/hudson-core/src/main/java/hudson/security/HudsonFilter.java

http://github.com/hudson/hudson · Java · 175 lines · 74 code · 17 blank · 84 comment · 10 complexity · 8987494ec7ddddc840d7d421f43297ac MD5 · raw file

  1. /*
  2. * The MIT License
  3. *
  4. * Copyright (c) 2004-2009, Sun Microsystems, Inc., Kohsuke Kawaguchi
  5. *
  6. * Permission is hereby granted, free of charge, to any person obtaining a copy
  7. * of this software and associated documentation files (the "Software"), to deal
  8. * in the Software without restriction, including without limitation the rights
  9. * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  10. * copies of the Software, and to permit persons to whom the Software is
  11. * furnished to do so, subject to the following conditions:
  12. *
  13. * The above copyright notice and this permission notice shall be included in
  14. * all copies or substantial portions of the Software.
  15. *
  16. * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  17. * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  18. * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  19. * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  20. * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  21. * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  22. * THE SOFTWARE.
  23. */
  24. package hudson.security;
  25. import hudson.model.Hudson;
  26. import java.io.IOException;
  27. import java.util.logging.Logger;
  28. import static java.util.logging.Level.SEVERE;
  29. import javax.servlet.Filter;
  30. import javax.servlet.FilterChain;
  31. import javax.servlet.FilterConfig;
  32. import javax.servlet.ServletContext;
  33. import javax.servlet.ServletException;
  34. import javax.servlet.ServletRequest;
  35. import javax.servlet.ServletResponse;
  36. import org.acegisecurity.AuthenticationManager;
  37. import org.acegisecurity.ui.rememberme.RememberMeServices;
  38. import org.acegisecurity.userdetails.UserDetailsService;
  39. /**
  40. * {@link Filter} that Hudson uses to implement security support.
  41. *
  42. * <p>
  43. * This is the instance the servlet container creates, but
  44. * internally this just acts as a proxy to the real {@link Filter},
  45. * created by {@link SecurityRealm#createFilter(FilterConfig)}.
  46. *
  47. * @author Kohsuke Kawaguchi
  48. * @since 1.160
  49. */
  50. public class HudsonFilter implements Filter {
  51. /**
  52. * The SecurityRealm specific filter.
  53. */
  54. private volatile Filter filter;
  55. /**
  56. * The {@link #init(FilterConfig)} may be called before the Hudson instance is up (which is
  57. * required for initialization of the filter). So we store the
  58. * filterConfig for later lazy-initialization of the filter.
  59. */
  60. private FilterConfig filterConfig;
  61. /**
  62. * {@link AuthenticationManager} proxy so that the acegi filter chain can stay the same
  63. * even when security setting is reconfigured.
  64. *
  65. * @deprecated in 1.271.
  66. * This proxy always delegate to {@code Hudson.getInstance().getSecurityRealm().getSecurityComponents().manager},
  67. * so use that instead.
  68. */
  69. public static final AuthenticationManagerProxy AUTHENTICATION_MANAGER = new AuthenticationManagerProxy();
  70. /**
  71. * {@link UserDetailsService} proxy so that the acegi filter chain can stay the same
  72. * even when security setting is reconfigured.
  73. *
  74. * @deprecated in 1.271.
  75. * This proxy always delegate to {@code Hudson.getInstance().getSecurityRealm().getSecurityComponents().userDetails},
  76. * so use that instead.
  77. */
  78. public static final UserDetailsServiceProxy USER_DETAILS_SERVICE_PROXY = new UserDetailsServiceProxy();
  79. /**
  80. * {@link RememberMeServices} proxy so that the acegi filter chain can stay the same
  81. * even when security setting is reconfigured.
  82. *
  83. * @deprecated in 1.271.
  84. * This proxy always delegate to {@code Hudson.getInstance().getSecurityRealm().getSecurityComponents().rememberMe},
  85. * so use that instead.
  86. */
  87. public static final RememberMeServicesProxy REMEMBER_ME_SERVICES_PROXY = new RememberMeServicesProxy();
  88. public void init(FilterConfig filterConfig) throws ServletException {
  89. this.filterConfig = filterConfig;
  90. // this is how we make us available to the rest of Hudson.
  91. filterConfig.getServletContext().setAttribute(HudsonFilter.class.getName(),this);
  92. try {
  93. Hudson hudson = Hudson.getInstance();
  94. if (hudson != null) {
  95. // looks like we are initialized after Hudson came into being. initialize it now. See #3069
  96. LOGGER.fine("Security wasn't initialized; Initializing it...");
  97. SecurityRealm securityRealm = hudson.getSecurityRealm();
  98. reset(securityRealm);
  99. LOGGER.fine("securityRealm is " + securityRealm);
  100. LOGGER.fine("Security initialized");
  101. }
  102. } catch (ExceptionInInitializerError e) {
  103. // see HUDSON-4592. In some containers this happens before
  104. // WebAppMain.contextInitialized kicks in, which makes
  105. // the whole thing fail hard before a nicer error check
  106. // in WebAppMain.contextInitialized. So for now,
  107. // just report it here, and let the WebAppMain handle the failure gracefully.
  108. LOGGER.log(SEVERE, "Failed to initialize Hudson",e);
  109. }
  110. }
  111. /**
  112. * Gets the {@link HudsonFilter} created for the given {@link ServletContext}.
  113. */
  114. public static HudsonFilter get(ServletContext context) {
  115. return (HudsonFilter)context.getAttribute(HudsonFilter.class.getName());
  116. }
  117. /**
  118. * Reset the proxies and filter for a change in {@link SecurityRealm}.
  119. */
  120. public void reset(SecurityRealm securityRealm) throws ServletException {
  121. if (securityRealm != null) {
  122. SecurityRealm.SecurityComponents sc = securityRealm.getSecurityComponents();
  123. AUTHENTICATION_MANAGER.setDelegate(sc.manager);
  124. USER_DETAILS_SERVICE_PROXY.setDelegate(sc.userDetails);
  125. REMEMBER_ME_SERVICES_PROXY.setDelegate(sc.rememberMe);
  126. // make sure this.filter is always a valid filter.
  127. Filter oldf = this.filter;
  128. Filter newf = securityRealm.createFilter(this.filterConfig);
  129. newf.init(this.filterConfig);
  130. this.filter = newf;
  131. if(oldf!=null)
  132. oldf.destroy();
  133. } else {
  134. // no security related filter needed.
  135. AUTHENTICATION_MANAGER.setDelegate(null);
  136. USER_DETAILS_SERVICE_PROXY.setDelegate(null);
  137. REMEMBER_ME_SERVICES_PROXY.setDelegate(null);
  138. filter = null;
  139. }
  140. }
  141. public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
  142. LOGGER.entering(HudsonFilter.class.getName(), "doFilter");
  143. // to deal with concurrency, we need to capture the object.
  144. Filter f = filter;
  145. if(f==null) {
  146. // Hudson is starting up.
  147. chain.doFilter(request,response);
  148. } else {
  149. f.doFilter(request,response,chain);
  150. }
  151. }
  152. public void destroy() {
  153. // the filter can be null if the filter is not initialized yet.
  154. if(filter != null)
  155. filter.destroy();
  156. }
  157. private static final Logger LOGGER = Logger.getLogger(HudsonFilter.class.getName());
  158. }