```text
-> [
   - /cctray.xml - createSession(5 min)
   - /api/**     - createSession(5 min)
   - /**         - createSession(perpetual)
   ]
-> authFilter
   [
   - /remoting/** - x509AuthFilter
   - /cctray.xml  - apiAuthFilter
   - /api/**      - apiAuthFilter
   - /**          - authFilter
   ]
-> [
   - /cctray.xml - session timeout
   - /api/**     - session timeout
   ]
-> [
   - /
   ]
```
- SessionCreateFilter
  - create a session if one is not present already
- AuthenticationFilter
  - check if there is an "authentication(principal, credentials, ...)" in the current session
  - check if basic auth credentials are provided, and do what SessionController#login does
  - does re-authentication (after an interval)
  - if an x509 cert is present: extract the cert, extract the CN and put it in the authentication object in the session
  - if oauth....
  - if there is no authentication:
    - for api calls (via ajax): no challenge
    - for api calls (without ajax: curl, or some other means): challenge
    - everything else: redirect to the login page, after remembering the request url in the session.
- ApplyAuthorityForCurrentUser
  - `filterInvocationInterceptor` from acegi.xml
  - FilterChain (from acegi)
- SessionController:
  - `GET /login`: show the login page that submits to `/login`
  - `POST /login`: username/password authentication; goes to the plugin(s) to authenticate, puts an authentication object in a new session, and redirects to `/` (or the last remembered url)
  - `/logout`: clears the session
  - `/plugin/*/authenticate`: goes to the plugin to perform web based authentication, and puts an authentication object in a new session

A -> created -> form login ->
B -> created -> basic auth -> create authentication -> filter chain
----------------------

TODO
======

loginName on `GoPrincipalUser`, and NewPluginAuthenticationProvider#authenticate
The new implementation of Spring Security is a collection of filter chains. The entry point is a single `DelegatingFilterProxy` registered in web.xml; it is mapped to `/*`, so every request is handed to the Spring bean named `mainFilterChain`:

```xml
<filter>
  <filter-name>mainFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  <init-param>
    <param-name>targetBeanName</param-name>
    <param-value>mainFilterChain</param-value>
  </init-param>
</filter>
...
<filter-mapping>
  <filter-name>mainFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

MainFilterChain
===============

The main filter chain is a collection of filter chains and global filters, applied in the following order:
- ModeAwareFilter: blocks incoming POST, PUT, PATCH or DELETE requests when the server is running in passive mode.
- CreateSessionFilterChain: this filter chain contains 2 filters:
  - AlwaysCreateSessionFilter: creates a new session if one does not exist.
  - ApiSessionReduceIdleTimeoutFilter: reduces `MaxInactiveInterval` on the session for `/api/*` and `/cctray.xml`.
- LocaleResolver: sets up the locale for the request.
- RememberLastRequestUrlFilterChain: remembers the last requested URL (GET and HEAD only), except for the following URLs:
  - /cctray.xml
  - /api/*
  - /remoting/**
  - /agent-websocket/**
  - /auth/**
  - /plugin/*/authenticate
  - /plugin/*/login
  - /assets/**
  - /server/messages.json
- AuthenticationFilterChain: maps each URL pattern to an authentication filter. It also contains some additional filters that apply before the authentication filter, such as InvalidateAuthenticationOnSecurityConfigChangeFilter and the ReAuthentication filters (ReAuthenticationWithChallenge, ReAuthenticationWithRedirectToLoginPage).
  - X509AuthenticationFilter: performs authentication using the X509 certificate presented by the agent.
  - InvalidateAuthenticationOnSecurityConfigChangeFilter: invalidates the authentication token for all users when the security config is changed.
  - ReAuthenticationWithRedirectToLoginPage: performs re-authentication using the existing AuthenticationToken when the token is not valid or has expired. On success, the filter updates the existing AuthenticationToken and continues to the next filter in the chain. On failure, it redirects the user to the /go/auth/login page.
  - ReAuthenticationWithChallenge: performs re-authentication using the existing AuthenticationToken when the token is not valid or has expired. On success, the filter updates the existing AuthenticationToken and continues to the next filter in the chain. On failure, it prepares the response as follows:
    - shows a challenge (WWW-Authenticate) when security is enabled and the request is an API request but not an Ajax request
    - sets the response status to 401
    - sets Content-Type based on the request Accept header
    - generates an access denied message (json or xml) based on the Accept header
  - BasicAuthenticationWithChallengeFilter: performs the authentication if the request is not yet authenticated and BASIC auth credentials are provided in the request; the challenge variant, used on the API patterns.
  - BasicAuthenticationWithRedirectToLoginFilter: performs the authentication if the request is not yet authenticated and BASIC auth credentials are provided in the request; the redirect-to-login variant, used for `/api/version` and `/**`.
Ant URL pattern | Filters
---|---
`/remoting/**` | X509AuthenticationFilter
`/agent-websocket/**` | X509AuthenticationFilter
`/add-on/*/api/**` | InvalidateAuthenticationOnSecurityConfigChangeFilter, ReAuthenticationWithRedirectToLoginPage and OauthAuthenticationFilter
`/api/config-repository.git/**` | InvalidateAuthenticationOnSecurityConfigChangeFilter, ReAuthenticationWithChallenge and BasicAuthenticationWithChallengeFilter
`/cctray.xml` | InvalidateAuthenticationOnSecurityConfigChangeFilter, ReAuthenticationWithChallenge and BasicAuthenticationWithChallengeFilter
`/api/**` | InvalidateAuthenticationOnSecurityConfigChangeFilter, ReAuthenticationWithChallenge and BasicAuthenticationWithChallengeFilter
`/api/version` | InvalidateAuthenticationOnSecurityConfigChangeFilter, ReAuthenticationWithRedirectToLoginPage and BasicAuthenticationWithRedirectToLoginFilter
`/auth/*` | Open to all, so a NoOpFilter is applied.
`/plugin/*/login` | Open to all, so a NoOpFilter is applied.
`/plugin/*/authenticate` | Open to all, so a NoOpFilter is applied.
`/**` | InvalidateAuthenticationOnSecurityConfigChangeFilter, ReAuthenticationWithRedirectToLoginPage and BasicAuthenticationWithRedirectToLoginFilter

Patterns are tried in order and the first match wins, which is why the specific patterns sit above `/**`. Note that in the listing as captured here `/api/version` appears below `/api/**`; under first-match semantics it would be shadowed unless it is registered before `/api/**` in the actual chain definition, so check the ordering in the code rather than in this table.
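The decision that both the early notes (no challenge for Ajax API calls, a challenge for curl-style API calls, otherwise remember the URL and redirect to login) and the ReAuthenticationWithChallenge / ReAuthenticationWithRedirectToLoginPage descriptions spell out, as one added example filter. This is not GoCD's code: the session keys, the realm string, the Ajax test on `X-Requested-With`, the JSON/XML bodies and the rule that anything under `/api/` or `/cctray.xml` is an API request are assumptions, and the remember-the-URL step that GoCD keeps in its separate RememberLastRequestUrlFilterChain is folded into the redirect branch here for compactness.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.filter.OncePerRequestFilter;

/** Example only: what happens to a request that reaches this point unauthenticated. */
public class UnauthenticatedRequestFilter extends OncePerRequestFilter {
    static final String AUTH_ATTR = "authentication";       // assumed session key
    static final String SAVED_URL_ATTR = "savedRequestUrl";  // assumed session key
    static final String LOGIN_PATH = "/auth/login";          // /go/auth/login under the /go context

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(AUTH_ATTR) != null) {
            chain.doFilter(request, response);   // already authenticated: nothing to do here
            return;
        }
        if (isApiRequest(request)) {
            // A WWW-Authenticate header makes a browser pop up its own Basic-auth dialog, so it
            // is only sent to non-Ajax callers (curl, scripts); Ajax callers get a bare 401 and
            // the page decides what to do with it.
            if (!isAjax(request)) {
                response.setHeader("WWW-Authenticate", "Basic realm=\"GoCD\"");
            }
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            writeAccessDenied(request, response);
            return;
        }
        // Everything else: remember where the user was going, then redirect to the login page.
        // Only GET/HEAD are remembered (a replayed POST would be a surprise), and only the
        // server-relative path is stored, so the post-login redirect cannot leave this host.
        if (isSafeMethod(request)) {
            request.getSession(true).setAttribute(SAVED_URL_ATTR, pathWithQuery(request));
        }
        response.sendRedirect(request.getContextPath() + LOGIN_PATH);
    }

    static boolean isApiRequest(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        return path.startsWith("/api/") || path.equals("/cctray.xml");
    }

    /** Assumption: Ajax callers are recognised by the X-Requested-With header. */
    static boolean isAjax(HttpServletRequest request) {
        return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
    }

    static boolean isSafeMethod(HttpServletRequest request) {
        return "GET".equals(request.getMethod()) || "HEAD".equals(request.getMethod());
    }

    static String pathWithQuery(HttpServletRequest request) {
        String query = request.getQueryString();
        return request.getRequestURI() + (query == null ? "" : "?" + query);
    }

    /** Body format follows the Accept header, as the notes describe: XML when asked for, JSON otherwise. */
    static void writeAccessDenied(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String accept = request.getHeader("Accept");
        if (accept != null && accept.contains("xml")) {
            response.setContentType("application/xml");
            response.getWriter().write("<access-denied><message>You are not authenticated.</message></access-denied>");
        } else {
            response.setContentType("application/json");
            response.getWriter().write("{\"message\":\"You are not authenticated.\"}");
        }
    }
}
```

The two things worth checking in the real filters are the same two this example makes explicit: that the challenge header is never sent on the Ajax path, and that whatever gets stored as the remembered URL is a path on this server and not a caller-supplied absolute URL.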
- AssumeAnonymousUserFilter: when the AuthenticationFilterChain fails to authenticate the request, this filter authenticates it using an anonymous authentication token.
- ThreadLocalUserFilter: puts the current user in a ThreadLocal for application use and removes it again after the request has been served.
- AuthorizeFilterChain: this filter chain contains mappings of URLs to the authority required to access them. It also uses ResponseHandler to generate the access denied message based on the request.
- DenyGoCDAccessForArtifactsFilterChain: blocks access to GoCD from artifacts.
- ArtifactSizeEnforcementFilterChain: checks that enough disk space is available while an artifact is being uploaded. The filter applies to `/files/**` and `/remoting/files/**`.
- FlashLoadingFilter: loads the flash from the session and adds it to a thread local.
Agent remoting filter chain:

- AgentRemotingFilterChain: ModeAwareFilter, ArtifactSizeEnforcementFilter, LocaleResolver, HttpSessionContextIntegrationFilter, X509AuthenticationFilter, AuthorizeAgentFilterChain, UrlRewriteFilter
- AuthorizeAgentFilterChain: four VerifyAuthorityFilter entries, followed by DenyAllAccessFilter as the final catch-all

Filter chain to create a session for the request:

- SessionCreateFilterChain: ApiSessionReduceIdleTimeoutFilter, AlwaysCreateSessionFilter
```text
-> authFilter
   [
   - /remoting/** - x509AuthFilter
   - /cctray.xml  - apiAuthFilter (basic auth with challenge, basic auth with redirect or 403)
   - /api/**      - apiAuthFilter (basic auth with challenge, basic auth with redirect or 403)
   - /**          - authFilter (basic auth with redirect or 403, AnonymousFilter -> go/auth/login)
   ]
-> authorizeFilterChain
   [
   - /remoting/** - agentAuthorizeFilterChain
   - /cctray.xml  - apiAuthorizeFilterChain
   - /api/**      - apiAuthorizeFilterChain
   - /**          - everythingElse
   ]
-> agentAuthorizeFilterChain
   [
   ]
-> apiAuthorizeFilterChain
   [
-> everythingElse
   [
   ]
```
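The per-URL dispatch that the AuthenticationFilterChain table and the authFilter sketch above both describe, wired up with Spring Security's `FilterChainProxy`. This is an added example, not GoCD's chain definition: the filters are stand-ins that only record their names, the request attribute `filtersApplied` exists only for the example, and it assumes Spring Security 5 on the javax.servlet API with spring-test on the classpath for the mock request. What it shows that a table cannot is the first-match rule: `FilterChainProxy` uses the first chain whose matcher accepts the request, so `/api/version` must be registered before `/api/**`.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.filter.GenericFilterBean;

public class AuthenticationFilterChainExample {
    static final String APPLIED = "filtersApplied";   // request attribute used only by this example

    /** Stand-in for a real filter: records its name on the request and continues. */
    static final class NamedFilter extends GenericFilterBean {
        private final String name;
        NamedFilter(String name) { this.name = name; }

        @Override
        @SuppressWarnings("unchecked")
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            List<String> applied = (List<String>) req.getAttribute(APPLIED);
            if (applied == null) {
                applied = new ArrayList<>();
                req.setAttribute(APPLIED, applied);
            }
            applied.add(name);
            chain.doFilter(req, res);
        }
    }

    static final Filter X509 = new NamedFilter("X509AuthenticationFilter");
    static final Filter INVALIDATE = new NamedFilter("InvalidateAuthenticationOnSecurityConfigChangeFilter");
    static final Filter REAUTH_REDIRECT = new NamedFilter("ReAuthenticationWithRedirectToLoginPage");
    static final Filter REAUTH_CHALLENGE = new NamedFilter("ReAuthenticationWithChallenge");
    static final Filter BASIC_CHALLENGE = new NamedFilter("BasicAuthenticationWithChallengeFilter");
    static final Filter BASIC_REDIRECT = new NamedFilter("BasicAuthenticationWithRedirectToLoginFilter");
    static final Filter OAUTH = new NamedFilter("OauthAuthenticationFilter");

    static SecurityFilterChain on(String antPattern, Filter... filters) {
        return new DefaultSecurityFilterChain(new AntPathRequestMatcher(antPattern), filters);
    }

    /** The table, in matcher order. FilterChainProxy stops at the first chain that matches. */
    static FilterChainProxy buildChain() {
        List<SecurityFilterChain> chains = new ArrayList<>();
        chains.add(on("/remoting/**", X509));
        chains.add(on("/agent-websocket/**", X509));
        chains.add(on("/add-on/*/api/**", INVALIDATE, REAUTH_REDIRECT, OAUTH));
        chains.add(on("/api/version", INVALIDATE, REAUTH_REDIRECT, BASIC_REDIRECT)); // before /api/**, or never reached
        chains.add(on("/api/config-repository.git/**", INVALIDATE, REAUTH_CHALLENGE, BASIC_CHALLENGE));
        chains.add(on("/cctray.xml", INVALIDATE, REAUTH_CHALLENGE, BASIC_CHALLENGE));
        chains.add(on("/api/**", INVALIDATE, REAUTH_CHALLENGE, BASIC_CHALLENGE));
        chains.add(on("/auth/*"));                  // open URLs: an empty chain just continues
        chains.add(on("/plugin/*/login"));
        chains.add(on("/plugin/*/authenticate"));
        chains.add(on("/**", INVALIDATE, REAUTH_REDIRECT, BASIC_REDIRECT));
        return new FilterChainProxy(chains);
    }

    /** Sends one GET through the proxy and returns the names of the filters that ran. */
    @SuppressWarnings("unchecked")
    static List<String> filtersAppliedTo(String path) throws IOException, ServletException {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", path);
        request.setServletPath(path);   // AntPathRequestMatcher matches servletPath + pathInfo
        buildChain().doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
        List<String> applied = (List<String>) request.getAttribute(APPLIED);
        return applied == null ? List.of() : applied;
    }

    public static void main(String[] args) throws Exception {
        for (String path : List.of("/remoting/agent", "/api/version", "/api/pipelines", "/auth/login", "/pipelines")) {
            System.out.println(path + " -> " + filtersAppliedTo(path));
        }
    }
}
```

Swap the `/api/version` and `/api/**` lines in `buildChain()` and rerun `main` to see the shadowing: `/api/version` then picks up the challenge filters instead of the redirect ones, which is exactly the kind of ordering slip a unit test over `filtersAppliedTo` catches before a release.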
In web.xml we have to register 3 filter chains: SessionCreateFilter, AuthenticationFilter and ApplyAuthorityForCurrentUser (the `filterInvocationInterceptor` FilterChain from acegi.xml).