diff --git a/core/src/main/java/hudson/security/AuthorizationStrategy.java b/core/src/main/java/hudson/security/AuthorizationStrategy.java index 5ad0bdc4a765e80f74a06252059497e3ccb5e522..25d1917606f427183c3d6cd1efa2294863ab84c3 100644 --- a/core/src/main/java/hudson/security/AuthorizationStrategy.java +++ b/core/src/main/java/hudson/security/AuthorizationStrategy.java @@ -9,6 +9,9 @@ import org.acegisecurity.Authentication; import org.kohsuke.stapler.StaplerRequest; import java.io.Serializable; +import java.util.List; +import java.util.Collection; +import java.util.Collections; import net.sf.json.JSONObject; @@ -41,6 +44,18 @@ public abstract class AuthorizationStrategy implements Describable + * This method is used by {@link ContainerAuthentication} to work around the servlet API issue + * that prevents us from enumerating roles that the user has. + * + * @return + * never null. + */ + public abstract Collection getGroups(); + /** * All registered {@link SecurityRealm} implementations. */ @@ -69,6 +84,10 @@ public abstract class AuthorizationStrategy implements Describable getGroups() { + return Collections.emptySet(); + } + private static final ACL UNSECURED_ACL = new ACL() { public boolean hasPermission(Authentication a, Permission permission) { return true; diff --git a/core/src/main/java/hudson/security/ContainerAuthentication.java b/core/src/main/java/hudson/security/ContainerAuthentication.java index dd4b717c9accfb3e67d8f88d1a50a6e8d2a544b8..18433b7a297e7f7f081ce7fb5f2534f933c3338e 100644 --- a/core/src/main/java/hudson/security/ContainerAuthentication.java +++ b/core/src/main/java/hudson/security/ContainerAuthentication.java @@ -6,6 +6,10 @@ import org.acegisecurity.GrantedAuthorityImpl; import javax.servlet.http.HttpServletRequest; import java.security.Principal; +import java.util.List; +import java.util.ArrayList; + +import hudson.model.Hudson; /** * {@link Authentication} implementation for {@link Principal} @@ -19,19 +23,24 @@ import java.security.Principal; */ public final class ContainerAuthentication implements Authentication { private final HttpServletRequest request; + private GrantedAuthority[] authorities; public ContainerAuthentication(HttpServletRequest request) { this.request = request; } public GrantedAuthority[] getAuthorities() { - // Servlet API doesn't provide a way to list up all roles the current user - // has, so we are approximating the current user's capability by checking - // the 'admin' role. - if (request.isUserInRole("admin")) - return ADMIN_AUTHORITY; - else - return NO_AUTHORITY; + if(authorities==null) { + // Servlet API doesn't provide a way to list up all roles the current user + // has, so we need to ask AuthorizationStrategy what roles it is going to check against. + List l = new ArrayList(); + for( String g : Hudson.getInstance().getAuthorizationStrategy().getGroups()) { + if(request.isUserInRole(g)) + l.add(new GrantedAuthorityImpl(g)); + } + authorities = l.toArray(new GrantedAuthority[l.size()]); + } + return authorities; } public Object getCredentials() { diff --git a/core/src/main/java/hudson/security/FullControlOnceLoggedInAuthorizationStrategy.java b/core/src/main/java/hudson/security/FullControlOnceLoggedInAuthorizationStrategy.java index 9b80d62a0d170d6336af1b5672d864b8c61b4b1d..755995813c9ce945cd3f7dd5ea5ea075ec887826 100644 --- a/core/src/main/java/hudson/security/FullControlOnceLoggedInAuthorizationStrategy.java +++ b/core/src/main/java/hudson/security/FullControlOnceLoggedInAuthorizationStrategy.java @@ -4,6 +4,9 @@ import hudson.model.Descriptor; import net.sf.json.JSONObject; import org.kohsuke.stapler.StaplerRequest; +import java.util.List; +import java.util.Collections; + /** * {@link AuthorizationStrategy} that grants full-control to authenticated user * (other than anonymous users.) @@ -16,6 +19,10 @@ public class FullControlOnceLoggedInAuthorizationStrategy extends AuthorizationS return THE_ACL; } + public List getGroups() { + return Collections.emptyList(); + } + private static final SparseACL THE_ACL = new SparseACL(null); static { diff --git a/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java b/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java index dfb5dcf471a75932a582f40d29ae5d710124b50b..8608c0263c3f12293d1d6dc82d3eff547c4aaf7a 100644 --- a/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java +++ b/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java @@ -38,6 +38,8 @@ public class GlobalMatrixAuthorizationStrategy extends AuthorizationStrategy { */ private final Map> grantedPermissions = new HashMap>(); + private final Set sids = new HashSet(); + /** * Adds to {@link #grantedPermissions}. * Use of this method should be limited during construction, @@ -48,7 +50,7 @@ public class GlobalMatrixAuthorizationStrategy extends AuthorizationStrategy { if(set==null) grantedPermissions.put(p,set = new HashSet()); set.add(sid); - + sids.add(sid); } /** @@ -65,6 +67,10 @@ public class GlobalMatrixAuthorizationStrategy extends AuthorizationStrategy { return acl; } + public Set getGroups() { + return sids; + } + private Object readResolve() { acl = new AclImpl(); return this; diff --git a/core/src/main/java/hudson/security/LegacyAuthorizationStrategy.java b/core/src/main/java/hudson/security/LegacyAuthorizationStrategy.java index 346b5b97594451d4f228f69e7241e3d104e5f898..1d3c74aea0c878d768f0ea9686792a33b52f5c7e 100644 --- a/core/src/main/java/hudson/security/LegacyAuthorizationStrategy.java +++ b/core/src/main/java/hudson/security/LegacyAuthorizationStrategy.java @@ -5,6 +5,9 @@ import org.acegisecurity.acls.sid.GrantedAuthoritySid; import org.kohsuke.stapler.StaplerRequest; import net.sf.json.JSONObject; +import java.util.Collection; +import java.util.Collections; + /** * {@link AuthorizationStrategy} implementation that emulates the legacy behavior. * @author Kohsuke Kawaguchi @@ -19,6 +22,10 @@ public final class LegacyAuthorizationStrategy extends AuthorizationStrategy { return LEGACY_ACL; } + public Collection getGroups() { + return Collections.singleton("admin"); + } + public Descriptor getDescriptor() { return DESCRIPTOR; }