Class BasicAuthenticationFilter

  • All Implemented Interfaces:
    javax.servlet.Filter

    public class BasicAuthenticationFilter
    extends Object
    implements javax.servlet.Filter
    Implements the dual authentication mechanism.

    Jenkins supports both HTTP basic authentication and form-based authentication. The former is for scripted clients, and the latter is for humans. Unfortunately, because the servlet spec does not allow us to programmatically authenticate users, we need to rely on a hack to make it work, and this is the class that implements that hack.

    When an HTTP request arrives with an HTTP basic auth header, this filter detects that and emulates an invocation of /j_security_check (see this page for the original technique).

    This causes the container to perform authentication, but there's no way to find out whether the user has been successfully authenticated or not. So to find this out, we then redirect the user to the /secured/... page.

    The handler of the above URL checks if the user is authenticated, and if not, reports an HTTP error code. Otherwise the user is redirected back to the original URL, where the request is served.

    So all in all, the redirection works like /abc/def → /secured/abc/def → /abc/def.
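
    The flow described above, sketched as an added Java example (not Jenkins' own code): it extracts the credentials a filter would hand to /j_security_check and computes both legs of the /secured redirect. The class and method names are hypothetical, the /jenkins context path and the credentials are constructed, and UTF-8 decoding of the header is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration; class and method names are hypothetical, not Jenkins code.
public class BasicAuthFlowSketch {

    /** Returns {username, password}, or null if the header is not usable Basic credentials. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8); // charset is an assumption
        } catch (IllegalArgumentException e) {
            return null; // malformed Base64: treat as "no credentials"
        }
        int colon = decoded.indexOf(':'); // split on the FIRST colon; passwords may contain ':'
        if (colon < 0) return null;
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    /** Step A -> B: where the client is sent after /j_security_check has been emulated. */
    static String toSecured(String contextPath, String pathInContext) {
        return contextPath + "/secured" + pathInContext;
    }

    /** Step B -> A: the /secured handler recovers the original URL to redirect back to. */
    static String fromSecured(String contextPath, String requestUri) {
        String prefix = contextPath + "/secured/";
        if (!requestUri.startsWith(prefix)) throw new IllegalArgumentException("not a /secured URL");
        // Keep the leading '/' of the original path.
        return contextPath + requestUri.substring(prefix.length() - 1);
    }

    public static void main(String[] args) {
        // Constructed sample: user "alice", password "s3:cret" (contains a colon).
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3:cret".getBytes(StandardCharsets.UTF_8));
        String[] cred = parseBasic(header);
        System.out.println(cred[0] + " / " + cred[1]);
        String secured = toSecured("/jenkins", "/abc/def");
        System.out.println(secured);
        System.out.println(fromSecured("/jenkins", secured));
        System.out.println(parseBasic("Basic !!!not-base64!!!") == null);
        System.out.println(parseBasic("Bearer abc") == null);
    }
}
```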

    Notes

    • The technique of getting a request dispatcher for /j_security_check may not work for all containers, but so far that seems like the only way to make this work.
    • This A → B → A redirect is a cyclic redirection, so we need to watch out for clients that detect this as an error.
    Author:
    Kohsuke Kawaguchi
    • Constructor Detail

      • BasicAuthenticationFilter

        public BasicAuthenticationFilter()
    • Method Detail

      • init

        public void init(javax.servlet.FilterConfig filterConfig)
                  throws javax.servlet.ServletException
        Specified by:
        init in interface javax.servlet.Filter
        Throws:
        javax.servlet.ServletException
      • doFilter

        public void doFilter(javax.servlet.ServletRequest request,
                             javax.servlet.ServletResponse response,
                             javax.servlet.FilterChain chain)
                      throws IOException,
                             javax.servlet.ServletException
        Specified by:
        doFilter in interface javax.servlet.Filter
        Throws:
        IOException
        javax.servlet.ServletException
      • destroy

        public void destroy()
        Specified by:
        destroy in interface javax.servlet.Filter