Hello JSPWiki Community,
I am writing to ask for your help with a very stubborn authentication issue
after migrating from JSPWiki 2.8 to JSPWiki 2.12.2.
My Goal: To set up JSPWiki 2.12.2 on Tomcat 9 (running on Amazon Linux 2023)
with authentication against an external LDAP server. A key constraint is that
our LDAP server contains users and passwords only; it does not manage roles or
groups.
What I Have Tried:
1. Container-Managed Security: My first approach was to use container-managed
security in Tomcat. After realizing a simple JNDIRealm wouldn't work, I
configured a CombinedRealm in server.xml. This used an inner JNDIRealm for LDAP
authentication and a UserDatabaseRealm (with tomcat-users.xml) to assign a
default Authenticated role.
   * Result: This almost worked. The user was successfully authenticated against
     LDAP, but was then shown the JSPWiki "Forbidden" page. This suggested that
     the roles assigned by Tomcat's CombinedRealm were not being correctly
     recognized by JSPWiki's WebContainerAuthorizer.
2. Internal JAAS Security (Current Approach): Due to the issues with the
container, I switched to the internal JAAS security model (jspwiki.security =
jaas). I removed all security from server.xml and web.xml and created a
jspwiki.jaas.conf file with a chain of LDAPLoginModule (for authentication) and
DefaultRoleLoginModule (to assign default roles).
The Current Problem: The application seems to be completely ignoring the JAAS
configuration.
   * My server startup script correctly provides the JAAS config path to the JVM
     via the system property:
     -Djava.security.auth.login.config=/opt/wiki/tomcat/conf/jspwiki.jaas.conf
   * My jspwiki.properties file correctly specifies:
       * jspwiki.security = jaas
       * jspwiki.jaas.app-name = JSPWiki
   * However, when I attempt to log in, the jspwiki.log file shows no attempts
     to use the LDAPLoginModule or DefaultRoleLoginModule. Instead, it only
     shows the default AnonymousLoginModule being used, and the user is logged
     in as a guest.
   * This also causes the jspwiki.defaultAcl = -(ANONYMOUS):view property to be
     ignored, leaving the entire wiki publicly visible.
We have already verified with ldapsearch that all LDAP connection parameters
are correct. We have also confirmed that JSPWiki is correctly reading its main
data directories (like pageDir and workDir) which are also forced via system
properties.
My Question: Why would JSPWiki 2.12.2 completely ignore the JAAS configuration
provided via the standard -Djava.security.auth.login.config system property and
fall back to its default, un-authenticated login modules? Is this a known
issue, or is there a configuration step for JAAS that I am missing?
I am happy to provide my full, final configuration files (server.xml, web.xml,
jspwiki.properties, jspwiki.jaas.conf, jspwiki.policy, and logs) upon request.
Thank you for your time and any help you can provide.
Best regards,
Lorenzo Sparacca
Regards,
Lorenzo Sparacca
System Admin | Armundia Group
www.armundiagroup.com
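An added diagnostic, not from the post or from JSPWiki: it parses a JAAS login-configuration file of the shape the post describes and cross-checks it against the two jspwiki.properties keys mentioned, so that an entry name that does not match jspwiki.jaas.app-name, or an entry with no REQUIRED/REQUISITE module, is reported instead of failing silently. The module class names and LDAP URL in the sample are constructed placeholders.

```python
import re

# Constructed sample: a JAAS login configuration chaining an LDAP login module
# with a default-role module. Class names are placeholders, not JSPWiki's own.
SAMPLE_JAAS_CONF = """
JSPWiki {
    com.example.LDAPLoginModule REQUIRED
        url="ldap://ldap.example.org:389";
    com.example.DefaultRoleLoginModule OPTIONAL;
};
"""

# Constructed sample of the two jspwiki.properties lines from the post.
SAMPLE_PROPERTIES = """
jspwiki.security = jaas
jspwiki.jaas.app-name = JSPWiki
"""

# One JAAS entry: `Name { ... };` ; inside it, `module.Class FLAG [options];`
ENTRY_RE = re.compile(r"(\S+)\s*\{(.*?)\};", re.S)
MODULE_RE = re.compile(r"([\w.$]+)\s+(required|requisite|sufficient|optional)\b", re.I)


def parse_jaas_conf(text):
    """Return {entry_name: [(module_class, FLAG), ...]} in file order."""
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        entries[name] = [(cls, flag.upper()) for cls, flag in MODULE_RE.findall(body)]
    return entries


def parse_properties(text):
    """Minimal key = value reader for the properties lines we care about."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_jaas_wiring(conf_text, props_text):
    """Return a list of problems; an empty list means the names line up."""
    problems, props, entries = [], parse_properties(props_text), parse_jaas_conf(conf_text)
    if props.get("jspwiki.security") != "jaas":
        problems.append("jspwiki.security is not 'jaas'")
    app = props.get("jspwiki.jaas.app-name")
    if app is None:
        problems.append("jspwiki.jaas.app-name is not set")
    elif app not in entries:
        problems.append(f"no JAAS entry named {app!r}; found {sorted(entries)}")
    elif not any(flag in ("REQUIRED", "REQUISITE") for _, flag in entries[app]):
        problems.append(f"entry {app!r} has no REQUIRED/REQUISITE module")
    return problems
```

Run it against the real files by reading them into the two arguments; entry names in a JAAS file are case-sensitive, which is exactly the kind of mismatch the check reports.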