When the legacy authentication is used and anonymous doesn't have the view...

When the legacy authentication is used and anonymous doesn't have the view access, often the user was taken back to ajaxExecutors page after a successful login, due to multiple concurrent login attempts initiated by AJAX requests.


git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@7817 71c3de6d-444a-0410-be80-ed276b4c234a

core/src/main/java/hudson/security/LegacyAuthenticationProcessingFilterEntryPoint.java

+package hudson.security;
+
+import org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint;
+import org.acegisecurity.AuthenticationException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.ServletException;
+import java.io.IOException;
+
+/**
+ * {@link AuthenticationProcessingFilterEntryPoint} for
+ * {@link LegacySecurityRealm}, which puts the 'from' query parameter
+ * into the request, so that the user will be brought back to where
+ * he came from, after the authentication.
+ *
+ * @see LegacySecurityRealm
+ * @author Kohsuke Kawaguchi
+ */
+public class LegacyAuthenticationProcessingFilterEntryPoint extends AuthenticationProcessingFilterEntryPoint {
+
+    public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException) throws IOException, ServletException {
+        String requestedWith = ((HttpServletRequest) request).getHeader("X-Requested-With");
+        if("XMLHttpRequest".equals(requestedWith)) {
+            // container authentication normally relies on session attribute to
+            // remember where the user came from, so concurrent AJAX requests
+            // often ends up sending users back to AJAX pages after successful login.
+            // this is not desirable, so don't redirect AJAX requests to the user.
+            // this header value is sent from Prototype.
+            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
+        } else {
+            super.commence(request, response, authException);
+        }
+    }
+
+    @Override
+    protected String determineUrlToUseForThisRequest(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) {
+         return getLoginFormUrl()+"?from="+request.getRequestURI();
+    }
+}

core/src/main/java/hudson/security/LegacySecurityRealm.java

@@ -11,6 +11,7 @@ import net.sf.json.JSONObject;
  * {@link SecurityRealm} that accepts {@link ContainerAuthentication} object
  * without any check (that is, by assuming that the such token is
  * already authenticated by the container.)
+ * 
  * @author Kohsuke Kawaguchi
  */
 public final class LegacySecurityRealm extends SecurityRealm implements AuthenticationManager {

war/resources/WEB-INF/security/SecurityFilters.groovy

@@ -3,21 +3,22 @@
 
     This file must define a servlet Filter instance with the name 'filter'
 */
+import hudson.security.AccessDeniedHandlerImpl
+import hudson.security.AuthenticationProcessingFilter2
+import hudson.security.BasicAuthenticationFilter
+import hudson.security.ChainedServletFilter
+import hudson.security.LegacyAuthenticationProcessingFilterEntryPoint
+import hudson.security.UnwrapSecurityExceptionFilter
+import org.acegisecurity.context.HttpSessionContextIntegrationFilter
 import org.acegisecurity.providers.anonymous.AnonymousProcessingFilter
 import org.acegisecurity.ui.ExceptionTranslationFilter
 import org.acegisecurity.ui.basicauth.BasicProcessingFilter
 import org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint
-import org.acegisecurity.context.HttpSessionContextIntegrationFilter
-import org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint
-import hudson.security.ChainedServletFilter
-import hudson.security.AccessDeniedHandlerImpl
-import hudson.security.BasicAuthenticationFilter
-import hudson.security.AuthenticationProcessingFilter2
-import hudson.security.UnwrapSecurityExceptionFilter
 import org.acegisecurity.ui.rememberme.RememberMeProcessingFilter
+import org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint
 
 // providers that apply to both patterns
-def commonProviders(redirectUrl) {
+def commonProviders(entryPointClass,redirectUrl) {
     return [
         bean(AnonymousProcessingFilter) {
             key = "anonymous" // must match with the AnonymousProvider
@@ -25,7 +26,7 @@ def commonProviders(redirectUrl) {
         },
         bean(ExceptionTranslationFilter) {
             accessDeniedHandler = new AccessDeniedHandlerImpl()
-            authenticationEntryPoint = bean(AuthenticationProcessingFilterEntryPoint) {
+            authenticationEntryPoint = bean(entryPointClass) {
                 loginFormUrl = redirectUrl;
             }
         },
@@ -60,7 +61,7 @@ filter(ChainedServletFilter) {
             defaultTargetUrl = "/"
             filterProcessesUrl = "/j_acegi_security_check"
         },
-    ] + commonProviders("/login")
+    ] + commonProviders(AuthenticationProcessingFilterEntryPoint.class,"/login")
 }
 
 // this filter set up is used to emulate the legacy Hudson behavior
@@ -68,7 +69,7 @@ filter(ChainedServletFilter) {
 legacy(ChainedServletFilter) {
     filters = [
         bean(BasicAuthenticationFilter)
-    ] + commonProviders("/loginEntry")
+    ] + commonProviders(LegacyAuthenticationProcessingFilterEntryPoint.class,"/loginEntry")
     // when using container-authentication we can't hit /login directly.
     // we first have to hit protected /loginEntry, then let the container
     // trap that into /login.