Class HudsonPrivateSecurityRealm

All Implemented Interfaces:
ExtensionPoint, Describable<SecurityRealm>, ModelObject, AccessControlled

public class HudsonPrivateSecurityRealm extends AbstractPasswordBasedSecurityRealm implements ModelObject, AccessControlled
SecurityRealm that performs authentication by looking up User.

Implements AccessControlled to satisfy view rendering, but in reality the access control is done against the Jenkins object.

Author:
Kohsuke Kawaguchi
  • Field Details

    • PASSWORD_ENCODER

      public static final hudson.security.HudsonPrivateSecurityRealm.MultiPasswordEncoder PASSWORD_ENCODER
  • Constructor Details

    • HudsonPrivateSecurityRealm

      @Deprecated public HudsonPrivateSecurityRealm(boolean allowsSignup)
      Deprecated.
    • HudsonPrivateSecurityRealm

      @DataBoundConstructor public HudsonPrivateSecurityRealm(boolean allowsSignup, boolean enableCaptcha, CaptchaSupport captchaSupport)
  • Method Details

    • allowsSignup

      public boolean allowsSignup()
      Description copied from class: SecurityRealm
      Returns true if this SecurityRealm allows online sign-up. This creates a hyperlink that redirects users to CONTEXT_ROOT/signUp, which will be served by the signup.jelly view of this class.

      If the implementation needs to redirect the user to a different URL for signing up, use the following jelly script as signup.jelly:

       <st:redirect url="http://www.sun.com/" xmlns:st="jelly:stapler"/>
      Overrides:
      allowsSignup in class SecurityRealm
    • getAllowsSignup

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public boolean getAllowsSignup()
    • isEnableCaptcha

      public boolean isEnableCaptcha()
      Checks if captcha is enabled on user signup.
      Returns:
      true if captcha is enabled on signup.
    • loadGroupByGroupname2

      public GroupDetails loadGroupByGroupname2(String groupname, boolean fetchMembers) throws org.springframework.security.core.userdetails.UsernameNotFoundException
      This implementation doesn't support groups.
      Overrides:
      loadGroupByGroupname2 in class AbstractPasswordBasedSecurityRealm
      Parameters:
      groupname - the name of the group to fetch
      fetchMembers - if true, then try to fetch the members of the group if it exists. Trying does not imply that the members will be fetched, and GroupDetails.getMembers() may still return null.
      Throws:
      UserMayOrMayNotExistException2 - if no conclusive result could be determined regarding the group existence.
      org.springframework.security.core.userdetails.UsernameNotFoundException - if the group does not exist.
    • loadUserByUsername2

      public org.springframework.security.core.userdetails.UserDetails loadUserByUsername2(String username) throws org.springframework.security.core.userdetails.UsernameNotFoundException
      Description copied from class: AbstractPasswordBasedSecurityRealm
      Retrieves information about a user by its name.

      This method is used, for example, to validate if the given token is a valid user name when the user is configuring an ACL. This is an optional method that improves the user experience. If your backend doesn't support a query like this, just always throw UsernameNotFoundException.

      Overrides:
      loadUserByUsername2 in class AbstractPasswordBasedSecurityRealm
      Returns:
      never null.
      Throws:
      UserMayOrMayNotExistException2 - If the security realm cannot even tell if the user exists or not.
      org.springframework.security.core.userdetails.UsernameNotFoundException
    • load

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public HudsonPrivateSecurityRealm.Details load(String username) throws org.springframework.security.core.userdetails.UsernameNotFoundException
      Throws:
      org.springframework.security.core.userdetails.UsernameNotFoundException
    • authenticate2

      protected org.springframework.security.core.userdetails.UserDetails authenticate2(String username, String password) throws org.springframework.security.core.AuthenticationException
      Description copied from class: AbstractPasswordBasedSecurityRealm
      Authenticate a login attempt. This method is the heart of an AbstractPasswordBasedSecurityRealm.

      If the user name and password pair matches, retrieve the information about this user and return it as a UserDetails object. User is a convenient implementation to use, but if your backend offers additional data, you may want to use your own subtype so that the rest of Hudson can use that additional information (such as e-mail address --- see MailAddressResolver.)

      Properties like UserDetails.getPassword() make no sense, so just return an empty value from it. The only information that you need to pay real attention to is UserDetails.getAuthorities(), which is a list of roles/groups that the user is in. At minimum, this must contain SecurityRealm.AUTHENTICATED_AUTHORITY (which indicates that this user is authenticated and not anonymous), but if your backend supports a notion of groups, you should make sure that the authorities contain one entry per group. This enables users to control authorization based on groups.

      If the user name and password pair doesn't match, throw AuthenticationException to reject the login attempt.

      Overrides:
      authenticate2 in class AbstractPasswordBasedSecurityRealm
      Throws:
      org.springframework.security.core.AuthenticationException
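      The three contracts described above (loadGroupByGroupname2 for a backend without groups, loadUserByUsername2 throwing UsernameNotFoundException for unknown names, and authenticate2 returning a UserDetails whose authorities mark the principal as authenticated) fit together in one small realm. The class below is an added example written for this page, not code from Jenkins core or from HudsonPrivateSecurityRealm. The class name InMemoryPasswordRealm, the hashes map, the DUMMY_HASH field and the sample account are constructed for illustration. It assumes the jbcrypt library (org.mindrot.jbcrypt.BCrypt) and Spring Security classes that Jenkins core ships are on the plugin classpath, and uses SecurityRealm.AUTHENTICATED_AUTHORITY2, the Spring Security counterpart of the AUTHENTICATED_AUTHORITY constant named in the text.

```java
package example.realm; // hypothetical package for this added example

import hudson.Extension;
import hudson.model.Descriptor;
import hudson.security.AbstractPasswordBasedSecurityRealm;
import hudson.security.GroupDetails;
import hudson.security.SecurityRealm;
import org.kohsuke.stapler.DataBoundConstructor;
import org.mindrot.jbcrypt.BCrypt;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Minimal password-based realm that follows the AbstractPasswordBasedSecurityRealm
 * contract: bcrypt-hashed credentials kept in memory, no notion of groups.
 * Constructed for illustration; not part of Jenkins core.
 */
public class InMemoryPasswordRealm extends AbstractPasswordBasedSecurityRealm {

    /** Hash checked for unknown user names so that timing does not reveal account existence. */
    private static final String DUMMY_HASH = BCrypt.hashpw("not-a-real-password", BCrypt.gensalt());

    /** username -> bcrypt hash. Only hashes are stored, never the plaintext. */
    private final Map<String, String> hashes = new ConcurrentHashMap<>();

    @DataBoundConstructor
    public InMemoryPasswordRealm() {
        // Sample account, constructed for this example.
        hashes.put("alice", BCrypt.hashpw("correct horse battery staple", BCrypt.gensalt()));
    }

    @Override
    protected UserDetails authenticate2(String username, String password) {
        String hash = hashes.get(username);
        // Run the bcrypt comparison even when the name is unknown; a fast "no such user"
        // path would otherwise let a caller enumerate accounts by response time.
        boolean matches = BCrypt.checkpw(password, hash != null ? hash : DUMMY_HASH);
        if (hash == null || !matches) {
            // One exception and one message for both failure causes, as the contract asks:
            // a mismatch is rejected by throwing AuthenticationException (here a subclass).
            throw new BadCredentialsException("Invalid username or password");
        }
        // getPassword() is meaningless to the rest of Jenkins, so the password field is empty.
        // The authorities must at least mark the principal as authenticated (not anonymous).
        return new User(username, "",
                Collections.singletonList(SecurityRealm.AUTHENTICATED_AUTHORITY2));
    }

    @Override
    public UserDetails loadUserByUsername2(String username) throws UsernameNotFoundException {
        // Used when Jenkins validates names typed into an ACL; must never return null.
        if (!hashes.containsKey(username)) {
            throw new UsernameNotFoundException(username);
        }
        return new User(username, "",
                Collections.singletonList(SecurityRealm.AUTHENTICATED_AUTHORITY2));
    }

    @Override
    public GroupDetails loadGroupByGroupname2(String groupname, boolean fetchMembers)
            throws UsernameNotFoundException {
        // This backend has no groups, so every group lookup reports "does not exist",
        // the same behaviour the page documents for HudsonPrivateSecurityRealm.
        throw new UsernameNotFoundException("Groups are not supported: " + groupname);
    }

    /** Makes the realm selectable under Configure Global Security. */
    @Extension
    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
        @Override
        public String getDisplayName() {
            return "In-memory bcrypt realm (example)";
        }
    }
}
```

      The point worth carrying over to a real backend is the shape of the failure path: unknown-user and wrong-password attempts take the same code path, run the same hash comparison and surface the same exception, so neither the message nor the latency distinguishes them.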
    • commenceSignup

      public org.kohsuke.stapler.HttpResponse commenceSignup(FederatedLoginService.FederatedIdentity identity)
      Show the sign up page with the data from the identity.
      Overrides:
      commenceSignup in class SecurityRealm
    • doCreateAccountWithFederatedIdentity

      public User doCreateAccountWithFederatedIdentity(org.kohsuke.stapler.StaplerRequest2 req, org.kohsuke.stapler.StaplerResponse2 rsp) throws IOException, jakarta.servlet.ServletException
      Creates an account and associates that with the given identity. Used in conjunction with commenceSignup(hudson.security.FederatedLoginService.FederatedIdentity).
      Throws:
      IOException
      jakarta.servlet.ServletException
    • doCreateAccount

      public User doCreateAccount(org.kohsuke.stapler.StaplerRequest2 req, org.kohsuke.stapler.StaplerResponse2 rsp) throws IOException, jakarta.servlet.ServletException
      Creates a user account. Used for self-registration.
      Throws:
      IOException
      jakarta.servlet.ServletException
    • doCreateAccountByAdmin

      public void doCreateAccountByAdmin(org.kohsuke.stapler.StaplerRequest2 req, org.kohsuke.stapler.StaplerResponse2 rsp) throws IOException, jakarta.servlet.ServletException
      Creates a user account. Used by admins. This version behaves differently from doCreateAccount(StaplerRequest2, StaplerResponse2) in that this is someone creating another user.
      Throws:
      IOException
      jakarta.servlet.ServletException
    • createAccountByAdmin

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public User createAccountByAdmin(org.kohsuke.stapler.StaplerRequest2 req, org.kohsuke.stapler.StaplerResponse2 rsp, String addUserView, String successView) throws IOException, jakarta.servlet.ServletException
      Creates a user account. Requires Jenkins.ADMINISTER.
      Throws:
      IOException
      jakarta.servlet.ServletException
    • createAccountFromSetupWizard

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public User createAccountFromSetupWizard(org.kohsuke.stapler.StaplerRequest2 req) throws IOException, AccountCreationFailedException
      Creates a user account. Intended to be called from the setup wizard. Note that this method does not check whether it is actually called from the setup wizard. This requires the Jenkins.ADMINISTER permission.
      Parameters:
      req - the request to retrieve input data from
      Returns:
      the created user account, never null
      Throws:
      AccountCreationFailedException - if account creation failed due to invalid form input
      IOException
    • doCreateFirstAccount

      public void doCreateFirstAccount(org.kohsuke.stapler.StaplerRequest2 req, org.kohsuke.stapler.StaplerResponse2 rsp) throws IOException, jakarta.servlet.ServletException
      Creates a first admin user account.

      This can be run by anyone, but only to create the very first user account.

      Throws:
      IOException
      jakarta.servlet.ServletException
    • isMailerPluginPresent

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public boolean isMailerPluginPresent()
    • createAccount

      public User createAccount(String userName, String password) throws IOException
      Creates a new user account by registering a password to the user.
      Throws:
      IOException
    • createAccountWithHashedPassword

      public User createAccountWithHashedPassword(String userName, String hashedPassword) throws IOException
      Creates a new user account by registering a hashed password with the user.
      Parameters:
      userName - The user's name
      hashedPassword - A hashed password, must begin with getPasswordHeader()
      Throws:
      IOException
      See Also:
      • getPasswordHeader()
    • getDisplayName

      public String getDisplayName()
      This is used primarily when the object is listed in the breadcrumb, in the user management screen.
      Specified by:
      getDisplayName in interface ModelObject
    • getACL

      public ACL getACL()
      Description copied from interface: AccessControlled
      Obtains the ACL associated with this object.
      Specified by:
      getACL in interface AccessControlled
      Returns:
      never null.
    • checkPermission

      public void checkPermission(Permission permission)
      Description copied from interface: AccessControlled
      Convenient short-cut for getACL().checkPermission(permission)
      Specified by:
      checkPermission in interface AccessControlled
    • hasPermission

      public boolean hasPermission(Permission permission)
      Description copied from interface: AccessControlled
      Convenient short-cut for getACL().hasPermission(permission)
      Specified by:
      hasPermission in interface AccessControlled
    • getAllUsers

      public List<User> getAllUsers()
      All users who can log in to the system.
    • getUser

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public User getUser(String id)
      This is to map users under the security realm URL. This in turn helps us set up the right navigation breadcrumb.