Modified remember-me service not to rely on the clear-text password.

git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@6772 71c3de6d-444a-0410-be80-ed276b4c234a

Modified remember-me service not to rely on the clear-text password.
git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@6772 71c3de6d-444a-0410-be80-ed276b4c234a
11cdfa4a · kohsuke · 19a74921 · 11cdfa4a · 11cdfa4a
2 changed file
--- a/core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java
+++ b/core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java
+package hudson.security;
+
+import org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices;
+import org.acegisecurity.userdetails.UserDetails;
+import org.acegisecurity.Authentication;
+import org.apache.commons.codec.digest.DigestUtils;
+
+/**
+ * {@link TokenBasedRememberMeServices} with modification so as not to rely
+ * on the user password being available.
+ *
+ * <p>
+ * This allows remember-me to work with security realms where the password
+ * is never available in clear text.
+ *
+ * @author Kohsuke Kawaguchi
+ */
+public class TokenBasedRememberMeServices2 extends TokenBasedRememberMeServices {
+    protected String makeTokenSignature(long tokenExpiryTime, UserDetails userDetails) {
+        String expectedTokenSignature = DigestUtils.md5Hex(userDetails.getUsername() + ":" + tokenExpiryTime + ":"
+                + "N/A" + ":" + getKey());
+        return expectedTokenSignature;
+    }
+
+    protected String retrievePassword(Authentication successfulAuthentication) {
+        return "N/A";
+    }
+}
--- a/war/resources/WEB-INF/security/SecurityFilters.groovy
+++ b/war/resources/WEB-INF/security/SecurityFilters.groovy
@@ -15,7 +15,7 @@ import hudson.security.BasicAuthenticationFilter
 import hudson.security.AuthenticationProcessingFilter2
 import hudson.security.UnwrapSecurityExceptionFilter
 import org.acegisecurity.ui.rememberme.RememberMeProcessingFilter
-import org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices
+import hudson.security.TokenBasedRememberMeServices2

 // providers that apply to both patterns
 def commonProviders(redirectUrl) {
@@ -34,7 +34,7 @@ def commonProviders(redirectUrl) {
    ]
 }

-rememberMeServices(TokenBasedRememberMeServices) {
+rememberMeServices(TokenBasedRememberMeServices2) {
    userDetailsService = userDetailsServiceProxy;
    key = app.getSecretKey();
    parameter = "remember_me"; // this is the form field name in login.jelly