JSPWIKI.POLICY
Back to current versionRestore this version

This file contains the local security policy for JSPWiki and is located in the WEB-INF directory for the wiki instance. It provides the permissions rules for the JSPWiki environment, and should be suitable for most purposes. JSPWiki will load this policy when the wiki webapp starts. Policies are defined in blocks. Lines may be commented out by placing two slashes {//) in front of the line. The JSPWiki engine will control and recall settings by the use of cookies on the client computer.

Wiki Security is primarily Role-based, although elements may be defined by User. In addition, Wiki Groups may be defined to provide additional role type security.

As with all aspects of the Wiki, the names are case-sensitive. Definition of users, groups, and the user-group relationship is handled through Wiki pages. The permissions that these users, roles and groups have are defined in this file on the server by an administrator.

ROLES and GROUPS#

There are four "Roles" that are created automatically by the Wiki engine, and can be used to control access to the Wiki content:
Authenticated
A user who has signed in, and is authenticated by way of a cookie.
Asserted
A user who had previously signed in (noted by the presence of the cookie, but the session has expired.
Anonymous
Any user who is unknown, as there are no cookies on the client computer
All
The "All" role is special; it means "anybody, regardless of authentication status."

In addition, the Wiki allows users to create groups, which can be used to provide security, for those users who are part of each group. The Wiki is distributed with three groups:

Admin
Users who are associated to this group are given full capability against the wiki
Editor
Users who are associated here have full access to create and edit pages in the wiki
Employee
Users who are associated here may only have access to pages whose name starts with the string "Internal."

PERMISSIONS#

Permissions are of four types:

WIKI PERMISSIONS:#

login
The ability to log in as a wiki user
editProfile
The ability change your profile
editPreferences
The ability to set or update your preferences
createPages
createGroups
implies createPages as well

PAGE PERMISSIONS:#

view
see the page
comment
add a comment to the page (includes VIEW)
edit
edit page (includes COMMENT)
upload
Upload attachments
modify
includes UPLOAD and EDIT
rename
allows rename of page, includes UPLOAD
delete
allows delete of page, includes MODIFY (not RENAME though)

GROUP PERMISSIONS:#

view
edit
implies view
delete
implies edit and view

ALL PERMISSION#

AllPermission
implies full capability for group, Wiki and Page and no further validation is made

POLICY BLOCKS#

Below is the policy file, modified as used in this Wiki, with discussion on each block of permissions

Authorize.Role "All"#

// ****    ALL USERS    ****
// All users can view all pages, can sign in, and edit preferences and profile

grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

Authorize.Role "Anonymous"#

// **** ANONYMOUS USERS ****
// Anonymous users (not logged in, and no cookie to assert who they are) get no additional privileges

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
};

Authorize.Role "Asserted"#

// **** ASSERTED USERS ****
// People who have a cookie, but have not logged in can also view the groups that they are part of

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
};

Authorize.Role "Authenticated"#

// ****    AUTHENTICATE USERS     ****
// People who have actually logged in, can view the groups they are part of.  All editing capabilities
// are defined at the group level - so nothing here by default.

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
};

authorize.Role "Admin" / GroupPrincipal "Admin"#

// ****    ADMINISTRATORS    ****
// People with the Group Admin have full permission on everything and can also edit/manipulate all groups

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};

grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "edit";
};

auth.GroupPrincipal "Editor"#

// ****    EDITORS    ****
//  People in the group Editor have full abilities on Pages and the ability to create pages in the wiki

grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Editor" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename,delete";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
};

auth.GroupPrincipal "Employee"#

// ****    EMPLOYEE    ****
// People in the group Employee have edit & comment abilities on Pages whose title starts with "Internal"
grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Employee" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Internal.*", "edit";
};
Note that those users who are tied to the Wiki Group '"Employee are able to edit pages, but only those that start with the word "Internal." in the title.

Screen captures are meant to be indicative of the concept being presented and may not reflect the current screen design.
If you have any comments or questions please email the Wiki Editor

All content © High Line Corporation