To secure a KnowWE(JSPWiki) installation, you have to edit two files:
jspwiki.properties:
at the very bottom uncomment the line jspwiki.approver.workflow.saveWikiPage=Admin to enable the forced approval of new user accounts by an admin. (Make sure there is an 'Admin' group)
make sure the option allowHTML is set to false
jspwiki.policiy: comment the permissions of 'Anonymous' to disable anonymous editing
before:
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
};
after:
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
// permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify";
// permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
};
Install.jsp: Make sure that the Install.jsp is deleted from the root folder of the web application.
After that, restart the container and the wiki is secure.