> seems to require all roles/groups to be defined in the web.xml of jspwiki
That is a requirement of JEE/Jakarta. I wouldn't mess with the group names, see https://issues.apache.org/jira/browse/JSPWIKI-1176

Also I doubt that there are other group names possible. I believe the DefaultAuthorizationManager parses web.xml and jspwiki.policy.

If you look at DefaultAuthorizationManager you might write and publish documentation.

On Sun, 1 June 2025 at 17:10, Alex O'Ree <[email protected]> wrote:
>
> Greetings,
>
> I'm running into an issue whereby I want to restrict access to a specific
> JSPWiki page with something like
> [{ALLOW read LdapGroup1}]
> whereby the user role LdapGroup1 is Tomcat managed and backed by an
> LDAP/Active Directory setup.
>
> What I'm noticing is that JSP seems to require all roles/groups to be
> defined in the web.xml of jspwiki. That's not really feasible in my case
> whereby we want to give sysadmins flexibility to declare what they
> need/want and have it just work in the wiki.
>
> I think I've narrowed this down to how the default authorization manager
> works.
>
> Question 1: are there any built-in solutions for this scenario or should I
> extend DefaultAuthorizationManager and rig up my own desired logic?
>
> Question 2: is there a syntax for authorization that is something like,
> allow users who are in group1 AND group2? i.e. require membership/role in
> more than one role, if they don't have group1 and group2, access denied
