WIKI-Security Policy


JSPWiki decides whether to allow a Resource Action by consulting two sources of information:
  • WIKI-ACLs (Page access control lists) - per-page markup defining access restrictions
  • jspwiki.policy - a predefined set of privileges for each type of user

WIKI-Security Policy Hierarchy#


To make it easy for users to quickly get productive, JSPWiki ships with a fairly loose default policy out of the box:

Permission                      | Anonymous users | Asserted users | Authenticated users | Admin group | Implied permission
VIEW all pages                  | x               | x              | x                   | x           |
EDIT all pages                  | x               | x              | x                   | x           | VIEW
UPLOAD attachments to all pages |                 |                | x                   | x           |
MODIFY all pages                |                 |                | x                   | x           | EDIT
COMMENT on all existing pages   | x               | x              | x                   | x           | VIEW
CREATE new pages                | x               | x              | x                   | x           |
RENAME all pages                |                 |                | x                   | x           | EDIT
DELETE all pages                |                 |                |                     | x           | EDIT
VIEW all WIKI-Groups            |                 | x              | x                   | x           |
EDIT all WIKI-Groups            |                 |                | x                   | x           |
RENAME all WIKI-Groups          |                 |                | x                   | x           |
DELETE all WIKI-Groups          |                 |                |                     | x           |
CREATE new WIKI-Groups          |                 |                | x                   | x           |
CREATE WIKI-Profile             | x               | x              | x                   | x           |
EDIT user preferences           |                 |                | x                   | x           |
EDIT WIKI-Profile               |                 |                | x                   | x           |

These privileges are the defaults. For page actions such as viewing, editing, and commenting, they can be restricted further by adding a WIKI-ACL to a particular page. Note that a WIKI-ACL can only narrow access; it cannot elevate privileges above those already granted by the WIKI-Security Policy. For example, if the policy states that Anonymous users can read all pages (but not edit them), an ACL on page Main that attempts to grant the Edit privilege to Anonymous has no effect: the policy is consulted as well, and it refuses.
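The two-source decision described above, as an added example that is not JSPWiki's own code: a small Python model in which the jspwiki.policy grants (transcribed from the default-policy table, page actions only) set the ceiling and a page ACL can only narrow access. The ACL parser recognises the [{ALLOW action principals}] page markup but is a constructed simplification (DENY entries, users holding several roles, and the group and wiki permissions are left out), and INTRANET_POLICY is a hypothetical tightened policy for the example, not a JSPWiki default.

```python
import re

# Implied permissions listed in the default-policy table: holding the key also grants the value.
IMPLIED = {
    "edit": "view",
    "modify": "edit",
    "comment": "view",
    "rename": "edit",
    "delete": "edit",
}

# Page-action grants per role, transcribed from the default-policy table (not the real file).
DEFAULT_POLICY = {
    "Anonymous": {"view", "edit", "comment", "createPages"},
    "Asserted": {"view", "edit", "comment", "createPages"},
    "Authenticated": {"view", "edit", "comment", "createPages", "upload", "modify", "rename"},
    "Admin": {"view", "edit", "comment", "createPages", "upload", "modify", "rename", "delete"},
}

# Hypothetical tightened policy of the kind an intranet would use (constructed for this
# example): anonymous and asserted visitors may only read, everything else needs a login.
INTRANET_POLICY = dict(DEFAULT_POLICY, Anonymous={"view"}, Asserted={"view"})

# Matches the [{ALLOW <action> <principal>, <principal>}] markup JSPWiki uses for page ACLs.
ACL_ENTRY = re.compile(r"\[\{\s*ALLOW\s+(\w+)\s+([^}]+)\}\]", re.IGNORECASE)


def expand(perms):
    """Close a permission set under the implication chain, e.g. modify -> edit -> view."""
    out = set(perms)
    frontier = list(out)
    while frontier:
        implied = IMPLIED.get(frontier.pop())
        if implied and implied not in out:
            out.add(implied)
            frontier.append(implied)
    return out


def parse_acl(page_text):
    """Collect ALLOW entries from page markup as {action: set(principals)}.

    Only ALLOW is modelled; a real JSPWiki ACL may also carry other verbs.
    """
    acl = {}
    for action, principals in ACL_ENTRY.findall(page_text):
        names = {p.strip() for p in principals.split(",") if p.strip()}
        acl.setdefault(action.lower(), set()).update(names)
    return acl


def is_allowed(action, role, user, page_text, policy=DEFAULT_POLICY):
    """Decide a page action the way the page describes it.

    The policy must grant the action to the role, and if the page ACL carries
    an entry for that action the user (or the role) must be listed in it. An
    ACL entry can never turn a policy refusal into a grant.
    """
    action = action.lower()
    if action not in expand(policy.get(role, set())):
        return False  # policy is the ceiling: refused before the ACL is even read
    acl = parse_acl(page_text)
    if action not in acl:
        return True  # ACL silent on this action: the policy grant stands
    return user in acl[action] or role in acl[action]


if __name__ == "__main__":
    # Constructed page: an ACL that tries to hand Edit to the Anonymous role.
    main_page = "[{ALLOW edit Anonymous}]\n!Welcome"
    print(is_allowed("edit", "Anonymous", "anon", main_page))                   # default policy allows it
    print(is_allowed("edit", "Anonymous", "anon", main_page, INTRANET_POLICY))  # policy ceiling wins
```

The ordering of the two checks in is_allowed is the whole point: with the default policy the ACL on Main is redundant, and with the tightened policy it is ignored, so there is no policy under which that ACL line grants anything the policy did not already allow. When locking down a public wiki, change the policy first and use ACLs only to subtract.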

JSPWiki uses the standard Java 2 security policy APIs under the covers, and default permissions are granted using the standard Java policy-file syntax. When JSPWiki starts up, it loads the local policy from WEB-INF/jspwiki.policy; this file is always read from that location. The local WIKI-Security Policy supplements the JVM-wide policy rather than replacing it, so grants in either file remain in force.
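What a grant block in WEB-INF/jspwiki.policy looks like, as an added example rather than the project's shipped file: the loose default for Anonymous beside a tightened version of the kind an intranet would want. The class names are those of Apache JSPWiki (org.apache.wiki.*); releases before the move to Apache used com.ecyrd.jspwiki.*, and the "*:Public*" page-prefix target is an assumption about wildcard support in PagePermission that should be checked against the documentation of the version in use.

```java
// Added example, not the jspwiki.policy that ships with JSPWiki.
// Syntax is the standard java.security.Policy grant syntax the local policy file uses.
// Target "*:*" means any page in any wiki; actions are comma-separated.

// Loose default: anonymous visitors may view and edit every page.
grant signedBy "jspwiki",
      principal org.apache.wiki.auth.authorize.Role "Anonymous" {
    permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view,edit";
    permission org.apache.wiki.auth.permissions.WikiPermission "*", "createPages";
};

// Tightened for an intranet: anonymous visitors may only view, and only pages whose
// name starts with "Public" (prefix wildcard assumed; verify for your version).
// No "edit" and no "createPages" here, so a page ACL cannot hand those back.
grant signedBy "jspwiki",
      principal org.apache.wiki.auth.authorize.Role "Anonymous" {
    permission org.apache.wiki.auth.permissions.PagePermission "*:Public*", "view";
};

// Editing and page creation are reserved for users who have logged in.
grant signedBy "jspwiki",
      principal org.apache.wiki.auth.authorize.Role "Authenticated" {
    permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view,edit";
    permission org.apache.wiki.auth.permissions.WikiPermission "*", "createPages";
};
```

After editing the file, restart the web application and then verify from a browser session that is not logged in that Edit is refused on a page that has no ACL at all. Because ACLs can only subtract, a policy that still grants Anonymous "edit" cannot be repaired page by page; the grant has to come out of the policy.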

JSPWiki's default policy is suitable for a small team of trusted users. It is probably too loose for a corporate intranet or a public wiki, where anonymous editing and page creation should be removed from the policy itself rather than restricted page by page.

More Information#

There might be more information for this subject on one of the following: