LinuxSuRen / jenkins, commit 78fde58c
Commit 78fde58c
Authored Nov 07, 2014 by Jesse Glick

Merge branch 'master' of git://github.com/jenkinsci/jenkins

Parents: ae053472, e451789a

Showing 5 changed files with 65 additions and 38 deletions (+65 -38)
changelog.html (+3 -0)
core/src/main/java/hudson/model/AbstractProject.java (+10 -0)
core/src/main/java/jenkins/security/BasicHeaderProcessor.java (+46 -1)
core/src/main/java/jenkins/security/BasicHeaderRealPasswordAuthenticator.java (+0 -36)
test/src/test/java/jenkins/security/BasicHeaderProcessorTest.java (+6 -1)
changelog.html
...
...
@@ -55,6 +55,9 @@ Upcoming changes</a>
<!-- Record your changes in the trunk here. -->
<div
id=
"trunk"
style=
"display:none"
>
<!--=TRUNK-BEGIN=-->
<ul
class=
image
>
<li
class=
bug
>
Basic Authentication in combination with Session is broken
(
<a
href=
"https://issues.jenkins-ci.org/browse/JENKINS-25144"
>
issue 25144
</a>
)
<li
class=
bug
>
Some plugins broken since 1.584 if they expected certain events to be fired under a specific user ID.
(
<a
href=
"https://issues.jenkins-ci.org/browse/JENKINS-25400"
>
issue 25400
</a>
)
...
...
core/src/main/java/hudson/model/AbstractProject.java
...
...
@@ -2043,6 +2043,16 @@ public abstract class AbstractProject<P extends AbstractProject<P,R>,R extends A
public
FormValidation
doCheckLabel
(
@AncestorInPath
AbstractProject
<?,?>
project
,
@QueryParameter
String
value
)
{
return
validateLabelExpression
(
value
,
project
);
}
/**
* Validate label expression string.
*
* @param project May be specified to perform project specific validation.
* @since 1.590
*/
public
static
@Nonnull
FormValidation
validateLabelExpression
(
String
value
,
@CheckForNull
AbstractProject
<?,
?>
project
)
{
if
(
Util
.
fixEmpty
(
value
)==
null
)
return
FormValidation
.
ok
();
// nothing typed yet
try
{
...
...
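Review bot: the javadoc on `validateLabelExpression` documents `@param project` but neither `@param value` nor `@return`, and since the method is now `public static` API (`@since 1.590`) it will be called from outside this class. Add `@param value the label expression to validate` and a `@return` line describing the `FormValidation` outcomes, including that an empty or whitespace-only value yields `FormValidation.ok()`, as the `Util.fixEmpty(value) == null` check shows.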
core/src/main/java/jenkins/security/BasicHeaderProcessor.java
package
jenkins.security
;
import
hudson.security.ACL
;
import
hudson.security.SecurityRealm
;
import
hudson.util.Scrambler
;
import
org.acegisecurity.Authentication
;
import
org.acegisecurity.AuthenticationManager
;
import
org.acegisecurity.BadCredentialsException
;
import
org.acegisecurity.context.SecurityContext
;
import
org.acegisecurity.context.SecurityContextHolder
;
import
org.acegisecurity.providers.UsernamePasswordAuthenticationToken
;
import
org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken
;
import
org.acegisecurity.ui.AuthenticationEntryPoint
;
import
org.acegisecurity.ui.rememberme.NullRememberMeServices
;
import
org.acegisecurity.ui.rememberme.RememberMeServices
;
...
...
@@ -67,6 +69,11 @@ public class BasicHeaderProcessor implements Filter {
String
username
=
uidpassword
.
substring
(
0
,
idx
);
String
password
=
uidpassword
.
substring
(
idx
+
1
);
if
(!
authenticationIsRequired
(
username
))
{
chain
.
doFilter
(
request
,
response
);
return
;
}
for
(
BasicHeaderAuthenticator
a
:
all
())
{
LOGGER
.
log
(
FINER
,
"Attempting to authenticate with {0}"
,
a
);
Authentication
auth
=
a
.
authenticate
(
req
,
rsp
,
username
,
password
);
...
...
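Review bot: the early return on `!authenticationIsRequired(username)` hands the request straight to `chain.doFilter(request, response)` without the just-parsed `password` ever being checked, and unlike the loop below it logs nothing. Add a `LOGGER.log(FINER, ...)` on that path stating that the Authorization header was skipped because the session already authenticates `username`, so an operator reading the logs can distinguish a header whose credential was verified from one that was ignored.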
@@ -87,6 +94,44 @@ public class BasicHeaderProcessor implements Filter {
}
}
/**
* If the request is already authenticated to the same user that the Authorization header claims,
* for example through the HTTP session, then there's no need to re-authenticate the Authorization header,
* so we skip that. This avoids stressing {@link SecurityRealm}.
*
* This method returns false if we can take this short-cut.
*/
// taken from BasicProcessingFilter.java
protected
boolean
authenticationIsRequired
(
String
username
)
{
// Only reauthenticate if username doesn't match SecurityContextHolder and user isn't authenticated
// (see SEC-53)
Authentication
existingAuth
=
SecurityContextHolder
.
getContext
().
getAuthentication
();
if
(
existingAuth
==
null
||
!
existingAuth
.
isAuthenticated
())
{
return
true
;
}
// Limit username comparison to providers which use usernames (ie UsernamePasswordAuthenticationToken)
// (see SEC-348)
if
(
existingAuth
instanceof
UsernamePasswordAuthenticationToken
&&
!
existingAuth
.
getName
().
equals
(
username
))
{
return
true
;
}
// Handle unusual condition where an AnonymousAuthenticationToken is already present
// This shouldn't happen very often, as BasicProcessingFitler is meant to be earlier in the filter
// chain than AnonymousProcessingFilter. Nevertheless, presence of both an AnonymousAuthenticationToken
// together with a BASIC authentication request header should indicate reauthentication using the
// BASIC protocol is desirable. This behaviour is also consistent with that provided by form and digest,
// both of which force re-authentication if the respective header is detected (and in doing so replace
// any existing AnonymousAuthenticationToken). See SEC-610.
if
(
existingAuth
instanceof
AnonymousAuthenticationToken
)
{
return
true
;
}
return
false
;
}
protected
void
success
(
HttpServletRequest
req
,
HttpServletResponse
rsp
,
FilterChain
chain
,
Authentication
auth
)
throws
IOException
,
ServletException
{
rememberMeServices
.
loginSuccess
(
req
,
rsp
,
auth
);
...
...
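Review bot: `authenticationIsRequired` returns false for any authenticated `existingAuth` that is neither a `UsernamePasswordAuthenticationToken` nor an `AnonymousAuthenticationToken`, without comparing names, so a session carrying some other token type plus a Basic header naming a different user takes the short-cut and the request proceeds as the session user. That is inherited from BasicProcessingFilter (SEC-348), but the javadoc above says the short-cut applies when the request "is already authenticated to the same user that the Authorization header claims", which overstates the check. Either compare `existingAuth.getName()` regardless of token type (the anonymous case is already handled separately) or document the exception in the javadoc. While copying the comment, also fix the `BasicProcessingFitler` typo.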
core/src/main/java/jenkins/security/BasicHeaderRealPasswordAuthenticator.java
...
...
@@ -19,9 +19,7 @@ import jenkins.ExtensionFilter;
import
jenkins.model.Jenkins
;
import
org.acegisecurity.Authentication
;
import
org.acegisecurity.AuthenticationException
;
import
org.acegisecurity.context.SecurityContextHolder
;
import
org.acegisecurity.providers.UsernamePasswordAuthenticationToken
;
import
org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken
;
import
org.acegisecurity.ui.AuthenticationDetailsSource
;
import
org.acegisecurity.ui.AuthenticationDetailsSourceImpl
;
...
...
@@ -49,9 +47,6 @@ public class BasicHeaderRealPasswordAuthenticator extends BasicHeaderAuthenticat
if
(
DISABLE
)
return
null
;
if
(!
authenticationIsRequired
(
username
))
return
null
;
UsernamePasswordAuthenticationToken
authRequest
=
new
UsernamePasswordAuthenticationToken
(
username
,
password
);
authRequest
.
setDetails
(
authenticationDetailsSource
.
buildDetails
(
req
));
...
...
@@ -68,37 +63,6 @@ public class BasicHeaderRealPasswordAuthenticator extends BasicHeaderAuthenticat
}
}
// taken from BasicProcessingFilter.java
protected
boolean
authenticationIsRequired
(
String
username
)
{
// Only reauthenticate if username doesn't match SecurityContextHolder and user isn't authenticated
// (see SEC-53)
Authentication
existingAuth
=
SecurityContextHolder
.
getContext
().
getAuthentication
();
if
(
existingAuth
==
null
||
!
existingAuth
.
isAuthenticated
())
{
return
true
;
}
// Limit username comparison to providers which use usernames (ie UsernamePasswordAuthenticationToken)
// (see SEC-348)
if
(
existingAuth
instanceof
UsernamePasswordAuthenticationToken
&&
!
existingAuth
.
getName
().
equals
(
username
))
{
return
true
;
}
// Handle unusual condition where an AnonymousAuthenticationToken is already present
// This shouldn't happen very often, as BasicProcessingFitler is meant to be earlier in the filter
// chain than AnonymousProcessingFilter. Nevertheless, presence of both an AnonymousAuthenticationToken
// together with a BASIC authentication request header should indicate reauthentication using the
// BASIC protocol is desirable. This behaviour is also consistent with that provided by form and digest,
// both of which force re-authentication if the respective header is detected (and in doing so replace
// any existing AnonymousAuthenticationToken). See SEC-610.
if
(
existingAuth
instanceof
AnonymousAuthenticationToken
)
{
return
true
;
}
return
false
;
}
private
static
final
Logger
LOGGER
=
Logger
.
getLogger
(
BasicHeaderRealPasswordAuthenticator
.
class
.
getName
());
/**
...
...
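Review bot: `authenticationIsRequired` was a `protected` method on the public class `BasicHeaderRealPasswordAuthenticator`, so deleting it is an API change for any subclass that overrode or called it. If plugin compatibility matters, keep a `@Deprecated protected` stub with the old behaviour for one release, or at least mention the removal in the changelog entry for JENKINS-25144.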
test/src/test/java/jenkins/security/BasicHeaderProcessorTest.java
...
...
@@ -56,10 +56,15 @@ public class BasicHeaderProcessorTest extends Assert {
// call with incorrect password
makeRequestAndFail
(
"foo:bar"
);
// if the session cookie is valid, then basic header won't be needed
wc
.
login
(
"bar"
);
// if the session cookie is valid, then basic header won't be needed
makeRequestWithAuthAndVerify
(
null
,
"bar"
);
// if the session cookie is valid, and basic header is set anyway login should not fail either
makeRequestWithAuthAndVerify
(
"bar:bar"
,
"bar"
);
// but if the password is incorrect, it should fail, instead of silently logging in as the user indicated by session
makeRequestAndFail
(
"foo:bar"
);
}
...
...
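Review bot: the new assertions cover a matching header (`bar:bar`) and a different user with a wrong password (`foo:bar`) while logged in as `bar`, but not the case the short-cut is built for: a header naming the session user with a wrong password (`bar:` plus a wrong value). Per `authenticationIsRequired` in `BasicHeaderProcessor`, that request is passed through as `bar` without the password being checked; add an explicit test pinning down whichever behaviour is intended so a later change cannot alter it silently. Also, the comment "if the session cookie is valid, then basic header won't be needed" appears twice; the first copy sits above `wc.login("bar")` and describes the call after it, so drop it.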