| Hi everybody--- |
| |
| An experimental JSPWiki branch with the new AAA subsystem is nearing alpha status. |
| |
| Background |
| ---------- |
| Less than 60 days ago, a bunch of us in this fine list bashed out a set of requirements for a new system for authenticating and authorizing users. Although there are too many requirements to list here, some of the primary features include: |
| - Continued support for JSPWiki's custom authentication system |
| - Full support for container-based authentication and authorization, including container-style roles |
| - Flexible, ad hoc "groups" |
| - Wiki-based ACLs |
| - Customizable security policies, with simple and sensible defaults |
| - New user database for "persistent" user identities |
| - Support for standard Java security technologies; notably, J2SE security policies and JAAS authentication |
| |
| Development needs |
| ----------------- |
| I need help getting the preceding list of requirements implemented... |
| 2.7 Access restrictions on searches not implemented yet. |
| 2.9 Hard-coded "super user" needs to be re-implemented |
| and coded into AuthenticationManager. |
| 3.3 Groups names are checked at creation time to make |
| sure they aren't the same as a built-in role, but |
| there should be logic in the JSP pages that tells |
| the user they can't do that... |
| 3.8-3.11 Requirements not implemented yet (these are "nice |
| to have" features anyway) |
| 4.10 Page restore operation restores previous |
| ACL, not current ACL |
| 6.9 Password re-set not implemented yet (nice-to-have) |
| 7.1 Embedding permission checks within core wiki classes |
| (e.g., WikiEngine) NOT implemented yet. Examples: |
| - WikiPage.setAcl should check for 'edit' |
| 7.5 Need to sanity-check configuration files (e.g., |
| jspwiki.policy) to ensure they implement a common |
| number of use cases that should "just work." |
| 7.6 No user-facing documentation at the moment... |
| |
| Deployment considerations |
| ------------------------- |
| JSPWiki now installs default JAAS and J2SE security policies |
| at startup. See the jspwiki.policy and jspwiki.jaas files |
| for more details on how to customize these configurations |
| if you don't like the defaults. |
| |
| Bugs, limitations and errata |
| ---------------------------- |
| - Need a CreateGroup.jsp page **badly** |
| - Ant build script (build.xml) now automatically signs |
| the jspwiki.jar file after it builds. It will attempt |
| to create a new .jks key file for you if it can't find |
| one where it expects (etc/). If will also copy this key |
| file to WEB-INF when building the WAR. |
| - There are some funky cookie/user profile issues that persist |
| during logout operations. This could cause funnny |
| things to happen when editing preferences or registering. |
| This will get solved very soon... but not tonight. |
| - Container-managed authentication has been tested |
| and debugged. It works. |
| - User preferences has been split into the traditional |
| "master" JSP with the business logic, and a separate |
| *Content.jsp file. |
| - User registration now lives in a JSP separate from |
| user preferences. The explanation for this is complex, |
| but it boils down to the impossibility of guaranteeing |
| session state (anonymous, asserted, authenticated). |
| Since the UI is subtly different in all of these cases, |
| it made sense to break the two functions apart. |
| - UserCheck and UserProfile tags have significant |
| enhancements that should make template-writing much |
| easier, with a dramatic reduction in scriptlet code. |
| - Changes to the AAA model ***will*** break your |
| custom template's scriptlet code unless you change |
| JSPs to use the new API calls, in particular |
| AuthorizationManager.checkPermission(). A migration guide |
| for template developers would be great! |
| - Container-based authentication has been unit-tested |
| but not system-tested, so it might not work. |
| But it should... |
| - Requirement 1.10 might not be practical. I didn't |
| attempt to implement it. |
| - Groups are implemented as wiki pages named Group* |
| rather than as subpages of GroupConfiguration |
| - UserPreferences.jsp needs a decent stylesheet... |
| |
| Requirements |
| ------------ |