Reworked UnprotectedRootAction display to be in configure page for better...

Reworked UnprotectedRootAction display to be in configure page for better discoverability and possibility of support from reverse-proxy-auth-plugin.

changelog.html

@@ -62,6 +62,8 @@ Upcoming changes</a>
     Saving the update center list after the metadata has been fetched results in 
     the metadata being persisted twice
     (<a href="https://issues.jenkins-ci.org/browse/JENKINS-15889">issue 15889</a>)
+  <li class=rfe>
+    When using container-managed security, display unprotected root actions in the configuration screen for convenience.
   <li class=rfe>
     Added <tt>list-plugins</tt> CLI command.
 </ul>
@@ -85,8 +87,6 @@ Upcoming changes</a>
   <li class=rfe>
     Allows to disable triggering of downstream jobs (for a maven job)
     (<a href="https://issues.jenkins-ci.org/browse/JENKINS-1295">issue 1295</a>)
-  <li class=rfe>
-    When using container-managed security, display unprotected root actions at <code>/securityRealm/</code> for convenience.
   <li class=rfe>
     E-mail delivery feature was split off to a separate plugin for better modularity.
     (<a href="https://github.com/jenkinsci/jenkins/pull/629">pull 629</a>)

core/src/main/java/hudson/security/LegacySecurityRealm.java

@@ -32,16 +32,10 @@ import groovy.lang.Binding;
 import hudson.model.Descriptor;
 import hudson.util.spring.BeanBuilder;
 import hudson.Extension;
-import hudson.model.Action;
-import hudson.model.UnprotectedRootAction;
-import java.util.Collection;
-import java.util.Set;
-import java.util.TreeSet;
 import net.sf.json.JSONObject;
 
 import javax.servlet.Filter;
 import javax.servlet.FilterConfig;
-import jenkins.model.Jenkins;
 
 /**
  * {@link SecurityRealm} that accepts {@link ContainerAuthentication} object
@@ -94,24 +88,6 @@ public final class LegacySecurityRealm extends SecurityRealm implements Authenti
         return (Filter) context.getBean("legacy");
     }
 
-    /**
-     * Gets a list of unprotected root actions.
-     * These URL prefixes should be exempted from access control checks by container-managed security.
-     * Ideally would be synchronized with {@link Jenkins#getTarget}.
-     * @return a list of {@linkplain Action#getUrlName URL names}
-     * @since 1.494
-     */
-    public Collection<String> getUnprotectedRootActions() {
-        Set<String> names = new TreeSet<String>();
-        names.add("jnlpJars");
-        for (Action a : Jenkins.getInstance().getActions()) {
-            if (a instanceof UnprotectedRootAction) {
-                names.add(a.getUrlName());
-            }
-        }
-        return names;
-    }
-
     @Extension
     public static final Descriptor<SecurityRealm> DESCRIPTOR = new Descriptor<SecurityRealm>() {
         public SecurityRealm newInstance(StaplerRequest req, JSONObject formData) throws FormException {

core/src/main/java/jenkins/model/Jenkins.java

@@ -3529,18 +3529,15 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
             || rest.startsWith("/accessDenied")
             || rest.startsWith("/adjuncts/")
             || rest.startsWith("/signup")
-            || rest.startsWith("/jnlpJars/")
             || rest.startsWith("/tcpSlaveAgentListener")
             || rest.startsWith("/cli")
-            || rest.startsWith("/whoAmI") // XXX why hardcoded here when it is an URA already?
             || rest.startsWith("/federatedLoginService/")
             || rest.startsWith("/securityRealm"))
                 return this;    // URLs that are always visible without READ permission
 
-            for (Action a : getActions()) {
-                if (a instanceof UnprotectedRootAction) {
-                    if (rest.startsWith("/"+a.getUrlName()+"/") || rest.equals("/"+a.getUrlName()))
-                        return this;
+            for (String name : getUnprotectedRootActions()) {
+                if (rest.startsWith("/" + name + "/") || rest.equals("/" + name)) {
+                    return this;
                 }
             }
 
@@ -3549,6 +3546,25 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
         return this;
     }
 
+    /**
+     * Gets a list of unprotected root actions.
+     * These URL prefixes should be exempted from access control checks by container-managed security.
+     * Ideally would be synchronized with {@link #getTarget}.
+     * @return a list of {@linkplain Action#getUrlName URL names}
+     * @since 1.495
+     */
+    public Collection<String> getUnprotectedRootActions() {
+        Set<String> names = new TreeSet<String>();
+        names.add("jnlpJars"); // XXX cleaner to refactor doJnlpJars into a URA
+        // XXX consider caching (expiring cache when actions changes)
+        for (Action a : getActions()) {
+            if (a instanceof UnprotectedRootAction) {
+                names.add(a.getUrlName());
+            }
+        }
+        return names;
+    }
+
     /**
      * Fallback to the primary view.
      */

core/src/main/resources/hudson/security/LegacySecurityRealm/index.jelly → core/src/main/resources/hudson/security/LegacySecurityRealm/config.jelly

@@ -25,16 +25,12 @@ THE SOFTWARE.
 
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:i="jelly:fmt" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-    <l:layout permission="${app.ADMINISTER}" title="${%Container-Managed Security}">
-        <st:include page="sidepanel.jelly"/>
-        <l:main-panel>
-            <h1>${%Unprotected URLs}</h1>
-            <p>${%blurb}</p>
-            <ul>
-                <j:forEach var="name" items="${it.unprotectedRootActions}">
-                    <li><a href="../${name}"><code>${name}</code></a></li>
-                </j:forEach>
-            </ul>
-        </l:main-panel>
-    </l:layout>
+    <f:entry title="${%Unprotected URLs}">
+        <p>${%blurb}</p>
+        <ul>
+            <j:forEach var="name" items="${app.unprotectedRootActions}">
+                <li><a href="../${name}" target="_blank"><code>${name}</code></a></li>
+            </j:forEach>
+        </ul>
+    </f:entry>
 </j:jelly>

core/src/main/resources/hudson/security/LegacySecurityRealm/sidepanel.jelly

-<!--
-The MIT License
-
-Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
--->
-
-<?jelly escape-by-default='true'?>
-<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:s="/lib/form">
-  <l:header />
-  <l:side-panel>
-    <l:tasks>
-      <l:task icon="images/24x24/up.png" href="${rootURL}/" title="${%Back to Dashboard}" />
-      <l:task icon="images/24x24/setting.png" href="${rootURL}/manage" title="${%Manage Jenkins}" permission="${app.ADMINISTER}" />
-    </l:tasks>
-  </l:side-panel>
-</j:jelly>
\ No newline at end of file

war/src/main/webapp/help/security/container-realm.html

@@ -13,6 +13,4 @@
       or custom implementations to connect to a specific user realm.) 
     </li>
   </ol>
-
-  <p>After enabling, see <a href="securityRealm/"><code>securityRealm</code></a> for URLs which ought to be whitelisted by the container.</p>
-</div>
\ No newline at end of file
+</div>