Package jenkins.security

Interface SecureRequester

All Superinterfaces:

ExtensionPoint

All Known Implementing Classes:

SecureRequester.Default

public interface SecureRequester
extends ExtensionPoint

An extension point for authorizing REST API access to an object where an unsafe result type would be produced. Both JSONP and XPath with primitive result sets are considered unsafe due to CSRF attacks. A default implementation allows requests if a deprecated system property is set, or if Jenkins is unsecured anyway, but plugins may offer implementations which authorize scripted clients, requests from inside a trusted domain, etc.

Since:

1.537

See Also:

• Api

Nested Class Summary

Nested Classes

Modifier and Type	Interface	Description
static class	SecureRequester.Default

Nested classes/interfaces inherited from interface hudson.ExtensionPoint

ExtensionPoint.LegacyInstancesAreScopedToHudson

Method Summary

Modifier and Type	Method	Description
default boolean	permit(org.kohsuke.stapler.StaplerRequest2 req, Object bean)	Checks if a Jenkins object can be accessed by a given REST request.
default boolean	permit(org.kohsuke.stapler.StaplerRequest req, Object bean)	Deprecated. use permit(StaplerRequest2, Object)

Method Details

permit

@StaplerNotDispatchable
default boolean permit(org.kohsuke.stapler.StaplerRequest2 req,
 Object bean)

Checks if a Jenkins object can be accessed by a given REST request. For instance, if the StaplerRequest2.getReferer() matches a given host, or anonymous read is allowed for the given object.

Parameters:

req - a request going through the REST API

bean - an exported object of some kind

Returns:

true if this requester should be trusted, false to reject

permit

@Deprecated
@StaplerNotDispatchable
default boolean permit(org.kohsuke.stapler.StaplerRequest req,
 Object bean)

Deprecated.

use permit(StaplerRequest2, Object)