Package jenkins.security
Class BasicHeaderProcessor
- java.lang.Object
  - jenkins.security.BasicHeaderProcessor
- All Implemented Interfaces: javax.servlet.Filter
- Direct Known Subclasses: ApiTokenFilter
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public class BasicHeaderProcessor extends Object implements javax.servlet.Filter
Takes "username:password" given in the Authorization HTTP header and authenticates the request.
Implementations of BasicHeaderAuthenticator include one that accepts the real password, then one that checks the user's API token. We call them all from a single Filter like this, as opposed to using a list of Filters, so that multiple filters don't end up trying to authenticate the same header differently and fail.
- Author: Kohsuke Kawaguchi
Constructor Summary
Constructor | Description
BasicHeaderProcessor() |
-
Method Summary
Modifier and Type | Method | Description
protected List<? extends BasicHeaderAuthenticator> | all() |
protected boolean | authenticationIsRequired(String username) | If the request is already authenticated to the same user that the Authorization header claims, for example through the HTTP session, then there's no need to re-authenticate the Authorization header, so we skip that.
void | destroy() |
void | doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) |
protected void | fail(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse rsp, org.springframework.security.authentication.BadCredentialsException failure) |
void | init(javax.servlet.FilterConfig filterConfig) |
void | setAuthenticationEntryPoint(org.springframework.security.web.AuthenticationEntryPoint authenticationEntryPoint) |
void | setRememberMeServices(org.springframework.security.web.authentication.RememberMeServices rememberMeServices) |
protected void | success(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse rsp, javax.servlet.FilterChain chain, org.springframework.security.core.Authentication auth) |
Method Detail
-
init
public void init(javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException
- Specified by: init in interface javax.servlet.Filter
- Throws:
  javax.servlet.ServletException
-
setAuthenticationEntryPoint
public void setAuthenticationEntryPoint(org.springframework.security.web.AuthenticationEntryPoint authenticationEntryPoint)
-
setRememberMeServices
public void setRememberMeServices(org.springframework.security.web.authentication.RememberMeServices rememberMeServices)
-
doFilter
public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
- Specified by: doFilter in interface javax.servlet.Filter
- Throws:
  IOException
  javax.servlet.ServletException
-
authenticationIsRequired
protected boolean authenticationIsRequired(String username)
If the request is already authenticated to the same user that the Authorization header claims, for example through the HTTP session, then there's no need to re-authenticate the Authorization header, so we skip that. This avoids stressing SecurityRealm. This method returns false if we can take this short-cut.
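The single-filter design from the class description, together with the short-cut above, as an added sketch that is not Jenkins source code. The Authenticator interface, the credentials and the PASS/SKIP/OK/FAIL results are hypothetical stand-ins chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.List;

public class SingleFilterBasicAuthDemo {
    /** Hypothetical stand-in for BasicHeaderAuthenticator: true if it accepts the pair. */
    interface Authenticator { boolean accepts(String user, String secret); }
    // Constant-time comparison so the position of a mismatch is not leaked through timing.
    static boolean same(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
    // Constructed credentials, in the order the class description gives: real password, then API token.
    static final List<Authenticator> ALL = List.of(
        (u, s) -> u.equals("alice") && same(s, "real-password"),
        (u, s) -> u.equals("alice") && same(s, "constructed-api-token"));

    /** Returns {user, secret} from a Basic header value, or null if it is absent or malformed. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String decoded = new String(raw, StandardCharsets.UTF_8);
            int colon = decoded.indexOf(':'); // split on the first colon: the secret may contain ':'
            return colon < 0 ? null : new String[] {decoded.substring(0, colon), decoded.substring(colon + 1)};
        } catch (IllegalArgumentException invalidBase64) {
            return null;
        }
    }

    /** One decision per header: PASS (nothing to do), SKIP (session already matches), OK or FAIL. */
    static String process(String header, String sessionUser) {
        String[] cred = parseBasic(header);
        if (cred == null) return "PASS";                // request continues unauthenticated
        if (cred[0].equals(sessionUser)) return "SKIP"; // authenticationIsRequired would be false
        for (Authenticator a : ALL) if (a.accepts(cred[0], cred[1])) return "OK";
        return "FAIL"; // rejected only after every authenticator has declined
    }

    public static void main(String[] args) {
        String token = "Basic " + Base64.getEncoder().encodeToString("alice:constructed-api-token".getBytes(StandardCharsets.UTF_8));
        String wrong = "Basic " + Base64.getEncoder().encodeToString("alice:wrong".getBytes(StandardCharsets.UTF_8));
        System.out.println(process(token, null));    // password check declines, token check accepts
        System.out.println(process(wrong, null));    // neither authenticator accepts
        System.out.println(process(wrong, "alice")); // session already belongs to alice
        System.out.println(process(null, null));     // no Authorization header
    }
}
```

Had the password and token checks been two separate filters, the first would have rejected the token-bearing request before the second could see it; the third call shows that the short-cut compares only the user name, so the header's secret is not re-verified.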
-
success
protected void success(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse rsp, javax.servlet.FilterChain chain, org.springframework.security.core.Authentication auth) throws IOException, javax.servlet.ServletException
- Throws:
  IOException
  javax.servlet.ServletException
-
fail
protected void fail(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse rsp, org.springframework.security.authentication.BadCredentialsException failure) throws IOException, javax.servlet.ServletException
- Throws:
  IOException
  javax.servlet.ServletException
-
all
protected List<? extends BasicHeaderAuthenticator> all()
-
destroy
public void destroy()
- Specified by: destroy in interface javax.servlet.Filter