an administrator.

ROLES and GROUPS#

There are four "Roles" that are created automatically by the Wiki engine, and can be used to control access to the Wiki content:
Authenticated
A user who has signed in, and is authenticated by way of a cookie.
Asserted
A user who had previously signed in (noted by the presence of the cookie, but the session has expired.
Anonymous
Any user who is unknown, as there are no cookies on the client computer
All
The "All" role is special; it means "anybody, regardless of authentication status."

In addition, the Wiki allows users to create groups, which can be used to provide security, for those users who are part of each group. The Wiki is distributed with three groups:

Admin
Users who are associated to this group are given full capability against the wiki
Editor
Users who are associated here have full access to create and edit pages in the wiki
Employee
Users who are associated here may only have access to pages whose name starts with the string "Internal."

PERMISSIONS#

Permissions are of four types:

WIKI PERMISSIONS:#

login
The ability to log in as a wiki user
editProfile
The ability change your profile
editPreferences
The ability to set or update your preferences
createPages
createGroups
implies createPages as well

PAGE PERMISSIONS:#

view
see the page
comment
add a comment to the page (includes VIEW)
edit
edit page (includes COMMENT)
upload
Upload attachments
modify
includes UPLOAD and EDIT
rename
allows rename of page, includes UPLOAD
delete
allows delete of page, includes MODIFY (not RENAME though)

GROUP PERMISSIONS:#

view
edit
implies view
delete
implies edit and view

ALL PERMISSION#

AllPermission
implies full capability for group, Wiki and Page and no further validation is made

POLICY BLOCKS#

Below is the policy file, modified as used in this Wiki, with discussion on each block of permissions

Authorize.Role "All"#

// ****    ALL USERS    ****
// All users can view all pages, can sign in, and edit preferences and profile

grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

Authorize.Role "Anonymous"#

// **** ANONYMOUS USERS ****
// Anonymous users (not logged in, and no cookie to assert who they are) get no additional privileges

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
};

Authorize.Role "Asserted"#

// **** ASSERTED USERS ****
// People who have a cookie, but have not logged in chave no additional capabilities, either

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
};

Authorize.Role "Authenticated"#

// ****    AUTHENTICATE USERS     ****
// People who have actually logged in, can edit and create pages that begin with "Internal."

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
	permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Internal.*", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
};

authorize.Role "Admin" / GroupPrincipal "Admin"#

// ****    ADMINISTRATORS    ****
// People with the Group Admin have full permission on everything and can also edit/manipulate all groups

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};

grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "edit";
};


Notes#

Click to create a new notes page