[FIXED JENKINS-7995] pull up another member, and supported user retrieval in the Unix provider so long as bind name/DN is set.
kohsuke committed Nov 4, 2011
1 parent 4aa2ca8 commit e8de31544da2aa61bc330954be047fcc161e5fd9
@@ -5,13 +5,19 @@
import org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.springframework.dao.DataAccessException;

/**
* @author Kohsuke Kawaguchi
*/
public abstract class AbstractActiveDirectoryAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider implements UserDetailsService, GroupDetailsService {
protected abstract UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException;

public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
return retrieveUser(username,null);
}

protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
// active directory authentication is not by comparing clear text password,
// so there's nothing to do here.
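Review bot: The pulled-up `loadUserByUsername` calls `retrieveUser(username,null)`, which makes `authentication == null` a lookup-only contract that every subclass must honour, yet the abstract `retrieveUser` declared just above it carries no Javadoc saying so. Add Javadoc to `retrieveUser` stating that `authentication` is {@code null} when the caller only wants the user record, that no password is verified in that case, and that an implementation which cannot look a user up without configured credentials should throw UsernameNotFoundException rather than return a partial result. additionalAuthenticationChecks continues past the end of the hunk.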
@@ -57,10 +57,6 @@ public ActiveDirectoryAuthenticationProvider() {
con.open("Active Directory Provider",""/*default*/,""/*default*/,-1/*default*/);
}

public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
return retrieveUser(username,null);
}

protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
String password = null;
if(authentication!=null)
@@ -60,16 +60,6 @@ public ActiveDirectoryUnixAuthenticationProvider(ActiveDirectorySecurityRealm re
this.descriptor = realm.getDescriptor();
}

/**
* We'd like to implement {@link UserDetailsService} ideally, but in short
* of keeping the manager user/password, we can't do so. In Active Directory
* authentication, we should support SPNEGO/Kerberos and that should
* eliminate the need for the "remember me" service.
*/
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
throw new UsernameNotFoundException("Active-directory plugin doesn't support user retrieval");
}

protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
UserDetails userDetails = null;
for (String domainName : domainNames) {
@@ -95,7 +85,7 @@ private UserDetails retrieveUser(String username, UsernamePasswordAuthentication
ClassLoader ccl = Thread.currentThread().getContextClassLoader();
Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
try {
String password = null;
String password = NO_AUTHENTICATION;
if (authentication!=null)
password = (String) authentication.getCredentials();

@@ -132,6 +122,8 @@ public UserDetails retrieveUser(String username, String password, String domainN
throw new AuthenticationServiceException("Failed to bind to LDAP server with the bind name/password", e);
}
} else {
if (password==NO_AUTHENTICATION) throw new AuthenticationServiceException("Unable to retrieve the user information without bind DN/password configured");

String principalName = getPrincipalName(username, domainName);
id = principalName.substring(0, principalName.indexOf('@'));
context = descriptor.bind(principalName, password, ldapServers, preferredServer);
@@ -157,9 +149,9 @@ public UserDetails retrieveUser(String username, String password, String domainN
if (dn==null)
throw new BadCredentialsException("No distinguished name for "+username);

if (bindName!=null) {
if (bindName!=null && password!=NO_AUTHENTICATION) {
// if we've used the credential specifically for the bind, we
// need to verify the provided password.
// need to verify the provided password to do authentication
LOGGER.fine("Attempting to validate password for DN="+dn);
DirContext test = descriptor.bind(dn.toString(), password, ldapServers, preferredServer);
// Binding alone is not enough to test the credential. Need to actually perform some query operation.
@@ -267,6 +259,12 @@ private static String toDC(String domainName) {

private static final Logger LOGGER = Logger.getLogger(ActiveDirectoryUnixAuthenticationProvider.class.getName());

/**
* We use this as the password value if we are calling retrieveUser to retrieve the user information
* without authentication.
*/
private static final String NO_AUTHENTICATION = "\u0000\u0000\u0000\u0000\u0000\u0000";

public GroupDetails loadGroupByGroupname(String groupname) {
throw new UserMayOrMayNotExistException(groupname);
}
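Review bot: In the `@@ -95,7 +85,7 @@` hunk, `password = (String) authentication.getCredentials()` can leave `password` null or empty when the token carries no credential, and that value then reaches `descriptor.bind(...)` at both bind sites in the following hunks with no guard; unless `descriptor.bind` itself rejects empty credentials (not visible here), an LDAP server may treat an empty password as an unauthenticated bind that succeeds, so the new sentinel handling should be paired with an explicit check right after the assignment, e.g. `if (password==null || password.isEmpty()) throw new BadCredentialsException("Empty password for "+username);`. The `password==NO_AUTHENTICATION` and `password!=NO_AUTHENTICATION` comparisons depend on reference identity so that a caller-supplied string of NUL characters can never select the no-authentication path; that is the right choice but reads like a bug, so add `// identity comparison is deliberate: only this sentinel object, never a caller-supplied String, may skip password verification` at the `NO_AUTHENTICATION` declaration. The enclosing retrieveUser method starts and ends outside these hunks.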

