Hi everybody--- An experimental JSPWiki branch with the new AAA subsystem is nearing alpha status. Background ---------- Less than 60 days ago, a bunch of us in this fine list bashed out a set of requirements for a new system for authenticating and authorizing users. Although there are too many requirements to list here, some of the primary features include: - Continued support for JSPWiki's custom authentication system - Full support for container-based authentication and authorization, including container-style roles - Flexible, ad hoc "groups" - Wiki-based ACLs - Customizable security policies, with simple and sensible defaults - New user database for "persistent" user identities - Support for standard Java security technologies; notably, J2SE security policies and JAAS authentication Development needs ----------------- I need help getting the preceding list of requirements implemented... 2.7 Access restrictions on searches not implemented yet. 2.9 Hard-coded "super user" needs to be re-implemented and coded into AuthenticationManager. 3.3 Groups names are checked at creation time to make sure they aren't the same as a built-in role, but there should be logic in the JSP pages that tells the user they can't do that... 3.8-3.11 Requirements not implemented yet (these are "nice to have" features anyway) 4.10 Page restore operation restores previous ACL, not current ACL 6.9 Password re-set not implemented yet (nice-to-have) 7.1 Embedding permission checks within core wiki classes (e.g., WikiEngine) NOT implemented yet. Examples: - WikiPage.setAcl should check for 'edit' 7.5 Need to sanity-check configuration files (e.g., jspwiki.policy) to ensure they implement a common number of use cases that should "just work." 7.6 No user-facing documentation at the moment... Deployment considerations ------------------------- JSPWiki now installs default JAAS and J2SE security policies at startup. See the jspwiki.policy and jspwiki.jaas files for more details on how to customize these configurations if you don't like the defaults. Bugs, limitations and errata ---------------------------- - Need a CreateGroup.jsp page **badly** - Ant build script (build.xml) now automatically signs the jspwiki.jar file after it builds. It will attempt to create a new .jks key file for you if it can't find one where it expects (etc/). If will also copy this key file to WEB-INF when building the WAR. - There are some funky cookie/user profile issues that persist during logout operations. This could cause funnny things to happen when editing preferences or registering. This will get solved very soon... but not tonight. - Container-managed authentication has been tested and debugged. It works. - User preferences has been split into the traditional "master" JSP with the business logic, and a separate *Content.jsp file. - User registration now lives in a JSP separate from user preferences. The explanation for this is complex, but it boils down to the impossibility of guaranteeing session state (anonymous, asserted, authenticated). Since the UI is subtly different in all of these cases, it made sense to break the two functions apart. - UserCheck and UserProfile tags have significant enhancements that should make template-writing much easier, with a dramatic reduction in scriptlet code. - Changes to the AAA model ***will*** break your custom template's scriptlet code unless you change JSPs to use the new API calls, in particular AuthorizationManager.checkPermission(). A migration guide for template developers would be great! - Container-based authentication has been unit-tested but not system-tested, so it might not work. But it should... - Requirement 1.10 might not be practical. I didn't attempt to implement it. - Groups are implemented as wiki pages named Group* rather than as subpages of GroupConfiguration - UserPreferences.jsp needs a decent stylesheet... Requirements ------------