use of jenkins.security.AuthenticationSuccessHandler in project jenkins by jenkinsci.
the class SecurityRealm method createFilter.
/**
* Creates {@link Filter} that all the incoming HTTP requests will go through
* for authentication.
*
* <p>
* The default implementation uses {@link #getSecurityComponents()} and builds
* a standard filter chain.
* But subclasses can override this to completely change the filter sequence.
*
* <p>
* For other plugins that want to contribute {@link Filter}, see
* {@link PluginServletFilter}.
*
* @since 1.271
*/
public Filter createFilter(FilterConfig filterConfig) {
LOGGER.entering(SecurityRealm.class.getName(), "createFilter");
SecurityComponents sc = getSecurityComponents();
List<Filter> filters = new ArrayList<>();
{
HttpSessionSecurityContextRepository httpSessionSecurityContextRepository = new HttpSessionSecurityContextRepository();
httpSessionSecurityContextRepository.setAllowSessionCreation(false);
filters.add(new HttpSessionContextIntegrationFilter2(httpSessionSecurityContextRepository));
}
{
// if any "Authorization: Basic xxx:yyy" is sent this is the filter that processes it
BasicHeaderProcessor bhp = new BasicHeaderProcessor();
// if basic authentication fails (which only happens incorrect basic auth credential is sent),
// respond with 401 with basic auth request, instead of redirecting the user to the login page,
// since users of basic auth tends to be a program and won't see the redirection to the form
// page as a failure
BasicAuthenticationEntryPoint basicAuthenticationEntryPoint = new BasicAuthenticationEntryPoint();
basicAuthenticationEntryPoint.setRealmName("Jenkins");
bhp.setAuthenticationEntryPoint(basicAuthenticationEntryPoint);
bhp.setRememberMeServices(sc.rememberMe2);
filters.add(bhp);
}
{
AuthenticationProcessingFilter2 apf = new AuthenticationProcessingFilter2(getAuthenticationGatewayUrl());
apf.setAuthenticationManager(sc.manager2);
if (SystemProperties.getInteger(SecurityRealm.class.getName() + ".sessionFixationProtectionMode", 1) == 1) {
// By default, use the 'canonical' protection from Spring Security; see AuthenticationProcessingFilter2#successfulAuthentication for alternative
apf.setSessionAuthenticationStrategy(new SessionFixationProtectionStrategy());
}
apf.setRememberMeServices(sc.rememberMe2);
final AuthenticationSuccessHandler successHandler = new AuthenticationSuccessHandler();
successHandler.setTargetUrlParameter("from");
apf.setAuthenticationSuccessHandler(successHandler);
apf.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler("/loginError"));
filters.add(apf);
}
filters.add(new RememberMeAuthenticationFilter(sc.manager2, sc.rememberMe2));
filters.addAll(commonFilters());
return new ChainedServletFilter(filters);
}
Aggregations