@bdpiprava
Created March 29, 2018 16:58
spring
-> [
- /cctray.xml - createSession(5 min)
- /api/** - createSession(5 min)
- /** - createSession(perpetual)
]
-> authFilter
[
- /remoting/** - x509AuthFilter
- /cctray.xml - apiAuthFilter
- /api/** - apiAuthFilter
- /** - authFilter
]
->
[
- /cctray.xml - session timeout
- /api/** - session timeout
]
->
[
- /
]
- SessionCreateFilter
  - create session if not present already
- AuthenticationFilter
  - check if there is an "authentication(principal, credentials, ...)" in the current session
  - check if basic auth credentials are provided, and do what SessionController#login does
  - does re-authentication (after an interval)
  - if an x509 cert is present — extract the cert, extract the CN and put it in the authentication object in the session
  - if oauth....
  - if there is no authentication:
    - for api calls (via ajax): no challenge
    - for api calls (without ajax, curl, or some other means): challenge
    - everything else: redirect to the login page, after remembering the request url in the session.
- ApplyAuthorityForCurrentUser
  - `filterInvocationInterceptor` from acegi.xml
- FilterChain (from acegi)
- SessionController:
  - `GET /login` — show the login page that submits to `/login`
  - `POST /login` — username/pass authentication — goes to the plugin(s) to authenticate, puts an authentication object in a new session, and redirects to `/` (or the last remembered url)
  - `/logout` - clears the session
  - `/plugin/*/authenticate` - goes to the plugin to perform web based authentication, and puts an authentication object in a new session
A -> created -> form login ->
B -> created -> basic auth -> create authentication -> filter chain
----------------------
TODO
======
loginName on `GoPrincipalUser`, and NewPluginAuthenticationProvider#authenticate
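The three outcomes for a request that carries no authentication (no challenge for Ajax API calls, a Basic challenge for other API clients, a remembered URL plus a redirect to the login page for everything else), as an added Java example. This is not GoCD's code: the `Request` and `Response` classes stand in for the servlet API, and the session key, realm name and access-denied bodies are assumptions. The `/go/auth/login` page, the Accept-driven body format and the GET/HEAD-only rule for the remembered URL follow the later notes on this page.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not GoCD code: decides what an unauthenticated request gets back.
 *   API call via Ajax            -> 401 without WWW-Authenticate (no browser Basic-auth popup)
 *   API call from curl/other     -> 401 with a Basic challenge
 *   anything else                -> remember the URL in the session, redirect to the login page
 */
public final class UnauthenticatedRequestHandler {

    /** Minimal stand-in for HttpServletRequest (assumption, not the servlet API). */
    public static final class Request {
        final String method;
        final String path;
        private final Map<String, String> headers = new HashMap<>();
        public Request(String method, String path) { this.method = method; this.path = path; }
        public Request header(String name, String value) { headers.put(name.toLowerCase(), value); return this; }
        String header(String name) { return headers.get(name.toLowerCase()); }
    }

    /** What the filter writes back: status, headers and body. */
    public static final class Response {
        public int status;
        public final Map<String, String> headers = new HashMap<>();
        public String body = "";
        @Override public String toString() { return status + " " + headers + " " + body; }
    }

    static final String LOGIN_PAGE = "/go/auth/login";               // login page named in the notes
    static final String REMEMBERED_URL_KEY = "redirect_after_login"; // session attribute name is an assumption

    static boolean isApiRequest(String path) {
        return path.equals("/cctray.xml") || path.startsWith("/api/");
    }

    static boolean isAjax(Request req) {
        return "XMLHttpRequest".equalsIgnoreCase(req.header("X-Requested-With"));
    }

    /** session stands in for the HttpSession attribute map. */
    public static Response handle(Request req, Map<String, String> session) {
        Response res = new Response();
        if (isApiRequest(req.path)) {
            res.status = 401;
            // Only non-Ajax API clients get the challenge; challenging an Ajax call would
            // make the browser pop up its own Basic-auth dialog on top of the UI.
            if (!isAjax(req)) {
                res.headers.put("WWW-Authenticate", "Basic realm=\"GoCD\""); // realm name assumed
            }
            // Content-Type and access-denied body follow the Accept header; bodies are constructed text.
            String accept = req.header("Accept");
            if (accept != null && accept.contains("application/xml")) {
                res.headers.put("Content-Type", "application/xml");
                res.body = "<access-denied>You are not authenticated.</access-denied>";
            } else {
                res.headers.put("Content-Type", "application/json");
                res.body = "{\"message\":\"You are not authenticated.\"}";
            }
            return res;
        }
        // Everything else: remember where the user was going (only GET and HEAD are safe
        // to replay after login), then send them to the login page.
        if (req.method.equals("GET") || req.method.equals("HEAD")) {
            session.put(REMEMBERED_URL_KEY, req.path);
        }
        res.status = 302;
        res.headers.put("Location", LOGIN_PAGE);
        return res;
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<>();
        System.out.println(handle(new Request("GET", "/api/pipelines").header("X-Requested-With", "XMLHttpRequest"), session));
        System.out.println(handle(new Request("GET", "/api/pipelines").header("Accept", "application/xml"), session));
        System.out.println(handle(new Request("POST", "/api/pipelines/build/schedule"), session));
        System.out.println(handle(new Request("GET", "/pipelines"), session));
        System.out.println("remembered url: " + session.get(REMEMBERED_URL_KEY));
    }
}
```

The split on `X-Requested-With` is the practical check: a Basic challenge to a page's XHR call would surface the browser's native credential prompt, while a redirect to an HTML login page is useless to `curl` or a CI client, so each class of caller gets the response it can act on.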
bdpiprava commented Apr 6, 2018

The new implementation of spring security is a collection of filter chains. The entry point for this is defined in web.xml:

```xml
<filter>
    <filter-name>mainFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
      <param-name>targetBeanName</param-name>
      <param-value>mainFilterChain</param-value>
    </init-param>
</filter>
...
<filter-mapping>
    <filter-name>mainFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

MainFilterChain

The main filter chain is a collection of filter chains and global filters.

  1. ModeAwareFilter: This filter blocks incoming POST, PUT, PATCH or DELETE requests when the server is running in passive mode
  2. CreateSessionFilterChain: This filter chain contains 2 filters -

     | Name | Description |
     | --- | --- |
     | AlwaysCreateSessionFilter | Creates a new session if one does not exist |
     | ApiSessionReduceIdleTimeoutFilter | Reduces MaxInactiveInterval on the session for `/api/*`, `/cctray.xml` |

Agent remoting filter chain:

AgentRemotingFilterChain:

| Ant URL pattern | Filters |
| --- | --- |
| `/remoting/**` | ModeAwareFilter, ArtifactSizeEnforcementFilter, LocaleResolver, HttpSessionContextIntegrationFilter, X509AuthenticationFilter, AuthorizeAgentFilterChain, UrlRewriteFilter |
| `/agent-websocket/**` | ModeAwareFilter, ArtifactSizeEnforcementFilter, LocaleResolver, HttpSessionContextIntegrationFilter, X509AuthenticationFilter, AuthorizeAgentFilterChain |

AuthorizeAgentFilterChain:

| Ant URL pattern | Filters |
| --- | --- |
| `/remoting/remoteBuildRepository` | VerifyAuthorityFilter |
| `/remoting/files/**` | VerifyAuthorityFilter |
| `/remoting/properties/**` | VerifyAuthorityFilter |
| `/agent-websocket/**` | VerifyAuthorityFilter |
| `/**` | DenyAllAccessFilter |

Filter chain to create a session for the request:

SessionCreateFilterChain:

| Ant URL pattern | Filters |
| --- | --- |
| `/cctray.xml` | ApiSessionReduceIdleTimeoutFilter, AlwaysCreateSessionFilter |
| `/api/**` | ApiSessionReduceIdleTimeoutFilter, AlwaysCreateSessionFilter |
| `/**` | AlwaysCreateSessionFilter |

-> authFilter
[
- /remoting/** - x509AuthFilter
- /cctray.xml - apiAuthFilter (basic auth with challenge, basic auth with redirect or 403)
- /api/** - apiAuthFilter (basic auth with challenge, basic auth with redirect or 403)
- /** - authFilter (basic auth with redirect or 403, AnonymousFilter -> go/auth/login)
]
-> authorizeFilterChain
[
- /remoting/** - agentAuthorizeFilterChain
- /cctray.xml - apiAuthorizeFilterChain
- /api/** - apiAuthorizeFilterChain
- /** - everythingElse
]

-> agentAuthorizeFilterChain
[

]

-> apiAuthorizeFilterChain
[

]

-> everythingElse
[

]

In web.xml we have to register 3 filter chains:

  1. Session create filter chain
  2. Authentication filter chain
  3. Authorization filter chain
  • SessionCreateFilter

    • create session if not present already
  • AuthenticationFilter

    • check if there is an "authentication(principal, credentials, ...)" in the current session
    • check if basic auth credentials provided, and do what SessionController#login does
    • does re-authentication (after an interval)
    • if x509 cert is present — extract cert and extract the CN and put it in the authentication object in the session
    • if oauth....
    • if there is no authentication:
      • for api calls (via ajax): no challenge
      • for api calls (without ajax, curl, or some other means): challenge
      • everything else: redirect to login page, after remembering the request url in the session.
  • ApplyAuthorityForCurrentUser

    • filterInvocationInterceptor from acegi.xml
  • FilterChain (from acegi)

  • AuthenticationController:
    GET /login — show the login page that submits to /login
    POST /login — username/pass authentication — goes to the plugin(s) to authenticate, and puts an authentication object in a new session, and redirect to / (or last remembered url)
    /logout - clears the session
    /plugin/*/authenticate - goes to the plugin to perform web based authentication, and puts an authentication object in a new session

A -> created -> form login ->
B -> created -> basic auth -> create authentication -> filter chain


TODO

loginName on GoPrincipalUser, and NewPluginAuthenticationProvider#authenticate

bdpiprava commented Apr 20, 2018

The new implementation of spring security is a collection of filter chains. The entry point for this is defined in web.xml:

```xml
<filter>
    <filter-name>mainFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
      <param-name>targetBeanName</param-name>
      <param-value>mainFilterChain</param-value>
    </init-param>
</filter>
...
<filter-mapping>
    <filter-name>mainFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

MainFilterChain

The main filter chain is a collection of filter chains and global filters.

  1. ModeAwareFilter: This filter blocks incoming POST, PUT, PATCH or DELETE requests when the server is running in passive mode

  2. CreateSessionFilterChain: This filter chain contains 2 filters -

     | Name | Description |
     | --- | --- |
     | AlwaysCreateSessionFilter | Creates a new session if one does not exist |
     | ApiSessionReduceIdleTimeoutFilter | Reduces MaxInactiveInterval on the session for `/api/*`, `/cctray.xml` |
  3. LocaleResolver: Setup the locale for the request

  4. RememberLastRequestUrlFilterChain: The filter remembers the last requested URL (GET and HEAD only) except for the following URLs

    • /cctray.xml
    • /api/*
    • /remoting/**
    • /agent-websocket/**
    • /auth/**
    • /plugin/*/authenticate
    • /plugin/*/login
    • /assets/**
    • /server/messages.json
  5. AuthenticationFilterChain: The authentication filter chain contains a list of URLs and the authentication filter for each URL.
    It also contains some additional filters that apply before the authentication filter, such as InvalidateAuthenticationOnSecurityConfigChangeFilter and ReAuthenticationFilter

  • X509AuthenticationFilter: This is to perform authentication using X509 certificate provided by the agent.

  • InvalidateAuthenticationOnSecurityConfigChangeFilter: Invalidates the authentication token for all users when the security config is changed.

  • ReAuthenticationWithRedirectToLoginPage: Performs re-authentication using existing AuthenticationToken when token is not valid or expired. On success, the filter will update the existing AuthenticationToken and continues to next filter in the chain. On failure, it will redirect the user to /go/auth/login page.

  • ReAuthenticationWithChallenge: Performs re-authentication using the existing AuthenticationToken when the token is not valid or has expired. On success, the filter will update the existing AuthenticationToken and continue to the next filter in the chain. On failure, it will prepare a response as follows -

    • Show a challenge (WWW-Authenticate) when security is enabled and the request is an API request but not an Ajax request
    • Set the response status to 401
    • Set Content-Type based on the request's Accept header
    • Generate an access denied message (json or xml) based on the Accept header
  • BasicAuthenticationWithChallengeFilter: Performs the authentication if a request is not authenticated and BASIC auth credentials are provided in the request.

  • ReAuthenticationWithRedirectToLoginPage: Performs the authentication if a request is not authenticated and BASIC auth credentials are provided in the request.

| Ant URL pattern | Filters |
| --- | --- |
| `/remoting/**` | X509AuthenticationFilter |
| `/agent-websocket/**` | X509AuthenticationFilter |
| `/add-on/*/api/**` | InvalidateAuthenticationOnSecurityConfigChangeFilter, ReAuthenticationWithRedirectToLoginPage and OauthAuthenticationFilter |
| `/api/config-repository.git/**` | InvalidateAuthenticationOnSecurityConfigChangeFilter, ReAuthenticationWithChallenge and BasicAuthenticationWithChallengeFilter |
| `/cctray.xml` | InvalidateAuthenticationOnSecurityConfigChangeFilter, ReAuthenticationWithChallenge and BasicAuthenticationWithChallengeFilter |
| `/api/**` | InvalidateAuthenticationOnSecurityConfigChangeFilter, ReAuthenticationWithChallenge and BasicAuthenticationWithChallengeFilter |
| `/api/version` | InvalidateAuthenticationOnSecurityConfigChangeFilter, ReAuthenticationWithRedirectToLoginPage and BasicAuthenticationWithRedirectToLoginFilter |
| `auth/*` | This URL is open to all, hence NoOpFilter is applied to it. |
| `/plugin/*/login` | This URL is open to all, hence NoOpFilter is applied to it. |
| `/plugin/*/authenticate` | This URL is open to all, hence NoOpFilter is applied to it. |
| `/**` | InvalidateAuthenticationOnSecurityConfigChangeFilter, ReAuthenticationWithRedirectToLoginPage and BasicAuthenticationWithRedirectToLoginFilter |
  1. AssumeAnonymousUserFilter: When the AuthenticationFilterChain fails to authenticate the request, this filter will authenticate it using an anonymous authentication token.
  2. ThreadLocalUserFilter: This will set the user in a ThreadLocal for application use and, after serving the request, remove the user from the ThreadLocal.
  3. AuthorizeFilterChain: The filter chain contains mappings of URLs to the authority required to access the URL.
    It also uses ResponseHandler to generate an access denied message based on the request.
  4. DenyGoCDAccessForArtifactsFilterChain: It will block GoCD access from artifacts.
  5. ArtifactSizeEnforcementFilterChain: The filter will check whether enough disk space is available while uploading an artifact. The filter applies to /files/** and /remoting/files/**
  6. FlashLoadingFilter: Loads the flash from the session and adds it to a thread local.
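First-match dispatch over Ant URL patterns, as an added Java example rather than GoCD or Spring code. It takes the AuthenticationFilterChain and AuthorizeAgentFilterChain tables above as its input, in the order listed; the chain names are shortened labels, the Ant-to-regex translation is a small stand-in for Spring's AntPathMatcher (an assumption, not Spring's implementation), and the leading slash on `auth/*` is assumed. The behaviour it exercises is the one Spring Security's FilterChainProxy has: the first pattern that matches wins, so a narrow pattern only takes effect if it is registered before a broader one that also matches its paths.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example, not GoCD or Spring code: selects a filter chain for a request path by
 * walking an ordered list of Ant patterns and returning the FIRST one that matches.
 */
public final class AntPatternChainSelector {

    private static final class Entry {
        final String ant; final Pattern regex; final String chain;
        Entry(String ant, String chain) { this.ant = ant; this.regex = toRegex(ant); this.chain = chain; }
    }

    private final List<Entry> entries = new ArrayList<>(); // insertion order is match order

    public AntPatternChainSelector map(String antPattern, String chainName) {
        entries.add(new Entry(antPattern, chainName));
        return this;
    }

    /** Chain for the first matching pattern; null when nothing matches (a caller should treat null as deny). */
    public String select(String path) {
        for (Entry e : entries) {
            if (e.regex.matcher(path).matches()) return e.chain;
        }
        return null;
    }

    /** Ant to regex: "**" spans segments, "*" stays inside one segment, "?" is one character. */
    static Pattern toRegex(String ant) {
        StringBuilder sb = new StringBuilder("^");
        for (int i = 0; i < ant.length(); ) {
            char c = ant.charAt(i);
            if (ant.startsWith("/**", i) && i + 3 == ant.length()) {
                sb.append("(/.*)?");     // a trailing "/**" also matches the bare prefix: /api/** matches /api
                i += 3;
            } else if (ant.startsWith("**", i)) {
                sb.append(".*");
                i += 2;
            } else if (c == '*') {
                sb.append("[^/]*");
                i++;
            } else if (c == '?') {
                sb.append("[^/]");
                i++;
            } else {
                if ("\\.[]{}()+-^$|".indexOf(c) >= 0) sb.append('\\'); // escape regex metacharacters
                sb.append(c);
                i++;
            }
        }
        return Pattern.compile(sb.append('$').toString());
    }

    public static void main(String[] args) {
        // AuthenticationFilterChain, in the order given in the table above (labels shortened).
        AntPatternChainSelector authn = new AntPatternChainSelector()
            .map("/remoting/**", "x509")
            .map("/agent-websocket/**", "x509")
            .map("/add-on/*/api/**", "oauth")
            .map("/api/config-repository.git/**", "basic-with-challenge")
            .map("/cctray.xml", "basic-with-challenge")
            .map("/api/**", "basic-with-challenge")
            .map("/api/version", "basic-with-redirect")
            .map("/auth/*", "noop")                 // leading slash assumed
            .map("/plugin/*/login", "noop")
            .map("/plugin/*/authenticate", "noop")
            .map("/**", "basic-with-redirect");

        System.out.println(authn.select("/remoting/remoteBuildRepository")); // x509
        System.out.println(authn.select("/add-on/foo/api/v1/items"));        // oauth
        System.out.println(authn.select("/api/pipelines/status"));           // basic-with-challenge
        System.out.println(authn.select("/pipelines"));                      // basic-with-redirect
        // First match wins: with this ordering /api/version is caught by /api/** before its own entry is reached.
        System.out.println(authn.select("/api/version"));                    // basic-with-challenge

        // AuthorizeAgentFilterChain: a catch-all deny means an unmapped agent URL is rejected, not passed through.
        AntPatternChainSelector agent = new AntPatternChainSelector()
            .map("/remoting/remoteBuildRepository", "VerifyAuthorityFilter")
            .map("/remoting/files/**", "VerifyAuthorityFilter")
            .map("/remoting/properties/**", "VerifyAuthorityFilter")
            .map("/agent-websocket/**", "VerifyAuthorityFilter")
            .map("/**", "DenyAllAccessFilter");
        System.out.println(agent.select("/remoting/files/artifact.zip"));    // VerifyAuthorityFilter
        System.out.println(agent.select("/remoting/anything-else"));         // DenyAllAccessFilter
    }
}
```

Two things worth checking whenever a table like this is edited: that every pattern meant to override `/**` or `/api/**` sits above the broader pattern, and that chains reachable by agents end in an explicit deny entry rather than falling through to the user-facing default.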
