Class BasicAuthenticationFilter

java.lang.Object
hudson.security.BasicAuthenticationFilter
All Implemented Interfaces:
javax.servlet.Filter

public class BasicAuthenticationFilter extends Object implements javax.servlet.Filter
Implements the dual authentication mechanism.

Jenkins supports both the HTTP basic authentication and the form-based authentication. The former is for scripted clients, and the latter is for humans. Unfortunately, because the servlet spec does not allow us to programmatically authenticate users, we need to rely on some hack to make it work, and this is the class that implements that hack.

When an HTTP request arrives with an HTTP basic auth header, this filter detects that and emulates an invocation of /j_security_check (see this page for the original technique.)

This causes the container to perform authentication, but there's no way to find out whether the user has been successfully authenticated or not. So to find this out, we then redirect the user to the /secured/... page.

The handler of the above URL checks if the user is authenticated, and if not, reports an HTTP error code. Otherwise the user is redirected back to the original URL, where the request is served.

So all in all, the redirection works like /abc/def → /secured/abc/def → /abc/def.
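
The steps described above, modelled as an added Java sketch that uses only the JDK. It is not Jenkins's implementation: the class and method names are hypothetical, the sample header is constructed, and the container's /j_security_check result is stood in for by a boolean.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

/** Added sketch of the dual-authentication flow; hypothetical names, not Jenkins code. */
public class DualAuthFlowSketch {
    static final String SECURED = "/secured"; // prefix named in the description above

    /** Step 1: detect and decode "Authorization: Basic ..."; empty if absent or malformed. */
    static Optional<String[]> parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty(); // no basic auth header: the form-based path applies
        }
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String decoded = new String(raw, StandardCharsets.UTF_8);
            int colon = decoded.indexOf(':'); // split on the first ':' only; passwords may contain ':'
            if (colon < 0) return Optional.empty();
            return Optional.of(new String[] {decoded.substring(0, colon), decoded.substring(colon + 1)});
        } catch (IllegalArgumentException badBase64) {
            return Optional.empty(); // undecodable credentials are treated as "no credentials"
        }
    }

    /** Step 2: after the emulated /j_security_check, redirect to /secured/<original path>. */
    static String toSecured(String originalPath) {
        return SECURED + originalPath;
    }

    /** Step 3: the /secured handler reports an error or redirects back to the original path. */
    static String securedHandler(String securedPath, boolean containerAuthenticated) {
        if (!securedPath.startsWith(SECURED + "/")) {
            throw new IllegalArgumentException("not a /secured path: " + securedPath);
        }
        if (!containerAuthenticated) return "ERROR"; // the page does not say which HTTP error code
        return "REDIRECT " + securedPath.substring(SECURED.length());
    }

    public static void main(String[] args) {
        // Constructed sample: the header a scripted client would send for alice / s3cr:et
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3cr:et".getBytes(StandardCharsets.UTF_8));
        String[] cred = parseBasic(header).orElseThrow();
        System.out.println("user=" + cred[0] + " passwordLength=" + cred[1].length());
        String hop = toSecured("/abc/def");
        System.out.println("/abc/def -> " + hop + " -> " + securedHandler(hop, true));
        System.out.println("failed login -> " + securedHandler(hop, false));
        System.out.println("malformed header present: " + parseBasic("Basic %%%").isPresent());
    }
}
```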

Notes

  • The technique of getting a request dispatcher for /j_security_check may not work for all containers, but so far that seems like the only way to make this work.
  • This A → B → A redirect is a cyclic redirection, so we need to watch out for clients that detect this as an error.
Author:
Kohsuke Kawaguchi
  • Constructor Details

    • BasicAuthenticationFilter

      public BasicAuthenticationFilter()
  • Method Details

    • init

      public void init(javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException
      Specified by:
      init in interface javax.servlet.Filter
      Throws:
      javax.servlet.ServletException
    • doFilter

      public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
      Specified by:
      doFilter in interface javax.servlet.Filter
      Throws:
      IOException
      javax.servlet.ServletException
    • destroy

      public void destroy()
      Specified by:
      destroy in interface javax.servlet.Filter