expand the detail reporting

4f828a32 · Kohsuke Kawaguchi · b8343469 · 4f828a32 · 4f828a32 · 4f828a32
4 changed file
--- a/core/src/main/java/hudson/security/AccessDeniedException2.java
+++ b/core/src/main/java/hudson/security/AccessDeniedException2.java
@@ -2,6 +2,10 @@ package hudson.security;

 import org.acegisecurity.AccessDeniedException;
 import org.acegisecurity.Authentication;
+import org.acegisecurity.GrantedAuthority;
+
+import javax.servlet.http.HttpServletResponse;
+import java.io.PrintWriter;

 /**
 * {@link AccessDeniedException} with more information.
@@ -28,4 +32,36 @@ public class AccessDeniedException2 extends AccessDeniedException {
        this.authentication = authentication;
        this.permission = permission;
    }
+
+    /**
+     * Reports the details of the access failure in HTTP headers to assist diagnosis.
+     */
+    public void reportAsHeaders(HttpServletResponse rsp) {
+        rsp.addHeader("X-You-Are-Authenticated-As",authentication.getName());
+        for (GrantedAuthority auth : authentication.getAuthorities()) {
+            rsp.addHeader("X-You-Are-In-Group",auth.getAuthority());
+        }
+        rsp.addHeader("X-Required-Permission", permission.getId());
+        for (Permission p=permission.impliedBy; p!=null; p=p.impliedBy) {
+            rsp.addHeader("X-Permission-Implied-By", p.getId());
+        }
+    }
+
+    /**
+     * Reports the details of the access failure.
+     * This method is similar to {@link #reportAsHeaders(HttpServletResponse)} for the intention
+     * but instead of using HTTP headers, this version is meant to go inside the payload.
+     */
+    public void report(PrintWriter w) {
+        w.println("You are authenticated as: "+authentication.getName());
+        w.println("Groups that you are in:");
+        for (GrantedAuthority auth : authentication.getAuthorities()) {
+            w.println("  "+auth.getAuthority());
+        }
+
+        w.println("Permission you need to have (but didn't): "+permission.getId());
+        for (Permission p=permission.impliedBy; p!=null; p=p.impliedBy) {
+            w.println(" ... which is implied by: "+p.getId());
+        }
+    }
 }
--- a/core/src/main/java/hudson/security/AccessDeniedHandlerImpl.java
+++ b/core/src/main/java/hudson/security/AccessDeniedHandlerImpl.java
@@ -26,19 +26,14 @@ package hudson.security;
 import jenkins.model.Jenkins;
 import org.acegisecurity.AccessDeniedException;
 import org.acegisecurity.ui.AccessDeniedHandler;
-import org.kohsuke.stapler.Stapler;
 import org.kohsuke.stapler.WebApp;

 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
-import javax.servlet.ServletConfig;
-import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import java.util.Enumeration;
-import java.util.Vector;

 /**
 * Handles {@link AccessDeniedException} happened during request processing.
@@ -47,12 +42,16 @@ import java.util.Vector;
 * @author Kohsuke Kawaguchi
 */
 public class AccessDeniedHandlerImpl implements AccessDeniedHandler {
-    public void handle(ServletRequest request, ServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
+    public void handle(ServletRequest request, ServletResponse response, AccessDeniedException cause) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse rsp = (HttpServletResponse) response;

        rsp.setStatus(HttpServletResponse.SC_FORBIDDEN);
-        req.setAttribute("exception",accessDeniedException);
+        req.setAttribute("exception",cause);
+
+        if (cause instanceof AccessDeniedException2) {
+            ((AccessDeniedException2)cause).reportAsHeaders(rsp);
+        }

        WebApp.get(Jenkins.getInstance().servletContext).getSomeStapler()
                .invoke(req,rsp, Jenkins.getInstance(), "/accessDenied");

--- a/core/src/main/java/hudson/security/HudsonAuthenticationEntryPoint.java
+++ b/core/src/main/java/hudson/security/HudsonAuthenticationEntryPoint.java
@@ -25,7 +25,6 @@ package hudson.security;

 import com.google.common.base.Strings;
 import org.acegisecurity.AuthenticationException;
-import org.acegisecurity.GrantedAuthority;
 import org.acegisecurity.InsufficientAuthenticationException;
 import org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint;

@@ -82,18 +81,12 @@ public class HudsonAuthenticationEntryPoint extends AuthenticationProcessingFilt
            rsp.setStatus(SC_FORBIDDEN);
            rsp.setContentType("text/html;charset=UTF-8");

+            AccessDeniedException2 cause = null;
            // report the diagnosis information if possible
            if (reason instanceof InsufficientAuthenticationException) {
                if (reason.getCause() instanceof AccessDeniedException2) {
-                    AccessDeniedException2 cause = (AccessDeniedException2) reason.getCause();
-                    rsp.addHeader("X-You-Are-Authenticated-As",cause.authentication.getName());
-                    for (GrantedAuthority auth : cause.authentication.getAuthorities()) {
-                        rsp.addHeader("X-You-Are-In-Group",auth.getAuthority());
-                    }
-                    rsp.addHeader("X-Required-Permission", cause.permission.getId());
-                    for (Permission p=cause.permission.impliedBy; p!=null; p=p.impliedBy) {
-                        rsp.addHeader("X-Permission-Implied-By", p.getId());
-                    }
+                    cause = (AccessDeniedException2) reason.getCause();
+                    cause.reportAsHeaders(rsp);
                }
            }

@@ -108,9 +101,17 @@ public class HudsonAuthenticationEntryPoint extends AuthenticationProcessingFilt
                "<meta http-equiv='refresh' content='1;url=%1$s'/>" +
                "<script>window.location.replace('%1$s');</script>" +
                "</head>" +
-                "<body style='background-color:white; color:white;'>" +
-                "Authentication required</body></html>", loginForm
-            );
+                "<body style='background-color:white; color:white;'>\n" +
+                "\n\n"+
+                "Authentication required\n"+
+                "<!--\n",loginForm);
+
+            if (cause!=null)
+                cause.report(out);
+
+            out.printf(
+                "-->\n\n"+
+                "</body></html>");
            // Turn Off "Show Friendly HTTP Error Messages" Feature on the Server Side.
            // See http://support.microsoft.com/kb/294807
            for (int i=0; i < 10; i++)

--- a/core/src/main/java/jenkins/security/ExceptionTranslationFilter.java
+++ b/core/src/main/java/jenkins/security/ExceptionTranslationFilter.java
@@ -220,7 +220,7 @@ public class ExceptionTranslationFilter implements Filter, InitializingBean {
 		// existing Authentication is no longer considered valid
 		SecurityContextHolder.getContext().setAuthentication(null);

-		authenticationEntryPoint.commence(httpRequest, (HttpServletResponse) response, reason);
+		authenticationEntryPoint.commence(httpRequest, response, reason);
 	}

 	public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler) {