| // $Id: jspwiki.policy,v 1.20 2006-07-29 19:15:03 arj Exp $ |
| // |
| // This file contains the Java 2 security policy for JSPWiki. |
| // It provides the permissions rules for the JSPWiki |
| // environment, and should be suitable for most |
| // purposes. |
| // |
| // If you are running your servlet container with a security |
| // policy already, you should simply append the contents |
| // of this file to it. Otherwise, you can use this as a |
| // stand-alone policy, even without running a security manager. |
| // |
| // By default, JSPWiki will load this policy into your web |
| // container if it detects that no custom policies are being |
| // used. In most cases, this should work just fine. |
| // |
| // If you want to use your own policy file instead of this default file, |
| // you will need to specify the location of the policy by setting the |
| // JVM system property 'java.security.policy' in the command line script |
| // you use to start your web container. The file location should |
| // be the absolute path to the jspwiki.policy file. For example: |
| // |
| // java -jar myservletcontainer.jar -Djava.security.policy=/path-to/jspwiki.policy |
| // |
| // Some servlet containers make this very easy by looking |
| // for an environment variable and automatically appending |
| // the contents to the 'java' command. For example, Tomcat |
| // users just need to set the CATALINA_OPTS variable: |
| // |
| // export CATALINA_OPTS="-Djava.security.policy=/path-to/jspwiki.policy" |
| // |
| // In addition, it is typically good practice to store jspwiki.policy |
| // in the Tomcat config directory (CATALINA_HOME/conf). |
| // |
| // |
| // ----------------------------------------------------------- |
| // And now, for the security policy |
| // |
| // |
| // JSPWiki signs its own JAR files so that the Java security polcicy knows how |
| // to resolve our custom Wiki/PagePermissions. The keystore is specified in the |
| // first line of the file, as shown below. If the path is not fully qualified, |
| // the JRE will assume it's in the same directory as this policy file. |
| |
| keystore "jspwiki.jks"; |
| |
| // JSPWiki itself needs some basic privileges in order to operate. |
| // If you are running JSPWiki with a security manager, don't change these, |
| // because it will totally b0rk the system. |
| |
| grant signedBy "jspwiki" { |
| permission java.security.SecurityPermission "getPolicy"; |
| permission java.security.SecurityPermission "setPolicy"; |
| permission java.util.PropertyPermission "java.security.auth.login.config", "write"; |
| permission java.util.PropertyPermission "java.security.policy", "read,write"; |
| permission javax.security.auth.AuthPermission "getLoginConfiguration"; |
| permission javax.security.auth.AuthPermission "setLoginConfiguration"; |
| }; |
| |
| |
| // The first policy block is extremely loose, and unsuited for public-facing wikis. |
| // Anonymous users are allowed to view, create, edit and comment on all pages |
| // (except group pages). Anonymous users can also register with the wiki; |
| // to edit their profile after registration, they must log in. |
| // |
| // Note: For Internet-facing wikis, you are strongly advised to remove the |
| // lines containing the "edit" and "createPages" permissions; this will make |
| // the wiki read-only for anonymous users. |
| |
| grant signedBy "jspwiki", |
| principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" { |
| permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view"; |
| permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit"; |
| permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages"; |
| permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences"; |
| permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile"; |
| permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login"; |
| }; |
| |
| |
| // This next policy block is also pretty loose. It allows users who claim to |
| // be someone (via their cookie) to view, create, edit and comment on all pages |
| // (except group pages). Anonymous users can also register with the wiki; |
| // to edit their profile after registration, they must log in. |
| |
| grant signedBy "jspwiki", |
| principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" { |
| permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit"; |
| permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view"; |
| permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages"; |
| permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences"; |
| permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile"; |
| permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login"; |
| }; |
| |
| |
| // Authenticated users can do most things: view, create, edit and |
| // comment on all pages; upload files to existing ones; create and edit |
| // wiki groups; and rename existing pages. Authenticated users can register |
| // with the wiki, edit their own profiles, and edit groups they create. |
| |
| grant signedBy "jspwiki", |
| principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" { |
| permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename"; |
| permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view"; |
| permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit"; |
| permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups"; |
| permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences"; |
| permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile"; |
| permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login"; |
| }; |
| |
| |
| // Administrators (principals or roles possessing AllPermission) |
| // are allowed to delete any page, and can edit, rename and delete |
| // groups. You should match the permission target (here, 'JSPWiki') |
| // with the value of the 'jspwiki.applicationName' property in |
| // jspwiki.properties. Two administative groups are set up below: |
| // the wiki group "Admin" (stored by default in wiki page GroupAdmin) |
| // and the container role "Admin" (managed by the web container). |
| |
| grant signedBy "jspwiki", |
| principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" { |
| permission com.ecyrd.jspwiki.auth.permissions.AllPermission "JSPWiki"; |
| }; |
| grant signedBy "jspwiki", |
| principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" { |
| permission com.ecyrd.jspwiki.auth.permissions.AllPermission "JSPWiki"; |
| }; |