Understanding and Using Permission Control in JSPWiki
by Jacky Liu ([email protected]) version 1.0 2007.01.06
JSPWiki (http://www.jspwiki.org/) is a simple, easy-to-use wiki system built on JSP + Servlet + JavaBean that does not depend on any other J2EE framework. Its storage is file-system based, it needs only Tomcat to run, and its code is fairly easy to read and improve. Although it is simple and easy to use, its back-end administration features are not very powerful, so when we used it inside the company we still ran into some permission-control problems. This article discusses JSPWiki permission management based on JSPWiki v2.4.71.

Note: unless otherwise stated, quoted material comes from the comments in the JSPWiki source code; all source code in this article is taken from the JSPWiki v2.4.71 source package.

We first introduce its permission system, and then describe how to use it.

1. Introduction to the permission system

JSPWiki has the following permission-related classes:
com.ecyrd.jspwiki.auth.authorize.Role defines a number of built-in principals:

Principal Name   Explanation
All              All users, regardless of authentication status
Anonymous        If the user hasn't supplied a name
Asserted         If the user has supplied a cookie with a username
Authenticated    If the user has authenticated with the Container or UserDatabase
Admin            Administrators (principals or roles possessing AllPermission) are allowed to delete any page, and can edit, rename and delete groups. You should match the permission target (here, 'JSPWiki') with the value of the 'jspwiki.applicationName' property in jspwiki.properties. Two administrative groups are set up below: the wiki group "Admin" (stored by default in wiki page GroupAdmin) and the container role "Admin" (managed by the web container).

com.ecyrd.jspwiki.auth.GroupPrincipal defines roles based on Groups; these roles have the following restrictions:
  • Groups cannot have the same name as a built-in Role (e.g., "Admin", "Authenticated" etc.)
  • Groups cannot have the same name as an existing user

That is, a group cannot share a name with a built-in role, nor with an existing user.

The package com.ecyrd.jspwiki.auth.permissions defines the following wiki permissions:
com.ecyrd.jspwiki.auth.permissions.PagePermission (page permission)
Permission to perform an operation on a single page or collection of pages in a given wiki. Permission actions include: view, edit (edit the text of a wiki page), comment, upload, modify (edit text and upload attachments), delete and rename.

The target of a permission is a single page or collection in a given wiki. The syntax for the target is the wiki name, followed by a colon (:) and the name of the page. "All wikis" can be specified using a wildcard (*). Page collections may also be specified using a wildcard. For pages, the wildcard may be a prefix, suffix, or all by itself. Examples of targets include:


For a given target, certain permissions imply others:

• delete and rename imply modify
• modify implies edit and upload
• edit implies comment and view
• comment and upload imply view

Targets that do not include a wiki prefix never imply others.

This is the permission we use most often; it restricts which operations a user may perform on pages. The available actions are: *, comment, delete, edit, modify, rename, upload, view.

com.ecyrd.jspwiki.auth.permissions.WikiPermission (wiki permission)

Permission to perform a global wiki operation, such as self-registering or creating new pages. Permission actions include: createGroups, createPages, editPreferences, editProfile and login.

The target is a given wiki. The syntax for the target is the wiki name. "All wikis" can be specified using a wildcard (*). Page collections may also be specified using a wildcard. For pages, the wildcard may be a prefix, suffix, or all by itself.

Certain permissions imply others. Currently, createGroups implies createPages.

This permission determines whether a user may log in, register, and create new pages; it is also commonly used. The actions are: createGroups, createPages, editPreferences, editProfile, login.

com.ecyrd.jspwiki.auth.permissions.GroupPermission (group permission)

Permission to perform an operation on a group in a given wiki. Permission actions include: view, edit, delete.

The target of a permission is a single group or collection in a given wiki. The syntax for the target is the wiki name, followed by a colon (:) and the name of the group. "All wikis" can be specified using a wildcard (*). Group collections may also be specified using a wildcard. For groups, the wildcard may be a prefix, suffix, or all by itself. Examples of targets include:


For a given target, certain permissions imply others:

• edit implies view
• delete implies edit and view

Targets that do not include a wiki prefix never imply others.

GroupPermission accepts a special target that means "all groups that a user is a member of." When included in a policy file grant block, it functions like a wildcard. Thus, this block:

    grant signedBy "jspwiki",
        principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
        permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:", "edit";
    };

means, "allow Authenticated users to edit any groups they are members of." The wildcard target (*) does not imply the special target; it must be granted explicitly.

This permission is generally opened only to administrators and is used to put users into groups. Note that each Group's name also corresponds to a security role, which makes it convenient to assign one permission to many users at once.
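The implication rules quoted above for PagePermission and GroupPermission, modelled as an added Python example (this is not JSPWiki's own code). It assumes the target rules exactly as the javadoc states them: a target with no wiki prefix implies nothing but itself, "*" as the wiki part matches any wiki, and the page or group part may be "*", a "prefix*" or a "*suffix"; the action names and implication tables come from the text.

```python
# Added model of the JSPWiki 2.4.71 PagePermission / GroupPermission implication
# rules quoted above; not the project's own code. Targets are "wiki:name" strings.
PAGE_IMPLIES = {            # "delete and rename imply modify", etc.
    "delete": {"modify"}, "rename": {"modify"},
    "modify": {"edit", "upload"},
    "edit": {"comment", "view"},
    "comment": {"view"}, "upload": {"view"},
}
GROUP_IMPLIES = {"edit": {"view"}, "delete": {"edit", "view"}}

def expand_actions(actions, table):
    """Close a set of granted actions under the implication table; "*" means every action."""
    if "*" in actions:
        return set(table) | {a for implied in table.values() for a in implied}
    closed, todo = set(actions), list(actions)
    while todo:
        for implied in table.get(todo.pop(), ()):
            if implied not in closed:
                closed.add(implied)
                todo.append(implied)
    return closed

def target_implies(granted, requested):
    """Assumed target matching: no wiki prefix => only an identical target; a '*' wiki
    matches any wiki; the name part may be '*', a 'prefix*' or a '*suffix'."""
    if ":" not in granted:
        return granted == requested
    g_wiki, g_name = granted.split(":", 1)
    r_wiki, r_name = requested.split(":", 1) if ":" in requested else ("", requested)
    if g_wiki not in ("*", r_wiki):
        return False
    if g_name == "*":
        return True
    if g_name.endswith("*"):
        return r_name.startswith(g_name[:-1])
    if g_name.startswith("*"):
        return r_name.endswith(g_name[1:])
    return g_name == r_name

def implies(granted_target, granted_actions, requested_target, requested_actions, table=PAGE_IMPLIES):
    """True when the granted permission covers the requested one: the target matches and
    every requested action lies in the implied closure of the granted actions."""
    return (target_implies(granted_target, requested_target)
            and set(requested_actions) <= expand_actions(set(granted_actions), table))

if __name__ == "__main__":
    # constructed checks that mirror the javadoc sentences
    print(implies("JSPWiki:*", {"modify"}, "JSPWiki:Main", {"view", "comment"}))          # True
    print(implies("JSPWiki:Main", {"rename"}, "JSPWiki:Main", {"delete"}))                # False
    print(implies("Main", {"delete"}, "JSPWiki:Main", {"view"}))                          # False: no wiki prefix
    print(implies("JSPWiki:Admin", {"delete"}, "JSPWiki:Admin", {"view"}, GROUP_IMPLIES))  # True
```

The policy decision a page ACL or the SecurityConfig.jsp matrix reports is exactly this test: whether some granted permission's target and closed action set cover the one being requested.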
com.ecyrd.jspwiki.auth.permissions.AllPermission (all permissions)
Permission to perform all operations on a given wiki.
Warning: this permission is dangerous and should generally be granted only to administrators.

Users can visit http://localhost:8080/wiki/admin/SecurityConfig.jsp to view their own detailed permission table (at the global level, not including page-level ACLs; for details, hover the mouse pointer over a cell for a moment and read the tooltip):

The colors in each cell show the results of the test. Green means success; red means failure. Hovering over a role name or individual cell will display more detailed information about the role or test.

The table has one column per role (All, Anonymous, Asserted, Authenticated, Admin, Admin); for the PagePermission and GroupPermission rows each role column is split into the sub-columns v e m r d (view, edit, modify, rename, delete). The rows tested are:
PagePermission "JSPWiki:Main"
PagePermission "JSPWiki:Index"
PagePermission "JSPWiki:GroupTest"
PagePermission "JSPWiki:GroupAdmin"
GroupPermission "JSPWiki:Admin"
GroupPermission "JSPWiki:TestGroup"
GroupPermission "JSPWiki:Foo"
WikiPermission "JSPWiki","createGroups"
WikiPermission "JSPWiki","createPages"
WikiPermission "JSPWiki","login"
WikiPermission "JSPWiki","editPreferences"
WikiPermission "JSPWiki","editProfile"
AllPermission "JSPWiki"
(The green/red result cells of the page are not reproduced in this text version.)
Important: these tests do not take into account any page-level access control lists. Page ACLs, if they exist, will constrain access further than what is shown in the table.


2. Using the permission system

As shown above, an Admin account can be created in two ways:
Method 1: create a Group named Admin. In this version it is stored in the file WEB-INF\groupdatabase.xml, which can be manually
