Created March 29, 2018 16:58
spring
-> [
    - /cctray.xml - createSession(5 min)
    - /api/** - createSession(5 min)
    - /** - createSession(perpetual)
   ]
-> authFilter
   [
    - /remoting/** - x509AuthFilter
    - /cctray.xml - apiAuthFilter
    - /api/** - apiAuthFilter
    - /** - authFilter
   ]
->
   [
    - /cctray.xml - session timeout
    - /api/** - session timeout
   ]
->
   [
    - /
   ]

- SessionCreateFilter
  - create session if not present already
- AuthenticationFilter
  - check if there is an "authentication(principal, credentials, ...)" in the current session
  - check if basic auth credentials are provided, and do what SessionController#login does
  - does re-authentication (after an interval)
  - if x509 cert is present — extract cert and extract the CN and put it in the authentication object in the session
  - if oauth....
  - if there is no authentication:
    - for api calls (via ajax): no challenge
    - for api calls (without ajax, curl, or some other means): challenge
    - everything else: redirect to login page, after remembering the request url in the session.
- ApplyAuthorityForCurrentUser
  - `filterInvocationInterceptor` from acegi.xml
- FilterChain (from acegi)
- SessionController:
  `GET /login` — show the login page that submits to `/login`
  `POST /login` — username/pass authentication — goes to the plugin(s) to authenticate, puts an authentication object in a new session, and redirects to `/` (or last remembered url)
  `/logout` - clears the session
  `/plugin/*/authenticate` - goes to the plugin to perform web based authentication, and puts an authentication object in a new session

A -> created -> form login ->
B -> created -> basic auth -> create authentication -> filter chain

----------------------
TODO
======
loginName on `GoPrincipalUser`, and NewPluginAuthenticationProvider#authenticate
The new implementation of spring security is a collection of the filter chain. The entry point for this is defined in `web.xml`: `MainFilterChain`.

The main filter chain is a collection of filter chains and global filters.

- `ModeAwareFilter`: This filter blocks incoming `POST`, `PUT`, `PATCH` or `DELETE` requests when a server is running in passive mode.
- `CreateSessionFilterChain`: This filter chain contains 2 filters - `MaxInActiveInterval` on the session for `/api/*` and `/cctray.xml`.
- `LocaleResolver`: Sets up the locale for the request.
- `RememberLastRequestUrlFilterChain`: The filter remembers the last requested url (`GET` and `HEAD` only) except for the following URLs:
  - `/cctray.xml`
  - `/api/*`
  - `/remoting/**`
  - `/agent-websocket/**`
  - `/auth/**`
  - `/plugin/*/authenticate`
  - `/plugin/*/login`
  - `/assets/**`
  - `/server/messages.json`
- `AuthenticationFilterChain`: The authentication filter chain contains a list of URLs and the authentication filter for each URL. It also contains some additional filters that apply before the authentication filter, such as `InvalidateAuthenticationOnSecurityConfigChangeFilter` and `ReAuthenticationFilter`.
  - `X509AuthenticationFilter`: Performs authentication using the X509 certificate provided by the agent.
  - `InvalidateAuthenticationOnSecurityConfigChangeFilter`: Invalidates the authentication token for all users when the security config is changed.
  - `ReAuthenticationWithRedirectToLoginPage`: Performs re-authentication using the existing `AuthenticationToken` when the token is not valid or has expired. On success, the filter updates the existing `AuthenticationToken` and continues to the next filter in the chain. On failure, it redirects the user to the `/go/auth/login` page.
  - `ReAuthenticationWithChallenge`: Performs re-authentication using the existing `AuthenticationToken` when the token is not valid or has expired. On success, the filter updates the existing `AuthenticationToken` and continues to the next filter in the chain. On failure, it prepares a response as follows:
    - `WWW-Authenticate` header, when security is enabled and the request is an API request but not an Ajax request
    - status `401`
    - `Content-Type` based on the request's `Accept` header
    - body (json or xml) based on the `Accept` header
  - `BasicAuthenticationWithChallengeFilter`: Performs the authentication if a request is not authenticated and `BASIC` auth credentials are provided in the request.
  - `ReAuthenticationWithRedirectToLoginPage`: Performs the authentication if a request is not authenticated and `BASIC` auth credentials are provided in the request.

  URL patterns and the filters applied to each:

  - `/remoting/**`: `X509AuthenticationFilter`
  - `/agent-websocket/**`: `x509AuthenticationFilter`
  - `/add-on/*/api/**`: `InvalidateAuthenticationOnSecurityConfigChangeFilter`, `ReAuthenticationWithRedirectToLoginPage` and `OauthAuthenticationFilter`
  - `/api/config-repository.git/**`: `InvalidateAuthenticationOnSecurityConfigChangeFilter`, `ReAuthenticationWithChallenge` and `BasicAuthenticationWithChallengeFilter`
  - `/cctray.xml`: `InvalidateAuthenticationOnSecurityConfigChangeFilter`, `ReAuthenticationWithChallenge` and `BasicAuthenticationWithChallengeFilter`
  - `/api/**`: `InvalidateAuthenticationOnSecurityConfigChangeFilter`, `ReAuthenticationWithChallenge` and `BasicAuthenticationWithChallengeFilter`
  - `/api/version`: `InvalidateAuthenticationOnSecurityConfigChangeFilter`, `ReAuthenticationWithRedirectToLoginPage` and `BasicAuthenticationWithRedirectToLoginFilter`
  - `auth/*`: `NoOpFilter` will be applied to it.
  - `/plugin/*/login`: `NoOpFilter` will be applied to it.
  - `/plugin/*/authenticate`: `NoOpFilter` will be applied to it.
  - `/**`: `InvalidateAuthenticationOnSecurityConfigChangeFilter`, `ReAuthenticationWithRedirectToLoginPage` and `BasicAuthenticationWithRedirectToLoginFilter`

  When `AuthenticationFilterChain` fails to authenticate a request, the filter authenticates using an anonymous authentication token. It also uses `ResponseHandler` to generate the access denied message based on the request.

- `/files/**` and `/remoting/files/**`
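As an added illustration (not code from this gist or from GoCD), the following Python models the decision the gist describes for a request whose session carries no authentication, together with the failure response of `ReAuthenticationWithChallenge`: basic credentials are checked first and, on success, an authentication object goes into the session; API calls get a `401` whose `WWW-Authenticate` challenge is omitted for Ajax callers, with `Content-Type` and body chosen from the `Accept` header; everything else is redirected to the login page after the request url is remembered in the session. The credential store, the `X-Requested-With` Ajax check and the realm string are assumptions.

```python
import base64
import hmac
from dataclasses import dataclass, field

# Constructed sample credential store; stands in for the auth plugin(s).
USERS = {"alice": "s3cret"}
LOGIN_PAGE = "/go/auth/login"

@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)  # server-side session state

def is_api(req):
    # /api/** and /cctray.xml get the challenge-style handling.
    return req.path.startswith("/api/") or req.path == "/cctray.xml"

def is_ajax(req):
    # Assumed Ajax marker; the gist only says "via ajax".
    return req.headers.get("X-Requested-With") == "XMLHttpRequest"

def basic_credentials(req):
    """Decode 'Authorization: Basic <b64>'; None if absent or malformed."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, sep, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if sep else None

def handle(req):
    """Return (status, headers, body) following the filter-chain rules."""
    if "authentication" in req.session:
        return 200, {}, "ok"                     # already authenticated
    creds = basic_credentials(req)
    if creds and hmac.compare_digest(USERS.get(creds[0], "").encode(), creds[1].encode()):
        req.session["authentication"] = {"principal": creds[0]}
        return 200, {}, "ok"                     # what SessionController#login does
    if not is_api(req):
        req.session["last_request_url"] = req.path   # remembered for post-login redirect
        return 302, {"Location": LOGIN_PAGE}, ""
    accept = req.headers.get("Accept", "")
    xml = "xml" in accept and "json" not in accept
    headers = {"Content-Type": "application/xml" if xml else "application/json"}
    if not is_ajax(req):                         # Ajax API calls get no challenge
        headers["WWW-Authenticate"] = 'Basic realm="GoCD"'  # realm is assumed
    body = "<error>Unauthorized</error>" if xml else '{"message": "Unauthorized"}'
    return 401, headers, body
```

Omitting the challenge for Ajax callers keeps browsers from showing a native basic-auth prompt on top of the application's own login page, while `curl`-style clients still receive it.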