
Example 1 with BasicHeaderProcessor

use of jenkins.security.BasicHeaderProcessor in project jenkins by jenkinsci.

the class SecurityRealm method createFilter.

/**
 * Builds the servlet {@link Filter} through which every incoming HTTP request
 * passes for authentication.
 *
 * <p>
 * This default implementation takes its collaborators from
 * {@link #getSecurityComponents()} and assembles the filters in a fixed order:
 * session-backed security context, HTTP Basic header processing, form login,
 * remember-me, and finally whatever {@code commonFilters()} contributes.
 * Subclasses may override this method to replace the sequence entirely; an
 * override then owns every authentication step listed here.
 *
 * <p>
 * Plugins that only want to contribute an additional {@link Filter} should use
 * {@link PluginServletFilter} instead.
 *
 * @param filterConfig not read by this implementation
 * @return a {@link ChainedServletFilter} holding the filters in the order above
 * @since 1.271
 */
public Filter createFilter(FilterConfig filterConfig) {
    LOGGER.entering(SecurityRealm.class.getName(), "createFilter");
    final SecurityComponents components = getSecurityComponents();
    final List<Filter> chain = new ArrayList<>();

    // Step 1: load the security context from an existing HTTP session.
    // Session creation is switched off on the repository, so this step does not
    // itself hand a new session to a request that arrived without one.
    final HttpSessionSecurityContextRepository contextRepository = new HttpSessionSecurityContextRepository();
    contextRepository.setAllowSessionCreation(false);
    chain.add(new HttpSessionContextIntegrationFilter2(contextRepository));

    // Step 2: handle an "Authorization: Basic ..." request header when one is sent.
    final BasicHeaderProcessor basicHeaderProcessor = new BasicHeaderProcessor();
    // A rejected Basic credential is answered with 401 plus a Basic challenge for
    // the "Jenkins" realm rather than a redirect to the login form: Basic auth
    // clients are mostly programs, and a redirect to a form page would not look
    // like a failure to them.
    final BasicAuthenticationEntryPoint basicChallenge = new BasicAuthenticationEntryPoint();
    basicChallenge.setRealmName("Jenkins");
    basicHeaderProcessor.setAuthenticationEntryPoint(basicChallenge);
    basicHeaderProcessor.setRememberMeServices(components.rememberMe2);
    chain.add(basicHeaderProcessor);

    // Step 3: form login, bound to the URL returned by getAuthenticationGatewayUrl().
    final AuthenticationProcessingFilter2 formLogin = new AuthenticationProcessingFilter2(getAuthenticationGatewayUrl());
    formLogin.setAuthenticationManager(components.manager2);
    // Session fixation defence. Mode 1 (the default when the system property is
    // unset) installs Spring Security's SessionFixationProtectionStrategy; any
    // other value skips it here. The alternative is said to live in
    // AuthenticationProcessingFilter2#successfulAuthentication, which is not
    // visible from this method.
    final boolean useSpringFixationProtection =
            SystemProperties.getInteger(SecurityRealm.class.getName() + ".sessionFixationProtectionMode", 1) == 1;
    if (useSpringFixationProtection) {
        formLogin.setSessionAuthenticationStrategy(new SessionFixationProtectionStrategy());
    }
    formLogin.setRememberMeServices(components.rememberMe2);
    // The post-login redirect target comes from the request parameter "from".
    // NOTE(review): that value is caller-controlled; presumably
    // jenkins.security.AuthenticationSuccessHandler restricts it to safe
    // targets -- confirm there before reusing this wiring elsewhere.
    final AuthenticationSuccessHandler onSuccess = new AuthenticationSuccessHandler();
    onSuccess.setTargetUrlParameter("from");
    formLogin.setAuthenticationSuccessHandler(onSuccess);
    formLogin.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler("/loginError"));
    chain.add(formLogin);

    // Step 4: remember-me authentication, then the filters shared via commonFilters().
    chain.add(new RememberMeAuthenticationFilter(components.manager2, components.rememberMe2));
    chain.addAll(commonFilters());
    return new ChainedServletFilter(chain);
}
Also used : AuthenticationSuccessHandler(jenkins.security.AuthenticationSuccessHandler) RememberMeAuthenticationFilter(org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter) ArrayList(java.util.ArrayList) BasicHeaderProcessor(jenkins.security.BasicHeaderProcessor) BasicAuthenticationEntryPoint(org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint) HttpSessionSecurityContextRepository(org.springframework.security.web.context.HttpSessionSecurityContextRepository) Filter(javax.servlet.Filter) AcegiSecurityExceptionFilter(jenkins.security.AcegiSecurityExceptionFilter) RememberMeAuthenticationFilter(org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter) ExceptionTranslationFilter(org.springframework.security.web.access.ExceptionTranslationFilter) PluginServletFilter(hudson.util.PluginServletFilter) AnonymousAuthenticationFilter(org.springframework.security.web.authentication.AnonymousAuthenticationFilter) SessionFixationProtectionStrategy(org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy) SimpleUrlAuthenticationFailureHandler(org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler)

Aggregations

PluginServletFilter (hudson.util.PluginServletFilter)1 ArrayList (java.util.ArrayList)1 Filter (javax.servlet.Filter)1 AcegiSecurityExceptionFilter (jenkins.security.AcegiSecurityExceptionFilter)1 AuthenticationSuccessHandler (jenkins.security.AuthenticationSuccessHandler)1 BasicHeaderProcessor (jenkins.security.BasicHeaderProcessor)1 ExceptionTranslationFilter (org.springframework.security.web.access.ExceptionTranslationFilter)1 AnonymousAuthenticationFilter (org.springframework.security.web.authentication.AnonymousAuthenticationFilter)1 SimpleUrlAuthenticationFailureHandler (org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler)1 RememberMeAuthenticationFilter (org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter)1 SessionFixationProtectionStrategy (org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy)1 BasicAuthenticationEntryPoint (org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint)1 HttpSessionSecurityContextRepository (org.springframework.security.web.context.HttpSessionSecurityContextRepository)1