Hi Gary, inside JSPWiki, Attachments are considered a special type of Pages, so the same policy rules & syntax should apply. In this case, the following permission inside the anonymous role block should be enough:
permission org.apache.wiki.auth.permissions.PagePermission "*:LeftMenu/mylogo.png", "view"; Also, LeftMenu usually is a page that should be shown to all users, so the following permission, also inside the anonymous role block, should also do the trick and allow anonymous view on both Page and Attachment: permission org.apache.wiki.auth.permissions.PagePermission "*:LeftMenu", "view"; HTH, juan pablo On Sat, Dec 5, 2020 at 6:20 PM Gary Kephart <gary_keph...@pobox.com> wrote: > I have a site that I've set up as read-only except for users who are in > a particular group. For the most part, that works well. What doesn't > seem to work is showing the site logo to users who are not logged in. > When I try to directly access > http://mysite.org/attach/LeftMenu/mylogo.png when logged off, I get the > Forbidden page, where it mentions "It is also possible that JSPWiki > cannot find its security policy, or that the policy is not configured > correctly. Either of these cases would cause JSPWiki to block access, too." > > Is attachment policy different than page policy? Do you have to be able > to modify a page in order to view an attachment? What do I need to do to > fix this? I've read > https://jspwiki-wiki.apache.org/Wiki.jsp?page=Wiki.Admin.Security and > don't see anything there that addresses this specifically. > > Thanks, > Gary >
