Overview

JSPWiki decides whether to allow a Resource Action by consulting two sources of information:
- WIKI-ACLs (Page access control lists) - per-page markup defining access restrictions
- jspwiki.policy - a predefined set of privileges for each type of user
WIKI-Security Policy Hierarchy
To make it easy for users to quickly get productive, JSPWiki ships with a fairly loose default policy out of the box:
|Permission||Anonymous Users||Asserted Users||Authenticated Users||Admin group||Implied Permission|
|VIEW all pages||x||x||x||x|| |
|EDIT all pages||x||x||x||x||VIEW|
|UPLOAD attachments to all pages|| || ||x||x|| |
|MODIFY all pages|| || ||x||x||EDIT|
|COMMENT on all existing pages||x||x||x||x||VIEW|
|CREATE new pages||x||x||x||x|| |
|RENAME all pages|| || ||x||x||EDIT|
|DELETE all pages|| || || ||x||EDIT|
|VIEW all WIKI-Groups|| ||x||x||x|| |
|EDIT all WIKI-Groups|| || ||x||x|| |
|RENAME all WIKI-Groups|| || ||x||x|| |
|DELETE all WIKI-Groups|| || || ||x|| |
|CREATE new WIKI-Groups|| || ||x||x|| |
|EDIT user preferences|| || ||x||x|| |
These privileges are the defaults. For page actions such as viewing, editing, and commenting, they can be restricted further by adding WIKI-ACLs to particular pages. It is important to note that WIKI-ACLs cannot elevate privileges above those already granted by the WIKI-Security Policy: if the policy states that Anonymous users can read all pages but not edit them, an ACL on page Main that attempts to grant the Edit privilege to Anonymous will have no effect.
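The two-source decision just described, as an added model that is not JSPWiki's own code: the policy table above is the first source, the page ACL the second, and a request passes only if both agree. The ACL shape (`{action: roles}`, mirroring `[{ALLOW action roles}]` markup), the rule that an action the ACL never mentions is left to the policy, and the sample policy, page and roles are constructed assumptions.

```python
# Constructed model of JSPWiki's policy + ACL check; not the project's code.
PAGE_ACTIONS = {"VIEW", "EDIT", "UPLOAD", "MODIFY", "COMMENT", "CREATE", "RENAME", "DELETE"}

# Default WIKI-Security Policy from the table above: role -> directly granted page actions.
DEFAULT_POLICY = {
    "Anonymous":     {"VIEW", "EDIT", "COMMENT", "CREATE"},
    "Asserted":      {"VIEW", "EDIT", "COMMENT", "CREATE"},
    "Authenticated": {"VIEW", "EDIT", "UPLOAD", "MODIFY", "COMMENT", "CREATE", "RENAME"},
    "Admin":         PAGE_ACTIONS,
}

# "Implied Permission" column: holding the key also grants the value, transitively.
IMPLIES = {"EDIT": "VIEW", "COMMENT": "VIEW", "MODIFY": "EDIT", "RENAME": "EDIT", "DELETE": "EDIT"}


def expand(actions):
    """Close a set of actions under IMPLIES, so {DELETE} becomes {DELETE, EDIT, VIEW}."""
    closed, pending = set(actions), list(actions)
    while pending:
        implied = IMPLIES.get(pending.pop())
        if implied and implied not in closed:
            closed.add(implied)
            pending.append(implied)
    return closed


def policy_allows(policy, role, action):
    """Source 1: the WIKI-Security Policy, including implied permissions."""
    return action in expand(policy.get(role, set()))


def acl_allows(acl, role, action):
    """Source 2: the page ACL as {action: set(roles)}. Assumption: an action the ACL
    never mentions is unrestricted here; a mentioned one needs an entry for the role
    whose granted action is, or implies, the requested action."""
    if action not in acl:
        return True
    return any(role in roles and action in expand({granted}) for granted, roles in acl.items())


def is_allowed(role, action, acl=None, policy=DEFAULT_POLICY):
    """Both sources must agree, so an ACL can narrow the policy but never widen it."""
    return policy_allows(policy, role, action) and acl_allows(acl or {}, role, action)


def main_page_example():
    """The scenario from the text: a (constructed) policy lets Anonymous read but not
    edit, and an ACL on page Main tries to grant Anonymous the Edit privilege."""
    read_only_policy = {**DEFAULT_POLICY, "Anonymous": {"VIEW"}}
    main_acl = {"EDIT": {"Anonymous"}}
    return is_allowed("Anonymous", "EDIT", main_acl, read_only_policy)  # False
```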
JSPWiki uses the standard Java 2 security policy APIs under the covers, and default permissions are granted using standard security policy file syntax. When JSPWiki starts up, it loads the default policy file stored in WEB-INF/jspwiki.policy. This "local policy" is always read from WEB-INF/jspwiki.policy, and the local WIKI-Security Policy supplements the JVM-wide policy.
JSPWiki's default policy is suitable for a small team. It is probably too loose for a corporate intranet or public wiki.