Class BasicHeaderProcessor

java.lang.Object
jenkins.security.BasicHeaderProcessor
All Implemented Interfaces:
jakarta.servlet.Filter, org.kohsuke.stapler.CompatibleFilter
Direct Known Subclasses:
ApiTokenFilter

@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public class BasicHeaderProcessor extends Object implements org.kohsuke.stapler.CompatibleFilter
Takes "username:password" given in the Authorization HTTP header and authenticates the request.

Implementations of BasicHeaderAuthenticator includes one that accepts the real password, then one that checks the user's API token. We call them all from a single Filter like this, as opposed to using a list of Filters, so that multiple filters don't end up trying to authenticate the same header differently and fail.

Author:
Kohsuke Kawaguchi
  • Constructor Summary

    Constructors
    Constructor
    Description
     
  • Method Summary

    Modifier and Type
    Method
    Description
    protected List<? extends BasicHeaderAuthenticator>
    all()
     
    protected boolean
    If the request is already authenticated to the same user that the Authorization header claims, for example through the HTTP session, then there's no need to re-authenticate the Authorization header, so we skip that.
    void
     
    void
    doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain)
     
    protected void
    fail(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse rsp, org.springframework.security.authentication.BadCredentialsException failure)
     
    void
    init(jakarta.servlet.FilterConfig filterConfig)
     
    void
    setAuthenticationEntryPoint(org.springframework.security.web.AuthenticationEntryPoint authenticationEntryPoint)
     
    void
    setRememberMeServices(org.springframework.security.web.authentication.RememberMeServices rememberMeServices)
     
    protected void
    success(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse rsp, jakarta.servlet.FilterChain chain, org.springframework.security.core.Authentication auth)
     

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    Methods inherited from interface org.kohsuke.stapler.CompatibleFilter

    doFilter, init
  • Constructor Details

    • BasicHeaderProcessor

      public BasicHeaderProcessor()
  • Method Details

    • init

      public void init(jakarta.servlet.FilterConfig filterConfig) throws jakarta.servlet.ServletException
      Specified by:
      init in interface jakarta.servlet.Filter
      Throws:
      jakarta.servlet.ServletException
    • setAuthenticationEntryPoint

      public void setAuthenticationEntryPoint(org.springframework.security.web.AuthenticationEntryPoint authenticationEntryPoint)
    • setRememberMeServices

      public void setRememberMeServices(org.springframework.security.web.authentication.RememberMeServices rememberMeServices)
    • doFilter

      public void doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain) throws IOException, jakarta.servlet.ServletException
      Specified by:
      doFilter in interface jakarta.servlet.Filter
      Throws:
      IOException
      jakarta.servlet.ServletException
    • authenticationIsRequired

      protected boolean authenticationIsRequired(String username)
      If the request is already authenticated to the same user that the Authorization header claims, for example through the HTTP session, then there's no need to re-authenticate the Authorization header, so we skip that. This avoids stressing SecurityRealm. This method returns false if we can take this short-cut.
    • success

      protected void success(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse rsp, jakarta.servlet.FilterChain chain, org.springframework.security.core.Authentication auth) throws IOException, jakarta.servlet.ServletException
      Throws:
      IOException
      jakarta.servlet.ServletException
    • fail

      protected void fail(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse rsp, org.springframework.security.authentication.BadCredentialsException failure) throws IOException, jakarta.servlet.ServletException
      Throws:
      IOException
      jakarta.servlet.ServletException
    • all

      protected List<? extends BasicHeaderAuthenticator> all()
    • destroy

      public void destroy()
      Specified by:
      destroy in interface jakarta.servlet.Filter