// $Id: jspwiki.policy,v 1.20 2006-07-29 19:15:03 arj Exp $
//
// This file contains the Java 2 security policy for JSPWiki.
// It provides the permission rules for the JSPWiki
// environment, and should be suitable for most
// purposes.
//
// If you are running your servlet container with a security
// policy already, you should simply append the contents
// of this file to it. Otherwise, you can use this as a
// stand-alone policy, even without running a security manager.
//
// By default, JSPWiki will load this policy into your web
// container if it detects that no custom policies are being
// used. In most cases, this should work just fine.
//
// If you want to use your own policy file instead of this default file,
// you will need to specify the location of the policy by setting the
// JVM system property 'java.security.policy' in the command line script
// you use to start your web container. The file location should
// be the absolute path to the jspwiki.policy file. For example:
//
// java -jar myservletcontainer.jar -Djava.security.policy=/path-to/jspwiki.policy
//
// Some servlet containers make this very easy by looking
// for an environment variable and automatically appending
// the contents to the 'java' command. For example, Tomcat
// users just need to set the CATALINA_OPTS variable:
//
// export CATALINA_OPTS="-Djava.security.policy=/path-to/jspwiki.policy"
//
// In addition, it is typically good practice to store jspwiki.policy
// in the Tomcat config directory (CATALINA_HOME/conf).
//
//
// -----------------------------------------------------------
// And now, for the security policy
//
//
// JSPWiki signs its own JAR files so that the Java security policy knows how
// to resolve our custom Wiki/PagePermissions. The keystore is specified in the
// first line of the file, as shown below. If the path is not fully qualified,
// the JRE will assume it's in the same directory as this policy file.
keystore "jspwiki.jks";
// The keystore above holds the certificate behind the "jspwiki" signer alias.
// Every grant in this file is conditioned on that alias (signedBy "jspwiki"),
// so the permissions below apply only to JSPWiki's own signed JARs, never to
// arbitrary code running in the same container.

// JSPWiki itself needs some basic privileges in order to operate.
// If you are running JSPWiki with a security manager, don't change these,
// because it will totally b0rk the system.
// These are the privileges JSPWiki uses to read and replace the JVM Policy
// and the JAAS login Configuration (getPolicy/setPolicy,
// getLoginConfiguration/setLoginConfiguration) and to set the two matching
// system properties. They are deliberately not tied to any wiki role: they
// belong to the signed code itself, whichever user is acting.
grant signedBy "jspwiki" {
    permission java.security.SecurityPermission "getPolicy";
    permission java.security.SecurityPermission "setPolicy";
    permission java.util.PropertyPermission "java.security.auth.login.config", "write";
    permission java.util.PropertyPermission "java.security.policy", "read,write";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
};

// The first policy block is extremely loose, and unsuited for public-facing wikis.
// Anonymous users are allowed to view, create, edit and comment on all pages
// (except group pages). Anonymous users can also register with the wiki;
// to edit their profile after registration, they must log in.
//
// Note: For Internet-facing wikis, you are strongly advised to remove the
// lines containing the "edit" and "createPages" permissions; this will make
// the wiki read-only for anonymous users.
// The "*:*" target is a wildcard over every wiki and every page. No
// GroupPermission is granted in this block; presumably that is what keeps
// group pages out of reach for anonymous users (compare the "Asserted" block).
grant signedBy "jspwiki", principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

// This next policy block is also pretty loose. It allows users who claim to
// be someone (via their cookie) to view, create, edit and comment on all pages
// (except group pages). Anonymous users can also register with the wiki;
// to edit their profile after registration, they must log in.
// The "Asserted" identity comes from a cookie the client controls, so treat
// this role as no more trustworthy than "Anonymous" when deciding what to grant.
// NOTE(review): unlike the "Anonymous" block, no explicit "view" PagePermission
// is granted here, so page viewing relies on "edit" implying "view" inside
// PagePermission -- confirm against PagePermission's implication rules before
// tightening this block. Asserted users additionally get read access to group
// pages via GroupPermission "view".
grant signedBy "jspwiki", principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

// Authenticated users can do most things: view, create, edit and
// comment on all pages; upload files to existing ones; create and edit
// wiki groups; and rename existing pages. Authenticated users can register
// with the wiki, edit their own profiles, and edit groups they create.
// NOTE(review): the GroupPermission target "*:" below has an empty group part.
// This looks like a token lost during extraction (the stock JSPWiki policy uses
// the "<groupmember>" placeholder, i.e. "*:<groupmember>", to limit "edit" to
// groups the user is a member of) -- confirm against the shipped jspwiki.policy.
// Do not widen this target to "*:*": that would let every authenticated user
// edit the "Admin" wiki group, which is granted AllPermission further below.
grant signedBy "jspwiki", principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

// Administrators (principals or roles possessing AllPermission)
// are allowed to delete any page, and can edit, rename and delete
// groups. You should match the permission target (here, 'JSPWiki')
// with the value of the 'jspwiki.applicationName' property in
// jspwiki.properties. Two administrative groups are set up below:
// the wiki group "Admin" (stored by default in wiki page GroupAdmin)
// and the container role "Admin" (managed by the web container).
// Because the wiki group "Admin" is kept in a wiki page (GroupAdmin), whoever
// can edit that group effectively holds AllPermission; the GroupPermission
// "edit" grants above decide who that is, so review them together with this
// block. The container role "Admin" is controlled by the servlet container's
// own realm, outside this file.
grant signedBy "jspwiki", principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "JSPWiki";
};
grant signedBy "jspwiki", principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "JSPWiki";
};