Package org.jenkinsci.plugins.saml
Class SamlSecurityRealm
- java.lang.Object
- hudson.model.AbstractDescribableImpl<SecurityRealm>
- hudson.security.SecurityRealm
- org.jenkinsci.plugins.saml.SamlSecurityRealm
- All Implemented Interfaces:
  ExtensionPoint, Describable<SecurityRealm>
public class SamlSecurityRealm extends SecurityRealm
Authenticates the user via SAML. This class is the main entry point to the plugin. Uses Stapler (stapler.kohsuke.org) to bind methods to URLs.
- See Also:
  SecurityRealm
Nested Class Summary
- Nested Classes:
  static class SamlSecurityRealm.DescriptorImpl
- Nested classes/interfaces inherited from class hudson.security.SecurityRealm:
  SecurityRealm.SecurityComponents
- Nested classes/interfaces inherited from interface hudson.ExtensionPoint:
  ExtensionPoint.LegacyInstancesAreScopedToHudson
Field Summary
- Fields inherited from class hudson.security.SecurityRealm:
  AUTHENTICATED_AUTHORITY, AUTHENTICATED_AUTHORITY2, LIST, NO_AUTHENTICATION
Constructor Summary
- SamlSecurityRealm(IdpMetadataConfiguration idpMetadataConfiguration, String displayNameAttributeName, String groupsAttributeName, Integer maximumAuthenticationLifetime, String usernameAttributeName, String emailAttributeName, String logoutUrl, SamlAdvancedConfiguration advancedConfiguration, SamlEncryptionData encryptionData, String usernameCaseConversion, String binding, List<AttributeEntry> samlCustomAttributes)
  Jenkins passes these parameters in when you update the settings.
Method Summary
- boolean allowsSignup()
- SecurityRealm.SecurityComponents createSecurityComponents()
- org.kohsuke.stapler.HttpResponse doCommenceLogin(org.kohsuke.stapler.StaplerRequest request, org.kohsuke.stapler.StaplerResponse response, String from, String referer)
  /securityRealm/commenceLogin
- org.kohsuke.stapler.HttpResponse doFinishLogin(org.kohsuke.stapler.StaplerRequest request, org.kohsuke.stapler.StaplerResponse response)
  /securityRealm/finishLogin
- void doLogout(org.kohsuke.stapler.StaplerRequest req, org.kohsuke.stapler.StaplerResponse rsp)
- org.kohsuke.stapler.HttpResponse doMetadata(org.kohsuke.stapler.StaplerRequest request, org.kohsuke.stapler.StaplerResponse response)
  /securityRealm/metadata
- SamlAdvancedConfiguration getAdvancedConfiguration()
- String getBinding()
- String getDisplayNameAttributeName()
- String getEmailAttributeName()
- SamlEncryptionData getEncryptionData()
- String getGroupsAttributeName()
- IdpMetadataConfiguration getIdpMetadataConfiguration()
- String getLoginUrl()
- String getLogoutUrl()
- Integer getMaximumAuthenticationLifetime()
- protected String getPostLogOutUrl(org.kohsuke.stapler.StaplerRequest req, Authentication auth)
- List<AttributeEntry> getSamlCustomAttributes()
- SamlPluginConfig getSamlPluginConfig()
- String getUsernameAttributeName()
- String getUsernameCaseConversion()
- GroupDetails loadGroupByGroupname2(String groupname, boolean fetchMembers)
  This method is overridden because SAML has no way to retrieve the members of a group, which causes issues in some authorization plugins.
- Object readResolve()
- void setSamlCustomAttribute(List<AttributeEntry> samlCustomAttributes)
- String toString()
- Methods inherited from class hudson.security.SecurityRealm:
  all, canLogOut, commenceSignup, commonFilters, createCliAuthenticator, createFilter, doCaptcha, getAuthenticationGatewayUrl, getCaptchaSupport, getCaptchaSupportDescriptors, getDescriptor, getFrom, getGroupIdStrategy, getPostLogOutUrl2, getSecurityComponents, getUserIdStrategy, loadGroupByGroupname, loadGroupByGroupname, loadUserByUsername, loadUserByUsername2, setCaptchaSupport, validateCaptcha
Field Detail
- public static final String DEFAULT_DISPLAY_NAME_ATTRIBUTE_NAME
- public static final String DEFAULT_GROUPS_ATTRIBUTE_NAME
- public static final int DEFAULT_MAXIMUM_AUTHENTICATION_LIFETIME
- public static final String DEFAULT_USERNAME_CASE_CONVERSION
- public static final String SP_METADATA_FILE_NAME
- public static final String IDP_METADATA_FILE_NAME
- public static final String ERROR_ONLY_SPACES_FIELD_VALUE
  Form validation messages.
- public static final String ERROR_NOT_VALID_NUMBER
- public static final String ERROR_MALFORMED_URL
- public static final String ERROR_IDP_METADATA_EMPTY
- public static final String WARN_RECOMMENDED_TO_SET_THE_GROUPS_ATTRIBUTE
- public static final String WARN_RECOMMENDED_TO_SET_THE_USERNAME_ATTRIBUTE
- public static final String WARN_RECOMMENDED_TO_SET_THE_EMAIL_ATTRIBUTE
- public static final String ERROR_NOT_POSSIBLE_TO_READ_KS_FILE
- public static final String ERROR_CERTIFICATES_COULD_NOT_BE_LOADED
- public static final String ERROR_ALGORITHM_CANNOT_BE_FOUND
- public static final String ERROR_NO_PROVIDER_SUPPORTS_A_KS_SPI_IMPL
- public static final String ERROR_WRONG_INFO_OR_PASSWORD
- public static final String ERROR_INSUFFICIENT_OR_INVALID_INFO
- public static final String CONSUMER_SERVICE_URL_PATH
  URL to process the SAML answers.
- public static final String WARN_THERE_IS_NOT_KEY_STORE
- public static final String ERROR_NOT_KEY_FOUND
- public static final String SUCCESS
- public static final String NOT_POSSIBLE_TO_GET_THE_METADATA
- public static final String CHECK_TROUBLESHOOTING_GUIDE
- public static final String CHECK_MAX_AUTH_LIFETIME
- public static final String WARN_KEYSTORE_NOT_SET
- public static final String WARN_PRIVATE_KEY_ALIAS_NOT_SET
- public static final String WARN_PRIVATE_KEYSTORE_PASS_NOT_SET
- public static final String WARN_PRIVATE_KEY_PASS_NOT_SET
- See Also:
  Constant Field Values
Constructor Detail
SamlSecurityRealm
@DataBoundConstructor public SamlSecurityRealm(IdpMetadataConfiguration idpMetadataConfiguration, String displayNameAttributeName, String groupsAttributeName, Integer maximumAuthenticationLifetime, String usernameAttributeName, String emailAttributeName, String logoutUrl, SamlAdvancedConfiguration advancedConfiguration, SamlEncryptionData encryptionData, String usernameCaseConversion, String binding, List<AttributeEntry> samlCustomAttributes) throws IOException
Jenkins passes these parameters in when you update the settings. It does this because of the @DataBoundConstructor.
- Parameters:
  idpMetadataConfiguration - how to obtain the IdP metadata configuration.
  displayNameAttributeName - attribute that has the display name.
  groupsAttributeName - attribute that has the groups.
  maximumAuthenticationLifetime - maximum time for which an authentication is valid.
  usernameAttributeName - attribute that has the username.
  emailAttributeName - attribute that has the email.
  logoutUrl - optional URL to redirect to on logout.
  advancedConfiguration - advanced configuration settings.
  encryptionData - encryption configuration settings.
  usernameCaseConversion - username case conversion setting.
  binding - SAML binding method.
  samlCustomAttributes - custom attributes to read from the SAML Response.
- Throws:
  IOException - if it is not possible to write the IdP metadata file.
Method Detail
readResolve
public Object readResolve()

allowsSignup
public boolean allowsSignup()
- Overrides:
  allowsSignup in class SecurityRealm

createSecurityComponents
public SecurityRealm.SecurityComponents createSecurityComponents()
- Specified by:
  createSecurityComponents in class SecurityRealm

getLoginUrl
public String getLoginUrl()
- Overrides:
  getLoginUrl in class SecurityRealm
doCommenceLogin
public org.kohsuke.stapler.HttpResponse doCommenceLogin(org.kohsuke.stapler.StaplerRequest request, org.kohsuke.stapler.StaplerResponse response, @QueryParameter String from, @Header("Referer") String referer)
/securityRealm/commenceLogin
- Parameters:
  request - http request.
  response - http response.
  referer - referer.
  from - http request "from" parameter.
- Returns:
  the http response.

doFinishLogin
public org.kohsuke.stapler.HttpResponse doFinishLogin(org.kohsuke.stapler.StaplerRequest request, org.kohsuke.stapler.StaplerResponse response)
/securityRealm/finishLogin
- Parameters:
  request - http request.
  response - http response.
- Returns:
  the http response.

doMetadata
public org.kohsuke.stapler.HttpResponse doMetadata(org.kohsuke.stapler.StaplerRequest request, org.kohsuke.stapler.StaplerResponse response)
/securityRealm/metadata
URL request service method to expose the SP metadata to the user so that they can configure their IdP.
- Parameters:
  request - http request.
  response - http response.
- Returns:
  the http response.
getPostLogOutUrl
protected String getPostLogOutUrl(org.kohsuke.stapler.StaplerRequest req, @NonNull Authentication auth)

doLogout
public void doLogout(org.kohsuke.stapler.StaplerRequest req, org.kohsuke.stapler.StaplerResponse rsp) throws IOException, javax.servlet.ServletException
- Overrides:
  doLogout in class SecurityRealm
- Throws:
  IOException
  javax.servlet.ServletException

loadGroupByGroupname2
public GroupDetails loadGroupByGroupname2(String groupname, boolean fetchMembers) throws org.springframework.security.core.userdetails.UsernameNotFoundException
This method is overridden because SAML has no way to retrieve the members of a group, which causes issues in some authorization plugins. Because of that we have to implement SamlGroupDetails.
- Overrides:
  loadGroupByGroupname2 in class SecurityRealm
- Throws:
  org.springframework.security.core.userdetails.UsernameNotFoundException
getSamlPluginConfig
public SamlPluginConfig getSamlPluginConfig()
- Returns:
  plugin configuration parameters.
getUsernameAttributeName
public String getUsernameAttributeName()
-
getDisplayNameAttributeName
public String getDisplayNameAttributeName()
-
getGroupsAttributeName
public String getGroupsAttributeName()
-
getMaximumAuthenticationLifetime
public Integer getMaximumAuthenticationLifetime()
-
getAdvancedConfiguration
public SamlAdvancedConfiguration getAdvancedConfiguration()
-
getBinding
public String getBinding()
-
getEncryptionData
public SamlEncryptionData getEncryptionData()
-
getUsernameCaseConversion
public String getUsernameCaseConversion()
-
getEmailAttributeName
public String getEmailAttributeName()
-
getLogoutUrl
public String getLogoutUrl()
-
getIdpMetadataConfiguration
public IdpMetadataConfiguration getIdpMetadataConfiguration()
-
getSamlCustomAttributes
@NonNull public List<AttributeEntry> getSamlCustomAttributes()
-
setSamlCustomAttribute
public void setSamlCustomAttribute(List<AttributeEntry> samlCustomAttributes)