Note: unless stated otherwise, the quoted material comes from the comments in the JSPWiki source code, and all source excerpts in this article are taken from the JSPWiki v2.4.71 source package.
We first describe the permission system and then how to use it.
1. The permission system
JSPWiki has the following permission-related classes:
com.ecyrd.jspwiki.auth.authorize.Role defines a set of built-in principals:
| Principal Name | Principal Explanation |
| --- | --- |
| All | All users, regardless of authentication status |
| Anonymous | If the user hasn't supplied a name |
| Asserted | If the user has supplied a cookie with a username |
| Authenticated | If the user has authenticated with the Container or UserDatabase |
| Admin | Administrators (principals or roles possessing AllPermission) are allowed to delete any page, and can edit, rename and delete groups. You should match the permission target (here, 'JSPWiki') with the value of the 'jspwiki.applicationName' property in jspwiki.properties. Two administrative groups are set up below: the wiki group "Admin" (stored by default in wiki page GroupAdmin) and the container role "Admin" (managed by the web container). |
com.ecyrd.jspwiki.auth.GroupPrincipal defines Group-based roles. The source comments place two restrictions on them:
- Groups cannot have the same name as a built-in Role (e.g., "Admin", "Authenticated" etc.)
- Groups cannot have the same name as an existing user
In other words, a group may neither clash with a built-in role nor with an existing user name.
The package com.ecyrd.jspwiki.auth.permissions defines the following wiki permissions:
com.ecyrd.jspwiki.auth.permissions.PagePermission (page permission)
Permission to perform an operation on a single page or collection of pages in a given wiki. Permission actions include: view, edit (edit the text of a wiki page), comment, upload, modify (edit text and upload attachments), delete and rename.
The target of a permission is a single page or collection in a given wiki. The syntax for the target is the wiki name, followed by a colon (:) and the name of the page. "All wikis" can be specified using a wildcard (*). Page collections may also be specified using a wildcard. For pages, the wildcard may be a prefix, suffix, or all by itself. Examples of targets include:
*:*
*:JanneJalkanen
*:Jalkanen
*:Janne*
mywiki:JanneJalkanen
mywiki:*Jalkanen
mywiki:Janne*
For a given target, certain permissions imply others:
- delete and rename imply modify
- modify implies edit and upload
- edit implies comment and view
- comment and upload imply view
Targets that do not include a wiki prefix never imply others.
com.ecyrd.jspwiki.auth.permissions.WikiPermission (wiki permission)
Permission to perform a global wiki operation, such as self-registering or creating new pages. Permission actions include: createGroups, createPages, editPreferences, editProfile and login.
The target is a given wiki. The syntax for the target is the wiki name alone (there is no colon or page part, unlike PagePermission). "All wikis" can be specified using a wildcard (*).
Certain permissions imply others. Currently, createGroups implies createPages.
com.ecyrd.jspwiki.auth.permissions.GroupPermission (group permission)
Permission to perform an operation on a group in a given wiki. Permission actions include: view, edit and delete.
The target of a permission is a single group or collection in a given wiki. The syntax for the target is the wiki name, followed by a colon (:) and the name of the group. "All wikis" can be specified using a wildcard (*). Group collections may also be specified using a wildcard. For groups, the wildcard may be a prefix, suffix, or all by itself. Examples of targets include:
*:*
*:TestPlanners
*:*Planners
*:Test*
mywiki:TestPlanners
mywiki:*Planners
mywiki:Test*
For a given target, certain permissions imply others:
- edit implies view
- delete implies edit and view
Targets that do not include a wiki prefix never imply others.
GroupPermission accepts a special target called <groupmember> that means "all groups that a user is a member of." When included in a policy file grant block, it functions like a wildcard. Thus, this block:

grant signedBy "jspwiki",
  principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
};

means, "allow Authenticated users to edit any groups they are members of." The wildcard target (*) does not imply <groupmember>; it must be granted explicitly.
This permission is normally granted only to administrators and is used to assign users to groups. Note that every Group name also acts as a security role, which makes it convenient to give one set of permissions to several users at once.
com.ecyrd.jspwiki.auth.permissions.AllPermission (all permissions)
Permission to perform all operations on a given wiki.
Warning: this permission is dangerous; as a rule it should be granted to administrators only.
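The implication rules quoted above (the PagePermission, WikiPermission and GroupPermission action chains, wildcard targets, the <groupmember> target and AllPermission) can be exercised end to end with the following Python model. It is an added example written for this article, not JSPWiki's own code: the names Permission, Policy, implied_actions and default_policy are assumptions for the demo, and the grants in default_policy() are constructed in the spirit of a jspwiki.policy file rather than copied from the real one.

```python
"""Model of JSPWiki 2.4 permission implication and policy checks.
Added illustration for this article, not JSPWiki's own code: it encodes the
wildcard-target, action-implication, <groupmember> and AllPermission rules
quoted from the javadoc above. default_policy() is a constructed assumption,
not the real jspwiki.policy."""
from dataclasses import dataclass, field

# Direct action implications per permission class, as documented by JSPWiki;
# the transitive closure (delete -> modify -> edit -> view ...) is computed.
_DIRECT = {
    "page": {"delete": {"modify"}, "rename": {"modify"},
             "modify": {"edit", "upload"}, "edit": {"comment", "view"},
             "comment": {"view"}, "upload": {"view"}, "view": set()},
    "group": {"delete": {"edit", "view"}, "edit": {"view"}, "view": set()},
    "wiki": {"createGroups": {"createPages"}, "createPages": set(),
             "editPreferences": set(), "editProfile": set(), "login": set()},
}

def implied_actions(kind, action):
    """Return `action` together with every action it transitively implies."""
    seen, todo = set(), [action]
    while todo:
        a = todo.pop()
        if a not in seen:
            seen.add(a)
            todo.extend(_DIRECT[kind][a])
    return seen

def _name_matches(pattern, name):
    """Page/group wildcard: whole name ('*'), prefix ('Janne*') or suffix ('*Jalkanen')."""
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return name.endswith(pattern[1:])
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name

@dataclass(frozen=True)
class Permission:
    kind: str                     # "page", "group", "wiki" or "all"
    target: str                   # "wiki:Name" for page/group, "wiki" otherwise
    actions: frozenset = frozenset()

    def implies(self, other, member_of=frozenset()):
        """True if this granted permission covers `other`; `member_of` lists the
        user's groups and matters only for a <groupmember> target."""
        if self.kind == "all":    # AllPermission: every operation in that wiki
            return self.target in ("*", other.target.split(":", 1)[0])
        if self.kind != other.kind:
            return False
        if self == other:
            return True
        if self.kind == "wiki":
            target_ok = self.target in ("*", other.target)
        else:
            # A target without a wiki prefix never implies any other target.
            if ":" not in self.target or ":" not in other.target:
                return False
            wiki, name = self.target.split(":", 1)
            owiki, oname = other.target.split(":", 1)
            if wiki not in ("*", owiki):
                return False
            if name == "<groupmember>":
                target_ok = oname == "<groupmember>" or oname in member_of
            elif oname == "<groupmember>":
                target_ok = False  # the "*" wildcard never implies <groupmember>
            else:
                target_ok = _name_matches(name, oname)
        if not target_ok:
            return False
        covered = set()
        for a in self.actions:
            covered |= implied_actions(self.kind, a)
        return set(other.actions) <= covered

@dataclass
class Policy:
    """(principal name, Permission) grants, like jspwiki.policy grant blocks."""
    grants: list = field(default_factory=list)

    def check(self, principals, perm, member_of=frozenset()):
        """True if a principal the user holds was granted something implying `perm`."""
        return any(p in principals and g.implies(perm, member_of)
                   for p, g in self.grants)

def default_policy():
    """Constructed grants loosely modelled on jspwiki.policy (an assumption)."""
    pol = Policy()
    pol.grants += [
        ("Anonymous", Permission("page", "*:*", frozenset({"view"}))),
        ("Authenticated", Permission("page", "*:*", frozenset({"modify"}))),
        ("Authenticated", Permission("group", "*:<groupmember>", frozenset({"edit"}))),
        ("Admin", Permission("all", "JSPWiki")),
    ]
    return pol
```

JSPWiki itself evaluates grants through the Java security policy; this model only reproduces the documented implication semantics, which is enough to reason about whether a wildcard grant such as "*:Janne*" or "*:<groupmember>" is broader than intended before it goes into jspwiki.policy.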
A user can open http://localhost:8080/wiki/admin/SecurityConfig.jsp to see a detailed permission table (wiki-level permissions only; page-level permissions are not included; hover the pointer over a cell for a moment to see the details in the tooltip):
The colors in each cell show the results of the test. Green means success; red means failure. Hovering over a role name or individual cell will display more detailed information about the role or test.
The table has one row per permission tested (each column is a role, and the result of the test is shown as a colored cell):
PagePermission "JSPWiki:Main"
PagePermission "JSPWiki:Index"
PagePermission "JSPWiki:GroupTest"
PagePermission "JSPWiki:GroupAdmin"
GroupPermission "JSPWiki:Admin"
GroupPermission "JSPWiki:TestGroup"
GroupPermission "JSPWiki:Foo"
WikiPermission "JSPWiki","createGroups"
WikiPermission "JSPWiki","createPages"
WikiPermission "JSPWiki","login"
WikiPermission "JSPWiki","editPreferences"
WikiPermission "JSPWiki","editProfile"
AllPermission "JSPWiki"
The red cells in this table are the checks that fail, i.e. the permissions the corresponding role (and therefore a user holding only that role) does not have.
2. Using the permission system
As shown above, an Admin account can be set up in two ways:
Method 1: create a Group named Admin. In this version it is stored in the file WEB-INF\groupdatabase.xml, which can be manually