Interface SecureRequester

  • All Superinterfaces:
    ExtensionPoint
    All Known Implementing Classes:
    SecureRequester.Default

    public interface SecureRequester
    extends ExtensionPoint
    An extension point for authorizing REST API access to an object where an unsafe result type would be produced. Both JSONP and XPath with primitive result sets are considered unsafe due to CSRF attacks. A default implementation allows requests if a deprecated system property is set, or if Jenkins is unsecured anyway, but plugins may offer implementations which authorize scripted clients, requests from inside a trusted domain, etc.
    Since:
    1.537
    See Also:
    Api
    • Method Detail

      • permit

        boolean permit(org.kohsuke.stapler.StaplerRequest req,
                       Object bean)
        Checks if a Jenkins object can be accessed by a given REST request. For instance, an implementation might permit the request if StaplerRequest.getReferer() matches a given host, or if anonymous read is allowed for the given object.
        Parameters:
        req - a request going through the REST API
        bean - an exported object of some kind
        Returns:
        true if this requester should be trusted, false to reject
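
        An added example, not part of the Jenkins source or this Javadoc: one way a plugin could implement the Referer-host check described for permit. The class name TrustedRefererRequester, the package, the helper isTrustedReferer, the sample host and the HTTPS-only rule are all assumptions made for illustration.

```java
package example.plugin; // hypothetical plugin package

import hudson.Extension;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import jenkins.security.SecureRequester;
import org.kohsuke.stapler.StaplerRequest;

/** Hypothetical implementation: trust requests whose Referer host is on a fixed allow-list. */
@Extension
public class TrustedRefererRequester implements SecureRequester {

    // Constructed sample value; a real plugin would read this from its own configuration.
    private static final Set<String> TRUSTED_HOSTS = Set.of("dashboard.example.com");

    @Override
    public boolean permit(StaplerRequest req, Object bean) {
        // bean is not consulted here: the decision rests on the request origin only.
        return isTrustedReferer(req.getReferer());
    }

    /** Pure helper so the matching rules can be unit-tested without a Jenkins instance. */
    static boolean isTrustedReferer(String referer) {
        if (referer == null || referer.isEmpty()) {
            return false; // no Referer header: fail closed
        }
        final URI uri;
        try {
            uri = new URI(referer);
        } catch (URISyntaxException e) {
            return false; // unparseable Referer: fail closed
        }
        String host = uri.getHost();
        // Assumption of this example: only HTTPS origins are trusted.
        if (host == null || !"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        // Compare the parsed host exactly. A substring or prefix test on the raw
        // header would also accept a longer hostname that merely contains the trusted name.
        return TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }
}
```

        The Referer header is supplied by the client, so this check separates browser requests that originate from the trusted site from other browser-originated requests; it does not authenticate a scripted client.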