Commit 2d9dec95 authored by: D Daniel Beck

[JENKINS-15757] Ignore 'remember me' if disabled in configuration

The previous implementation of 'disable remember me' just removes the
checkbox from the UI. Users still can set the parameter using a web
browser extension, or patch the login page using a Greasemonkey script
and keep using the feature. And just after the feature is enabled, users
still might be able to use it if they loaded the login page early.

This change prevents that by checking the current configuration and, if
'remember me' is disabled, ignoring any headers set.
Parent ea85489a
......@@ -28,6 +28,7 @@ import java.util.Date;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import jenkins.model.Jenkins;
import jenkins.security.HMACConfidentialKey;
import org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices;
import org.acegisecurity.userdetails.UserDetails;
......@@ -71,6 +72,16 @@ public class TokenBasedRememberMeServices2 extends TokenBasedRememberMeServices
return;
}
Jenkins j = Jenkins.getInstance();
if (j != null && j.isDisableRememberMe()) {
if (logger.isDebugEnabled()) {
logger.debug("Did not send remember-me cookie because 'Remember Me' is disabled in " +
"security configuration (principal did set parameter '" + getParameter() + "')");
}
// XXX log warning when receiving remember-me request despite the feature being disabled?
return;
}
Assert.notNull(successfulAuthentication.getPrincipal());
Assert.notNull(successfulAuthentication.getCredentials());
Assert.isInstanceOf(UserDetails.class, successfulAuthentication.getPrincipal());
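Review bot: The new guard fails open when `Jenkins.getInstance()` returns null: with `if (j != null && j.isDisableRememberMe())`, a missing Jenkins instance lets the remember-me cookie be issued as before. Consider treating a null instance the same as 'remember me disabled' so the safe default applies. Since this check sits only in the login-success path (just before the `Assert.notNull(successfulAuthentication...)` calls), please confirm that the path which processes an already-present remember-me cookie also consults `isDisableRememberMe()`; otherwise cookies issued before the option was switched on remain valid until they expire, which the commit message's goal of ignoring the feature when disabled does not cover. The `// XXX log warning ...` comment should be resolved before merge; a single warning-level log on that receiving path would make ignored requests visible to administrators.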