hudson.security
Class HudsonPrivateSecurityRealm

java.lang.Object
  extended by hudson.model.AbstractDescribableImpl<SecurityRealm>
      extended by hudson.security.SecurityRealm
          extended by hudson.security.AbstractPasswordBasedSecurityRealm
              extended by hudson.security.HudsonPrivateSecurityRealm
All Implemented Interfaces:
ExtensionPoint, Describable<SecurityRealm>, ModelObject, AccessControlled, org.acegisecurity.userdetails.UserDetailsService

public class HudsonPrivateSecurityRealm
extends AbstractPasswordBasedSecurityRealm
implements ModelObject, AccessControlled

SecurityRealm that performs authentication by looking up User.

Implements AccessControlled to satisfy view rendering, but in reality the access control is done against the Jenkins object.

Author:
Kohsuke Kawaguchi

Nested Class Summary
static class HudsonPrivateSecurityRealm.DescriptorImpl
           
static class HudsonPrivateSecurityRealm.Details
          UserProperty that provides the UserDetails view of the User object.
static class HudsonPrivateSecurityRealm.ManageUserLinks
          Displays "manage users" link in the system config if HudsonPrivateSecurityRealm is in effect.
static class HudsonPrivateSecurityRealm.SignupInfo
           
 
Nested classes/interfaces inherited from class hudson.security.SecurityRealm
SecurityRealm.SecurityComponents
 
Nested classes/interfaces inherited from interface hudson.ExtensionPoint
ExtensionPoint.LegacyInstancesAreScopedToHudson
 
Field Summary
static org.acegisecurity.providers.encoding.PasswordEncoder PASSWORD_ENCODER
          Combines JBCRYPT_ENCODER and CLASSIC into one so that we can continue to accept the CLASSIC format, but new encoding will always be done via JBCRYPT_ENCODER.
 
Fields inherited from class hudson.security.SecurityRealm
AUTHENTICATED_AUTHORITY, LIST, NO_AUTHENTICATION
 
Constructor Summary
HudsonPrivateSecurityRealm(boolean allowsSignup)
          Deprecated. 
HudsonPrivateSecurityRealm(boolean allowsSignup, boolean enableCaptcha, CaptchaSupport captchaSupport)
           
 
Method Summary
 boolean allowsSignup()
          Returns true if this SecurityRealm allows online sign-up.
protected  HudsonPrivateSecurityRealm.Details authenticate(String username, String password)
          Authenticate a login attempt.
 void checkPermission(Permission permission)
          Convenient short-cut for getACL().checkPermission(permission)
 org.kohsuke.stapler.HttpResponse commenceSignup(FederatedLoginService.FederatedIdentity identity)
          Show the sign up page with the data from the identity.
 User createAccount(String userName, String password)
          Creates a new user account by registering a password to the user.
 User doCreateAccount(org.kohsuke.stapler.StaplerRequest req, org.kohsuke.stapler.StaplerResponse rsp)
          Creates a user account.
 void doCreateAccountByAdmin(org.kohsuke.stapler.StaplerRequest req, org.kohsuke.stapler.StaplerResponse rsp)
          Creates a user account.
 User doCreateAccountWithFederatedIdentity(org.kohsuke.stapler.StaplerRequest req, org.kohsuke.stapler.StaplerResponse rsp)
          Creates an account and associates that with the given identity.
 void doCreateFirstAccount(org.kohsuke.stapler.StaplerRequest req, org.kohsuke.stapler.StaplerResponse rsp)
          Creates a first admin user account.
 ACL getACL()
          Obtains the ACL associated with this object.
 List<User> getAllUsers()
          All users who can log in to the system.
 String getDisplayName()
          This is used primarily when the object is listed in the breadcrumb, in the user management screen.
 User getUser(String id)
          This is to map users under the security realm URL.
 boolean hasPermission(Permission permission)
          Convenient short-cut for getACL().hasPermission(permission)
 boolean isEnableCaptcha()
          Checks if captcha is enabled on user signup.
 GroupDetails loadGroupByGroupname(String groupname)
          This implementation doesn't support groups.
 HudsonPrivateSecurityRealm.Details loadUserByUsername(String username)
          Retrieves information about a user by name.
 
Methods inherited from class hudson.security.AbstractPasswordBasedSecurityRealm
createCliAuthenticator, createSecurityComponents
 
Methods inherited from class hudson.security.SecurityRealm
all, canLogOut, createFilter, doCaptcha, doLogout, findBean, getAuthenticationGatewayUrl, getCaptchaSupport, getCaptchaSupportDescriptors, getDescriptor, getLoginUrl, getPostLogOutUrl, getSecurityComponents, setCaptchaSupport, validateCaptcha
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

PASSWORD_ENCODER

public static final org.acegisecurity.providers.encoding.PasswordEncoder PASSWORD_ENCODER
Combines JBCRYPT_ENCODER and CLASSIC into one so that we can continue to accept the CLASSIC format, but new encoding will always be done via JBCRYPT_ENCODER.
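Added example, not Hudson's own code: a two-format encoder in Python that mirrors the PASSWORD_ENCODER contract (verify either the legacy or the current format, always produce the current format for new passwords) and re-encodes a legacy hash once a login with it succeeds, which is how a stored-credential format gets retired without a forced reset. bcrypt and the CLASSIC scheme are stood in for by PBKDF2-HMAC-SHA256 and a constructed salted SHA-256 format; the `#pbkdf2:` marker, the iteration count and all function names are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import os

CURRENT_PREFIX = "#pbkdf2:"   # assumed marker, plays the role of the bcrypt prefix
PBKDF2_ITERATIONS = 100_000   # assumed work factor for the stand-in scheme


def legacy_encode(raw, salt):
    """Constructed stand-in for CLASSIC: '<salt>:' + sha256(password + '{' + salt + '}')."""
    digest = hashlib.sha256((raw + "{" + salt + "}").encode()).hexdigest()
    return salt + ":" + digest


def current_encode(raw, salt=None):
    """Stand-in for JBCRYPT_ENCODER: prefix + base64(salt) + '$' + base64(pbkdf2)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt, PBKDF2_ITERATIONS)
    return CURRENT_PREFIX + base64.b64encode(salt).decode() + "$" + base64.b64encode(dk).decode()


def is_current(stored):
    return stored.startswith(CURRENT_PREFIX)


def is_password_valid(stored, raw):
    """Accept either format, as the combining encoder does; malformed input is just 'no match'."""
    if is_current(stored):
        salt_b64, sep, dk_b64 = stored[len(CURRENT_PREFIX):].partition("$")
        if not sep:
            return False
        try:
            salt = base64.b64decode(salt_b64, validate=True)
        except binascii.Error:
            return False
        dk = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(base64.b64encode(dk).decode(), dk_b64)
    # Legacy layout is '<salt>:<hexdigest>'; recompute and compare in constant time.
    salt, _, _ = stored.partition(":")
    return hmac.compare_digest(legacy_encode(raw, salt), stored)


def encode_password(raw):
    """New encodings always use the current scheme, never the legacy one."""
    return current_encode(raw)


def verify_and_upgrade(stored, raw):
    """Return (valid, stored_hash_to_keep); a valid legacy hash is replaced by a current one."""
    if not is_password_valid(stored, raw):
        return False, stored
    return True, stored if is_current(stored) else encode_password(raw)
```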

Constructor Detail

HudsonPrivateSecurityRealm

@Deprecated
public HudsonPrivateSecurityRealm(boolean allowsSignup)
Deprecated. 


HudsonPrivateSecurityRealm

@DataBoundConstructor
public HudsonPrivateSecurityRealm(boolean allowsSignup,
                                                       boolean enableCaptcha,
                                                       CaptchaSupport captchaSupport)
Method Detail

allowsSignup

public boolean allowsSignup()
Description copied from class: SecurityRealm
Returns true if this SecurityRealm allows online sign-up. This creates a hyperlink that redirects users to CONTEXT_ROOT/signUp, which will be served by the signup.jelly view of this class.

If the implementation needs to redirect the user to a different URL for signing up, use the following jelly script as signup.jelly


 <st:redirect url="http://www.sun.com/" xmlns:st="jelly:stapler"/>
 

Overrides:
allowsSignup in class SecurityRealm

isEnableCaptcha

public boolean isEnableCaptcha()
Checks if captcha is enabled on user signup.

Returns:
true if captcha is enabled on signup.

loadGroupByGroupname

public GroupDetails loadGroupByGroupname(String groupname)
                                  throws org.acegisecurity.userdetails.UsernameNotFoundException,
                                         org.springframework.dao.DataAccessException
This implementation doesn't support groups.

Specified by:
loadGroupByGroupname in class AbstractPasswordBasedSecurityRealm
Throws:
org.acegisecurity.userdetails.UsernameNotFoundException
org.springframework.dao.DataAccessException

loadUserByUsername

public HudsonPrivateSecurityRealm.Details loadUserByUsername(String username)
                                                      throws org.acegisecurity.userdetails.UsernameNotFoundException,
                                                             org.springframework.dao.DataAccessException
Description copied from class: AbstractPasswordBasedSecurityRealm
Retrieves information about a user by name.

This method is used, for example, to validate if the given token is a valid user name when the user is configuring an ACL. This is an optional method that improves the user experience. If your backend doesn't support a query like this, just always throw UsernameNotFoundException.

Specified by:
loadUserByUsername in interface org.acegisecurity.userdetails.UserDetailsService
Specified by:
loadUserByUsername in class AbstractPasswordBasedSecurityRealm
Returns:
never null.
Throws:
org.acegisecurity.userdetails.UsernameNotFoundException
org.springframework.dao.DataAccessException

authenticate

protected HudsonPrivateSecurityRealm.Details authenticate(String username,
                                                          String password)
                                                   throws org.acegisecurity.AuthenticationException
Description copied from class: AbstractPasswordBasedSecurityRealm
Authenticate a login attempt. This method is the heart of an AbstractPasswordBasedSecurityRealm.

If the user name and the password pair matches, retrieve the information about this user and return it as a UserDetails object. User is a convenient implementation to use, but if your backend offers additional data, you may want to use your own subtype so that the rest of Hudson can use that additional information (such as the e-mail address --- see MailAddressResolver.)

Properties like UserDetails.getPassword() make no sense, so just return an empty value from it. The only information that you need to pay real attention to is UserDetails.getAuthorities(), which is a list of roles/groups that the user is in. At minimum, this must contain SecurityRealm.AUTHENTICATED_AUTHORITY (which indicates that this user is authenticated and not anonymous), but if your backend supports a notion of groups, you should make sure that the authorities contain one entry per group. This enables users to control authorization based on groups.

If the user name and the password pair doesn't match, throw AuthenticationException to reject the login attempt.

Specified by:
authenticate in class AbstractPasswordBasedSecurityRealm
Throws:
org.acegisecurity.AuthenticationException

commenceSignup

public org.kohsuke.stapler.HttpResponse commenceSignup(FederatedLoginService.FederatedIdentity identity)
Show the sign up page with the data from the identity.

Overrides:
commenceSignup in class SecurityRealm

doCreateAccountWithFederatedIdentity

public User doCreateAccountWithFederatedIdentity(org.kohsuke.stapler.StaplerRequest req,
                                                 org.kohsuke.stapler.StaplerResponse rsp)
                                          throws IOException,
                                                 javax.servlet.ServletException
Creates an account and associates it with the given identity. Used in conjunction with commenceSignup(FederatedIdentity).

Throws:
IOException
javax.servlet.ServletException

doCreateAccount

public User doCreateAccount(org.kohsuke.stapler.StaplerRequest req,
                            org.kohsuke.stapler.StaplerResponse rsp)
                     throws IOException,
                            javax.servlet.ServletException
Creates a user account. Used for self-registration.

Throws:
IOException
javax.servlet.ServletException

doCreateAccountByAdmin

public void doCreateAccountByAdmin(org.kohsuke.stapler.StaplerRequest req,
                                   org.kohsuke.stapler.StaplerResponse rsp)
                            throws IOException,
                                   javax.servlet.ServletException
Creates a user account. Used by admins. This version behaves differently from doCreateAccount(StaplerRequest, StaplerResponse) in that this is someone creating another user.

Throws:
IOException
javax.servlet.ServletException

doCreateFirstAccount

public void doCreateFirstAccount(org.kohsuke.stapler.StaplerRequest req,
                                 org.kohsuke.stapler.StaplerResponse rsp)
                          throws IOException,
                                 javax.servlet.ServletException
Creates a first admin user account.

This can be run by anyone, but only to create the very first user account.

Throws:
IOException
javax.servlet.ServletException

createAccount

public User createAccount(String userName,
                          String password)
                   throws IOException
Creates a new user account by registering a password to the user.

Throws:
IOException

getDisplayName

public String getDisplayName()
This is used primarily when the object is listed in the breadcrumb, in the user management screen.

Specified by:
getDisplayName in interface ModelObject

getACL

public ACL getACL()
Description copied from interface: AccessControlled
Obtains the ACL associated with this object.

Specified by:
getACL in interface AccessControlled
Returns:
never null.

checkPermission

public void checkPermission(Permission permission)
Description copied from interface: AccessControlled
Convenient short-cut for getACL().checkPermission(permission)

Specified by:
checkPermission in interface AccessControlled

hasPermission

public boolean hasPermission(Permission permission)
Description copied from interface: AccessControlled
Convenient short-cut for getACL().hasPermission(permission)

Specified by:
hasPermission in interface AccessControlled

getAllUsers

public List<User> getAllUsers()
All users who can log in to the system.


getUser

public User getUser(String id)
This is to map users under the security realm URL. This in turn helps us set up the right navigation breadcrumb.



Copyright © 2004-2013. All Rights Reserved.