for ContainerAuthentication to work the list of group/role names need to be known in advance.

git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@6470 71c3de6d-444a-0410-be80-ed276b4c234a

core/src/main/java/hudson/security/AuthorizationStrategy.java

@@ -9,6 +9,9 @@ import org.acegisecurity.Authentication;
 import org.kohsuke.stapler.StaplerRequest;
 
 import java.io.Serializable;
+import java.util.List;
+import java.util.Collection;
+import java.util.Collections;
 
 import net.sf.json.JSONObject;
 
@@ -41,6 +44,18 @@ public abstract class AuthorizationStrategy implements Describable<Authorization
      */
     public abstract ACL getRootACL();
 
+    /**
+     * Returns the list of all group/role names used in this authorization strategy,
+     * and the ACL returned from the {@link #getRootACL()} method.
+     * <p>
+     * This method is used by {@link ContainerAuthentication} to work around the servlet API issue
+     * that prevents us from enumerating roles that the user has.
+     *
+     * @return
+     *      never null.
+     */
+    public abstract Collection<String> getGroups();
+
     /**
      * All registered {@link SecurityRealm} implementations.
      */
@@ -69,6 +84,10 @@ public abstract class AuthorizationStrategy implements Describable<Authorization
             return UNSECURED_ACL;
         }
 
+        public Collection<String> getGroups() {
+            return Collections.emptySet();
+        }
+
         private static final ACL UNSECURED_ACL = new ACL() {
             public boolean hasPermission(Authentication a, Permission permission) {
                 return true;

core/src/main/java/hudson/security/ContainerAuthentication.java

@@ -6,6 +6,10 @@ import org.acegisecurity.GrantedAuthorityImpl;
 
 import javax.servlet.http.HttpServletRequest;
 import java.security.Principal;
+import java.util.List;
+import java.util.ArrayList;
+
+import hudson.model.Hudson;
 
 /**
  * {@link Authentication} implementation for {@link Principal}
@@ -19,19 +23,24 @@ import java.security.Principal;
  */
 public final class ContainerAuthentication implements Authentication {
     private final HttpServletRequest request;
+    private GrantedAuthority[] authorities;
 
     public ContainerAuthentication(HttpServletRequest request) {
         this.request = request;
     }
 
     public GrantedAuthority[] getAuthorities() {
-        // Servlet API doesn't provide a way to list up all roles the current user
-        // has, so we are approximating the current user's capability by checking
-        // the 'admin' role.
-        if (request.isUserInRole("admin"))
-            return ADMIN_AUTHORITY;
-        else
-            return NO_AUTHORITY;
+        if(authorities==null) {
+            // Servlet API doesn't provide a way to list up all roles the current user
+            // has, so we need to ask AuthorizationStrategy what roles it is going to check against.
+            List<GrantedAuthority> l = new ArrayList<GrantedAuthority>();
+            for( String g : Hudson.getInstance().getAuthorizationStrategy().getGroups()) {
+                if(request.isUserInRole(g))
+                    l.add(new GrantedAuthorityImpl(g));
+            }
+            authorities = l.toArray(new GrantedAuthority[l.size()]);
+        }
+        return authorities;
     }
 
     public Object getCredentials() {

core/src/main/java/hudson/security/FullControlOnceLoggedInAuthorizationStrategy.java

@@ -4,6 +4,9 @@ import hudson.model.Descriptor;
 import net.sf.json.JSONObject;
 import org.kohsuke.stapler.StaplerRequest;
 
+import java.util.List;
+import java.util.Collections;
+
 /**
  * {@link AuthorizationStrategy} that grants full-control to authenticated user
  * (other than anonymous users.)
@@ -16,6 +19,10 @@ public class FullControlOnceLoggedInAuthorizationStrategy extends AuthorizationS
         return THE_ACL;
     }
 
+    public List<String> getGroups() {
+        return Collections.emptyList();
+    }
+
     private static final SparseACL THE_ACL = new SparseACL(null);
 
     static {

core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java

@@ -38,6 +38,8 @@ public class GlobalMatrixAuthorizationStrategy extends AuthorizationStrategy {
      */
     private final Map<Permission,Set<String>> grantedPermissions = new HashMap<Permission, Set<String>>();
 
+    private final Set<String> sids = new HashSet<String>();
+
     /**
      * Adds to {@link #grantedPermissions}.
      * Use of this method should be limited during construction,
@@ -48,7 +50,7 @@ public class GlobalMatrixAuthorizationStrategy extends AuthorizationStrategy {
         if(set==null)
             grantedPermissions.put(p,set = new HashSet<String>());
         set.add(sid);
-
+        sids.add(sid);
     }
 
     /**
@@ -65,6 +67,10 @@ public class GlobalMatrixAuthorizationStrategy extends AuthorizationStrategy {
         return acl;
     }
 
+    public Set<String> getGroups() {
+        return sids;
+    }
+
     private Object readResolve() {
         acl = new AclImpl();
         return this;

core/src/main/java/hudson/security/LegacyAuthorizationStrategy.java

@@ -5,6 +5,9 @@ import org.acegisecurity.acls.sid.GrantedAuthoritySid;
 import org.kohsuke.stapler.StaplerRequest;
 import net.sf.json.JSONObject;
 
+import java.util.Collection;
+import java.util.Collections;
+
 /**
  * {@link AuthorizationStrategy} implementation that emulates the legacy behavior.
  * @author Kohsuke Kawaguchi
@@ -19,6 +22,10 @@ public final class LegacyAuthorizationStrategy extends AuthorizationStrategy {
         return LEGACY_ACL;
     }
 
+    public Collection<String> getGroups() {
+        return Collections.singleton("admin");
+    }
+
     public Descriptor<AuthorizationStrategy> getDescriptor() {
         return DESCRIPTOR;
     }