Package org.jenkinsci.plugins.oic
Class OicSecurityRealm
java.lang.Object
hudson.model.AbstractDescribableImpl<SecurityRealm>
hudson.security.SecurityRealm
org.jenkinsci.plugins.oic.OicSecurityRealm
- All Implemented Interfaces: ExtensionPoint, Describable<SecurityRealm>, Serializable
Login with OpenID Connect / OAuth 2
- Author: Michael Bischoff, Steve Arch
- See Also:
Nested Class Summary
Modifier and Type | Class | Description
- static final class
- static enum
Nested classes/interfaces inherited from class hudson.security.SecurityRealm: SecurityRealm.SecurityComponents
Nested classes/interfaces inherited from interface hudson.ExtensionPoint: ExtensionPoint.LegacyInstancesAreScopedToHudson

Field Summary
Fields inherited from class hudson.security.SecurityRealm: AUTHENTICATED_AUTHORITY, AUTHENTICATED_AUTHORITY2, LIST, NO_AUTHENTICATION

Constructor Summary
Constructor | Description
- OicSecurityRealm(String clientId, Secret clientSecret, OicServerConfiguration serverConfiguration, Boolean disableSslVerification)

Method Summary
Modifier and Type | Method | Description
- protected org.pac4j.oidc.client.OidcClient buildOidcClient()
- protected boolean checkEscapeHatch(String username, String password)
- protected static io.burt.jmespath.Expression<Object> compileJMESPath(String str, String logComment)
- jakarta.servlet.Filter createFilter(jakarta.servlet.FilterConfig filterConfig)
- void
- void doCommenceLogin(String from, String referer): Handles the securityRealm/commenceLogin resource and sends the user off to the IdP.
- void doFinishLogin(org.kohsuke.stapler.StaplerRequest2 request, org.kohsuke.stapler.StaplerResponse2 response): This is where the user comes back to at the end of the OpenID redirect ping-pong.
- void doLogout(org.kohsuke.stapler.StaplerRequest2 req, org.kohsuke.stapler.StaplerResponse2 rsp)
- protected void filterNonFIPS140CompliantAlgorithms(com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata oidcProviderMetadata)
- String getPostLogOutUrl2(org.kohsuke.stapler.StaplerRequest2 req, org.springframework.security.core.Authentication auth)
- protected String getStringField(Object object, io.burt.jmespath.Expression<Object> fieldExpr)
- protected String getValidRedirectUrl: Validate the post-login redirect URL. For security reasons, the login must not redirect outside the Jenkins realm.
- boolean handleTokenExpiration(jakarta.servlet.http.HttpServletRequest httpRequest, jakarta.servlet.http.HttpServletResponse httpResponse): Handles token expiration.
- boolean
- boolean
- boolean
- boolean
- boolean
- boolean isExpired(OicCredentials credentials)
- boolean
- boolean
- boolean
- boolean
- boolean
- boolean
- protected Object
- void setAllowedTokenExpirationClockSkewSeconds(Long allowedTokenExpirationClockSkewSeconds)
- void setAllowTokenAccessWithoutOicSession(boolean allowTokenAccessWithoutOicSession)
- void setDisableTokenVerification(boolean disableTokenVerification)
- void setEmailFieldName(String emailFieldName)
- void setEscapeHatchEnabled(boolean escapeHatchEnabled)
- void setEscapeHatchGroup(String escapeHatchGroup)
- void setEscapeHatchSecret(Secret escapeHatchSecret)
- void setEscapeHatchUsername(String escapeHatchUsername)
- void setFullNameFieldName(String fullNameFieldName)
- void setGroupsFieldName(String groupsFieldName)
- void setLogoutFromOpenidProvider(boolean logoutFromOpenidProvider)
- void setNonceDisabled(boolean nonceDisabled)
- void setPkceEnabled(boolean pkceEnabled)
- void setPostLogoutRedirectUrl(String postLogoutRedirectUrl)
- void setRootURLFromRequest(boolean rootURLFromRequest)
- void setSendScopesInTokenRequest(boolean sendScopesInTokenRequest)
- void setTokenExpirationCheckDisabled(boolean tokenExpirationCheckDisabled)
- void setTokenFieldToCheckKey(String tokenFieldToCheckKey)
- void setTokenFieldToCheckValue(String tokenFieldToCheckValue)
- void setUserNameField(String userNameField)
Methods inherited from class hudson.security.SecurityRealm: all, allowsSignup, canLogOut, commenceSignup, commonFilters, createCliAuthenticator, createFilter, doCaptcha, doLogout, getCaptchaSupport, getCaptchaSupportDescriptors, getDescriptor, getFrom, getGroupIdStrategy, getPostLogOutUrl, getPostLogOutUrl2, getSecurityComponents, getUserIdStrategy, loadGroupByGroupname, loadGroupByGroupname, loadGroupByGroupname2, loadUserByUsername, loadUserByUsername2, setCaptchaSupport, validateCaptcha

Constructor Details

OicSecurityRealm
@DataBoundConstructor public OicSecurityRealm(String clientId, Secret clientSecret, OicServerConfiguration serverConfiguration, Boolean disableSslVerification) throws IOException, Descriptor.FormException
- Throws: IOException, Descriptor.FormException

Method Details

readResolve
- Throws: ObjectStreamException

getClientId

getClientSecret

getServerConfiguration
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public OicServerConfiguration getServerConfiguration()

getUserNameField

getTokenFieldToCheckKey

getTokenFieldToCheckValue

getFullNameFieldName

getEmailFieldName

getGroupsFieldName

isDisableSslVerification
public boolean isDisableSslVerification()

isLogoutFromOpenidProvider
public boolean isLogoutFromOpenidProvider()

getPostLogoutRedirectUrl

isEscapeHatchEnabled
public boolean isEscapeHatchEnabled()

getEscapeHatchUsername

getEscapeHatchSecret

getEscapeHatchGroup

isRootURLFromRequest
public boolean isRootURLFromRequest()

isSendScopesInTokenRequest
public boolean isSendScopesInTokenRequest()

isPkceEnabled
public boolean isPkceEnabled()

isDisableTokenVerification
public boolean isDisableTokenVerification()

isNonceDisabled
public boolean isNonceDisabled()

isTokenExpirationCheckDisabled
public boolean isTokenExpirationCheckDisabled()

isAllowTokenAccessWithoutOicSession
public boolean isAllowTokenAccessWithoutOicSession()

getAllowedTokenExpirationClockSkewSeconds

createProxyAwareResourceRetriver
@PostConstruct @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public void createProxyAwareResourceRetriver()

filterNonFIPS140CompliantAlgorithms
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) protected void filterNonFIPS140CompliantAlgorithms(@NonNull com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata oidcProviderMetadata)

buildOidcClient
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) protected org.pac4j.oidc.client.OidcClient buildOidcClient()

setUserNameField

setTokenFieldToCheckKey

setTokenFieldToCheckValue

setFullNameFieldName

setEmailFieldName

compileJMESPath

setGroupsFieldName

setLogoutFromOpenidProvider
@DataBoundSetter public void setLogoutFromOpenidProvider(boolean logoutFromOpenidProvider)

setPostLogoutRedirectUrl

setEscapeHatchEnabled
@DataBoundSetter public void setEscapeHatchEnabled(boolean escapeHatchEnabled) throws Descriptor.FormException
- Throws: Descriptor.FormException

setEscapeHatchUsername

setEscapeHatchSecret

checkEscapeHatch

setEscapeHatchGroup

setRootURLFromRequest
@DataBoundSetter public void setRootURLFromRequest(boolean rootURLFromRequest)

setSendScopesInTokenRequest
@DataBoundSetter public void setSendScopesInTokenRequest(boolean sendScopesInTokenRequest)

setPkceEnabled
@DataBoundSetter public void setPkceEnabled(boolean pkceEnabled)

setDisableTokenVerification
@DataBoundSetter public void setDisableTokenVerification(boolean disableTokenVerification) throws Descriptor.FormException
- Throws: Descriptor.FormException

setNonceDisabled
@DataBoundSetter public void setNonceDisabled(boolean nonceDisabled)

setTokenExpirationCheckDisabled
@DataBoundSetter public void setTokenExpirationCheckDisabled(boolean tokenExpirationCheckDisabled)

setAllowTokenAccessWithoutOicSession
@DataBoundSetter public void setAllowTokenAccessWithoutOicSession(boolean allowTokenAccessWithoutOicSession)

setAllowedTokenExpirationClockSkewSeconds
@DataBoundSetter public void setAllowedTokenExpirationClockSkewSeconds(Long allowedTokenExpirationClockSkewSeconds)

getLoginUrl
- Overrides: getLoginUrl in class SecurityRealm

getAuthenticationGatewayUrl
- Overrides: getAuthenticationGatewayUrl in class SecurityRealm

createFilter
public jakarta.servlet.Filter createFilter(jakarta.servlet.FilterConfig filterConfig)
- Overrides: createFilter in class SecurityRealm

createSecurityComponents
- Specified by: createSecurityComponents in class SecurityRealm

getValidRedirectUrl
Validate the post-login redirect URL. For security reasons, the login must not redirect outside the Jenkins realm. For usability reasons, the logout page should redirect to the root URL.
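As an added illustration of the check getValidRedirectUrl describes (this is example code, not the plugin's own implementation): a requested redirect target is kept only if it resolves to the same scheme, host, port and context path as the Jenkins root URL, and anything else (other hosts, protocol-relative `//` targets, `../` escapes out of the context path, non-http schemes, unparsable input) falls back to the root URL. The root URL is a constructed sample value; in Jenkins it would come from the instance configuration.

```java
import java.net.URI;
import java.net.URISyntaxException;

public final class RedirectUrlCheck {
    // Constructed sample root URL (assumption for this example); Jenkins supplies the real one.
    private static final String ROOT_URL = "https://jenkins.example.com/jenkins/";

    /** Returns the target if it stays inside the Jenkins root URL, otherwise the root URL itself. */
    public static String validRedirectUrl(String from) {
        if (from == null || from.isBlank()) {
            return ROOT_URL;
        }
        try {
            URI root = new URI(ROOT_URL).normalize();
            // Resolving against the root turns relative paths into absolute URIs;
            // normalize() collapses "../" segments so path escapes are visible to the checks below.
            URI target = root.resolve(new URI(from.trim())).normalize();
            if (target.getScheme() == null || target.getHost() == null) {
                return ROOT_URL; // opaque URIs such as javascript: or mailto: never qualify
            }
            boolean sameOrigin = target.getScheme().equalsIgnoreCase(root.getScheme())
                    && target.getHost().equalsIgnoreCase(root.getHost())
                    && target.getPort() == root.getPort();
            // A different application on the same host (path outside /jenkins/) is still outside the realm.
            boolean underContext = target.getPath() != null && target.getPath().startsWith(root.getPath());
            return (sameOrigin && underContext) ? target.toString() : ROOT_URL;
        } catch (URISyntaxException | IllegalArgumentException e) {
            return ROOT_URL; // malformed input is not trusted, send the user to the root
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the first two are accepted, the rest fall back to ROOT_URL.
        String[] samples = {
            "job/build/1/", "/jenkins/view/all/", "//evil.example/", "https://evil.example/x",
            "https://jenkins.example.com/jenkins/../admin/", "javascript:alert(1)"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + validRedirectUrl(s));
        }
    }
}
```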
doCommenceLogin
@Restricted(org.kohsuke.accmod.restrictions.DoNotUse.class) public void doCommenceLogin(@QueryParameter String from, @Header("Referer") String referer) throws URISyntaxException
Handles the securityRealm/commenceLogin resource and sends the user off to the IdP.
- Parameters:
  from - the relative URL to the page that the user has just come from
  referer - the HTTP Referer header (where to redirect the user back to after login has finished)
- Throws: URISyntaxException - if the provided data is invalid

getStringField

doLogout
@Restricted(org.kohsuke.accmod.restrictions.DoNotUse.class) public void doLogout(org.kohsuke.stapler.StaplerRequest2 req, org.kohsuke.stapler.StaplerResponse2 rsp) throws IOException, jakarta.servlet.ServletException
- Overrides: doLogout in class SecurityRealm
- Throws: IOException, jakarta.servlet.ServletException

getPostLogOutUrl2
public String getPostLogOutUrl2(org.kohsuke.stapler.StaplerRequest2 req, org.springframework.security.core.Authentication auth)
- Overrides: getPostLogOutUrl2 in class SecurityRealm

doFinishLogin
public void doFinishLogin(org.kohsuke.stapler.StaplerRequest2 request, org.kohsuke.stapler.StaplerResponse2 response) throws IOException, ParseException
This is where the user comes back to at the end of the OpenID redirect ping-pong.
- Parameters:
  request - the user's request
- Throws: ParseException - if the JWT (or other response) could not be parsed; IOException

handleTokenExpiration
public boolean handleTokenExpiration(jakarta.servlet.http.HttpServletRequest httpRequest, jakarta.servlet.http.HttpServletResponse httpResponse) throws IOException, jakarta.servlet.ServletException
Handles token expiration.
- Throws: IOException - a low-level exception; jakarta.servlet.ServletException

isExpired