Class BasicAuthenticationFilter

java.lang.Object
hudson.security.BasicAuthenticationFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.kohsuke.stapler.CompatibleFilter

public class BasicAuthenticationFilter extends Object implements org.kohsuke.stapler.CompatibleFilter
Implements the dual authentication mechanism.

Jenkins supports both HTTP basic authentication and form-based authentication. The former is for scripted clients, and the latter is for humans. Unfortunately, because the servlet spec does not allow us to programmatically authenticate users, we need to rely on some hack to make it work, and this is the class that implements that hack.

When an HTTP request arrives with an HTTP basic auth header, this filter detects that and emulates an invocation of /j_security_check (see this page for the original technique).

This causes the container to perform authentication, but there's no way to find out whether the user has been successfully authenticated or not. So to find this out, we then redirect the user to the /secured/... page.

The handler of the above URL checks if the user is authenticated, and if not, reports an HTTP error code. Otherwise the user is redirected back to the original URL, where the request is served.

So all in all, the redirection works like /abc/def → /secured/abc/def → /abc/def.

Notes

  • The technique of getting a request dispatcher for /j_security_check may not work for all containers, but so far that seems like the only way to make this work.
  • This A → B → A redirect is a cyclic redirection, so we need to watch out for clients that detect this as an error.
Author:
Kohsuke Kawaguchi
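The A → B → A flow described above, written out as an illustrative servlet filter. This is an added example, not the Jenkins implementation: the class name, SECURED_PREFIX, and the choice to handle the /secured/... probe inside the same filter (rather than in a separate handler, as the text describes) are assumptions made for compactness.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// Illustrative filter for the dual-authentication hack described above; not the
// Jenkins implementation. The class name and SECURED_PREFIX are assumed names.
public class DualAuthExampleFilter implements Filter {
    private static final String SECURED_PREFIX = "/secured";
    private ServletContext context;
    @Override public void init(FilterConfig cfg) { context = cfg.getServletContext(); }
    @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse rsp = (HttpServletResponse) response;
        String path = req.getServletPath();            // e.g. /abc/def
        String auth = req.getHeader("Authorization");
        // Leg B -> A: the /secured/... probe. The container has already processed the
        // emulated j_security_check, so getUserPrincipal() reveals whether it succeeded.
        if (path.startsWith(SECURED_PREFIX + "/")) {
            if (req.getUserPrincipal() == null) rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED); // report, never loop
            else rsp.sendRedirect(req.getContextPath() + path.substring(SECURED_PREFIX.length()));
            return;
        }
        // Only intercept Basic credentials on a request the container has not already authenticated.
        if (auth == null || !auth.regionMatches(true, 0, "Basic ", 0, 6) || req.getUserPrincipal() != null) {
            chain.doFilter(request, response); return;
        }
        String[] creds;
        try { creds = new String(Base64.getDecoder().decode(auth.substring(6).trim()), StandardCharsets.UTF_8).split(":", 2); }
        catch (IllegalArgumentException e) { creds = new String[0]; }   // malformed base64
        if (creds.length != 2) { rsp.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
        // Leg A -> B: commit the 302 to /secured/<original> first (an included resource may not
        // change status or headers), then let the container consume the credentials via the include.
        String target = req.getContextPath() + SECURED_PREFIX + path;
        if (req.getQueryString() != null) target += "?" + req.getQueryString();
        rsp.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY);
        rsp.setHeader("Location", target);
        String login = "/j_security_check?j_username=" + URLEncoder.encode(creds[0], StandardCharsets.UTF_8)
                     + "&j_password=" + URLEncoder.encode(creds[1], StandardCharsets.UTF_8);
        context.getRequestDispatcher(login).include(req, rsp);
    }
}
```

Because the /secured/... probe answers 401 on failure instead of redirecting again, a bad credential ends the cycle after one hop rather than producing the redirect loop the notes warn about.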
  • Constructor Summary

    Constructors
    Constructor                     Description
    BasicAuthenticationFilter()
  • Method Summary

    Modifier and Type    Method                                                                                                                    Description
    void                 destroy()
    void                 doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain)
    void                 init(jakarta.servlet.FilterConfig filterConfig)

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    Methods inherited from interface org.kohsuke.stapler.CompatibleFilter

    doFilter, init
  • Constructor Details

    • BasicAuthenticationFilter

      public BasicAuthenticationFilter()
  • Method Details

    • init

      public void init(jakarta.servlet.FilterConfig filterConfig) throws jakarta.servlet.ServletException
      Specified by:
      init in interface jakarta.servlet.Filter
      Throws:
      jakarta.servlet.ServletException
    • doFilter

      public void doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain) throws IOException, jakarta.servlet.ServletException
      Specified by:
      doFilter in interface jakarta.servlet.Filter
      Throws:
      IOException
      jakarta.servlet.ServletException
    • destroy

      public void destroy()
      Specified by:
      destroy in interface jakarta.servlet.Filter