%-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --%> <%@ taglib uri="/WEB-INF/jspwiki.tld" prefix="wiki" %> <%@ page import="java.security.Principal" %> <%@ page import="org.apache.log4j.*" %> <%@ page import="org.apache.wiki.*" %> <%@ page import="org.apache.wiki.auth.*" %> <%@ page errorPage="/Error.jsp" %> <%! public void jspInit() { wiki = WikiEngine.getInstance( getServletConfig() ); } Logger log = Logger.getLogger("JSPWiki"); WikiEngine wiki; SecurityVerifier verifier; %> <% WikiContext wikiContext = wiki.createContext( request, WikiContext.NONE ); if(!wikiContext.hasAccess( response )) return; response.setContentType("text/html; charset="+wiki.getContentEncoding() ); verifier = new SecurityVerifier( wiki, wikiContext.getWikiSession() ); // // This is a security feature, so we will turn it off unless the // user really wants to. // if( !TextUtil.isPositive(wiki.getWikiProperties().getProperty("jspwiki-x.securityconfig.enable")) ) { %>
JSPWiki SecurityConfig UI has been disabled. This page could reveal important security details about your configuration to a potential attacker, so it has been turned off by default. However, it is very easy to enable it by setting the following value
jspwiki-x.securityconfig.enable=true
in your jspwiki.properties file.
Once you are done with debugging your security configuration, please turn this page off again by removing the preceding line, so that your system is safe again.
Have a nice day. May the Force be with you.
This page examines JSPWiki's security configuration and tries to determine if it is working the way it should. Although JSPWiki comes configured with some reasonable default configuration settings out of the box, it's not always obvious what settings to change if you need to customize the security... and sooner or later, just about everyone does.
This page is dynamically generated by JSPWiki. It examines the authentication, authorization and security policy settings. When we think something looks funny, we'll try to communicate what the issue might be, and will make recommendations on how to fix the problem.
Please delete this JSP when you are finished troubleshooting your system.
This diagnostic data presented on this page do not represent a security risk
to your system per se, but they do provide a significant amount of
contextual information that could be useful to an attacker. This page is
currently unconstrained, which means that anyone can view it: nice people, mean people
and everyone in between. You have been warned. You can turn it off by setting
jspwiki-x.securityconfig.enable=false
in your jspwiki.properties.
I see that you've configured container-managed authentication. Very nice.
<% } else { %>Container-managed authentication appears to be disabled, according to your WEB-INF/web.xml
file.
JSPWiki wires up its own JAAS to define the authentication process, and does not rely on the JRE configuration. By default, JSPWiki configures its JAAS login stack to use the UserDatabaseLoginModule. You can specify a custom login module by setting the jspwiki.loginModule.class
property in jspwiki.properties
.
The JAAS login configuration is correctly configured if the jspwiki.loginModule.class
property specifies
a class we can find on the classpath. This class must also be a LoginModule implementation. We will check for both conditions.
I see that you've configured container-managed authorization. Very nice.
<% Principal[] roles = verifier.webContainerRoles(); if ( roles.length > 0 ) { %>Your WEB-INF/web.xml
file defines the following roles:
WEB-INF/web.xml
file does not define any roles. This is an error.Container-managed authorization appears to be disabled, according to your WEB-INF/web.xml
file.
JSPWiki's authorizes user actions by consulting a standard Java 2 security policy file. By default, JSPWiki installs its local security policy file at startup time. This policy file is independent of your global, JVM-wide security policy, if you have one. When checking for authorization, JSPWiki consults the global policy first, then the local policy.
Let's validate the local security policy file. To do this, we parse
the security policy and examine each grant
block. If we see
a permission
entry that is signed, we verify that the certificate
alias exists in our keystore. The keystore itself must also exist in the file system.
And as an additional check, we will try to load each Permission
class into memory to verify that JSPWiki's classloader can find them.
Note: JSPWiki's Policy file parser is stricter than the default parser that ships with the JVM. If you encounter parsing errors, make sure you have the correct comma and semicolon delimiters in your policy file grant
entries. The grant
blocks must follow this format:
grant signedBy "signer_names", codeBase "URL", principal principal_class_name "principal_name", principal principal_class_name "principal_name", ... { permission permission_class_name "target_name", "action"; permission permission_class_name "target_name", "action"; };
Note: JSPWiki versions prior to 2.4.6 accidentally omitted commas after the signedBy
entries, so you should fix this if you are using a policy file based on a version earlier than 2.4.6.
Now comes the really fun part. Using the current security policy, we will test the PagePermissions each JSPWiki role possesses for a range of pages. The roles we will test include the standard JSPWiki roles (Authenticated, All, etc.) plus any others you may have listed in the security policy. In addition to the PagePermissions, we will also test the WikiPermissions. The results of these tests should tell you what behaviors you can expect based on your security policy file. If we had problems finding, parsing or verifying the policy file, these tests will likely fail.
The colors in each cell show the results of the test. Green means success; red means failure. Hovering over a role name or individual cell will display more detailed information about the role or test.
<%=verifier.policyRoleTable()%>Edit.jsp
possess the container role "Admin," for example, this will override an "edit" PagePermission granted to role "Authenticated." See below.
<%
}
%>
Here is how your web container will control role-based access to some common JSPWiki actions and their assocated JSPs. These restrictions will be enforced even if your Java security policy is more permissive.
The colors in each cell show the results of the test. Green means success; red means failure.
<%=verifier.containerRoleTable()%>Note that your web container will allow access to these pages only if your container's authentication realm returns the roles
<%
Principal[] roles = verifier.webContainerRoles();
for( int i = 0; i < roles.length; i++ )
{
%> <%=(roles[i].getName() + (i<(roles.length-1)?",":""))%><%
}
%>
If your container's realm returns other role names, users won't be able to access the pages they should be allowed to see -- because the role names don't match. In that case, You should adjust the <role-name>
entries in web.xml
appropriately to match the role names returned by your container's authorization realm.
Now we are going to compare the roles listed in your security policy with those from your web.xml
file. The ones we care about are those that aren't built-in roles like "All", "Anonymous", "Authenticated" or "Asserted". If your policy shows roles other than these, we need to make sure your container knows about them, too. Container roles are defined in web.xml
in blocks such as these:
<security-role> <description> This logical role includes all administrative users </description> <role-name>Admin</role-name> </security-role>
The user database stores user profiles. It's pretty important that it functions properly. We will try to determine what your current UserDatabase implementation is, based on the current value of the jspwiki.userdatabase
property in your jspwiki.properties
file. In addition, once we establish that the UserDatabase has been initialized properly, we will try to add (then, delete) a random test user. If all of these things work they way they should, then you should have no problems with user self-registration.
The group database stores wiki groups. It's pretty important that it functions properly. We will try to determine what your current GroupDatabase implementation is, based on the current value of the jspwiki.groupdatabase
property in your jspwiki.properties
file. In addition, once we establish that the GroupDatabase has been initialized properly, we will try to add (then, delete) a random test group. If all of these things work they way they should, then you should have no problems with wiki group creation and editing.