LDAPWiki: WIKI-Roles

Overview#

The default jspwiki.authorizer, uses the servlet container's authorization service for to check what WIKI-Roles the user belongs by calling HttpServletRequest.isUserInRole(String)).

"Built-in" WIKI-Roles#

The "Built-in" WIKI-Roles:

ALL - Anyone in any state of authentication.
AUTHENTICATED - User logged in with via the WebContainerAuthorizer.
ANONYMOUS - User not logged in, and has not supplied a cookie.
ASSERTED - User's browser contains a cookie called JSPWikiAssertedName.

These "Built-in" WIKI-Roles are related to the user's current authentication state, and are assigned by JSPWiki as part of the "jspwiki.authorizer" authentication system and can will be ignored if supplied by the Web Container.

The default jspwiki.authorizer, uses the servlet container's authorization service for to check what roles the user belongs by calling HttpServletRequest.isUserInRole(String)).

WIKI-Roles are maintained outside of JSPWiki by the web container. The JNDIRealm, for example, is a container-managed realm that supplies roles that JSPWiki can use. For JSPWiki to use them, they must be declared in the JSPWiki web.xml file, typically using the <security-role>/<role-name> or <auth-constraint>/<role-name> elements.

When JSPWiki starts parses web.xml and caches the set of WIKI-Roles that are declared there.

Available WIKI-Roles are determined only at JSPWiki startup.

When the user authenticates, the default "jspwiki.authorizer" checks to see if the user belongs to the cached roles and if so, the user is regarded as "belonging" to that role.

Which WIKI-Roles a WIKI-Profile belongs to is determined only when the user Authenticates.

default "jspwiki.authorizer"#

When users create or save their WIKI-Profile, they are persisted to a permanent storage area called a UserDatabase. Using the default UserDatabase the user WIKI-Profile is saved to an XML file in the JSPWiki WEB-INF directory to the file userdatabase.xml. Each user profile is a separate <user> entry. Passwords are hashed using SHA-1. Atypical entry is shown below.

<user uid="a822f0ca-489f-47f8-a8a7-50eaa64a14c3" loginName="loginname" wikiName="wikiname" fullName="Full Name" email="emailname@willeke.com" password="{SSHA}notrealhashoow56VQwYzIN3tgawweHdypl8R+Pg==" created="2014.07.26 at 09:56:03:770 UTC" lastModified="2014.07.26 at 09:56:03:770 UTC" lockExpiry="" >
</user>

Additional Web Container Managed WIKI-Roles#

When using a non-default WebContainerAuthorizer, additional WIKI-Roles could be defined. As an example, a "FAMILY" Role could be defined. Defined implies it is defined within:

WebContainerAuthorizer
JSPWiki's web.xml

Then any page could use a WIKI-ACLs and reference "FAMILY".

Web Container Managed WIKI-Roles will be ignored if they conflict with the "Built-in" WIKI-Roles.

jspwiki.authorizer#

You could use any Authorizer if you wish; specify that class in the properties file as "jspwiki.authorizer".

JSPWiki can store profiles in any JDBC-compliant database. Like the XML user database, it plugs in transparently into the authentication subsystem. This means you can authenticate users and store profiles using a database. You can also share the user database with your web container.

JSPWiki Roles and Groups #

Some thoughts about when to use JSPWiki Roles and Groups

More Information#

There might be more information for this subject on one of the following: