From fddcb63fe6dadb9c58cf05a0f799d0a9122493ba Mon Sep 17 00:00:00 2001
From: kohsuke
Date: Thu, 26 Feb 2009 03:21:23 +0000
Subject: [PATCH] LDAP authentication realm didn't support the built-in "authenticated" role. (report)

git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@15774 71c3de6d-444a-0410-be80-ed276b4c234a
Originally-Committed-As: e3d1a7c5ff2d4081d826d9432af6f597c5f58409
---
 .../java/hudson/security/LDAPSecurityRealm.java | 17 +++++++++++++++++
 .../security/LDAPBindSecurityRealm.groovy | 6 ++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/core/src/main/java/hudson/security/LDAPSecurityRealm.java b/core/src/main/java/hudson/security/LDAPSecurityRealm.java
index 1ebdd42..f89820c 100644
--- a/core/src/main/java/hudson/security/LDAPSecurityRealm.java
+++ b/core/src/main/java/hudson/security/LDAPSecurityRealm.java
@@ -36,6 +36,7 @@ import hudson.util.Scrambler;
 import hudson.util.spring.BeanBuilder;
 import org.acegisecurity.AuthenticationManager;
 import org.acegisecurity.GrantedAuthority;
+import org.acegisecurity.GrantedAuthorityImpl;
 import org.acegisecurity.userdetails.UserDetailsService;
 import org.acegisecurity.userdetails.UserDetails;
 import org.acegisecurity.userdetails.UsernameNotFoundException;
@@ -47,6 +48,7 @@ import org.acegisecurity.ldap.LdapDataAccessException;
 import org.acegisecurity.ldap.InitialDirContextFactory;
 import org.acegisecurity.ldap.LdapTemplate;
 import org.acegisecurity.providers.ldap.LdapAuthoritiesPopulator;
+import org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;
@@ -66,6 +68,7 @@ import java.net.Socket;
 import java.net.UnknownHostException;
 import java.util.Hashtable;
 import java.util.Set;
+import java.util.Collections;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.regex.Matcher;
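Review bot: `org.acegisecurity.GrantedAuthorityImpl` is added in the first hunk, but nothing introduced by this patch references it — the new populator returns the pre-existing `AUTHENTICATED_AUTHORITY` constant rather than constructing an authority — so unless an unseen part of the file uses it, the import is dead and should be removed. The `DefaultLdapAuthoritiesPopulator` and `Collections` imports in the other two hunks are both consumed by the new nested class. As a point of style, the third hunk inserts `import java.util.Collections;` after `java.util.Set`, breaking the alphabetical order the surrounding lines keep; it belongs before `import java.util.Hashtable;`.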
@@ -407,6 +410,20 @@ public class LDAPSecurityRealm extends SecurityRealm {
 }
 }
 
+ /**
+ * {@link LdapAuthoritiesPopulator} that adds the automatic 'authenticated' role.
+ */
+ public static final class AuthoritiesPopulatorImpl extends DefaultLdapAuthoritiesPopulator {
+ public AuthoritiesPopulatorImpl(InitialDirContextFactory initialDirContextFactory, String groupSearchBase) {
+ super(initialDirContextFactory, groupSearchBase);
+ }
+
+ @Override
+ protected Set getAdditionalRoles(LdapUserDetails ldapUser) {
+ return Collections.singleton(AUTHENTICATED_AUTHORITY);
+ }
+ }
+
 @Extension
 public static final class DescriptorImpl extends Descriptor {
 public String getDisplayName() {
diff --git a/war/resources/WEB-INF/security/LDAPBindSecurityRealm.groovy b/war/resources/WEB-INF/security/LDAPBindSecurityRealm.groovy
index 4be7478..9cdefc3 100644
--- a/war/resources/WEB-INF/security/LDAPBindSecurityRealm.groovy
+++ b/war/resources/WEB-INF/security/LDAPBindSecurityRealm.groovy
@@ -29,8 +29,9 @@ import org.acegisecurity.ldap.DefaultInitialDirContextFactory
 import org.acegisecurity.ldap.search.FilterBasedLdapUserSearch
 import org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider
 import hudson.model.Hudson
-import org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator
+import hudson.security.LDAPSecurityRealm.AuthoritiesPopulatorImpl
 import hudson.Util
+import javax.naming.Context
 
 /*
 Configure LDAP as the authentication realm.
@@ -44,6 +45,7 @@ initialDirContextFactory(DefaultInitialDirContextFactory, instance.getLDAPURL()
 managerDn = instance.managerDN;
 managerPassword = instance.getManagerPassword();
 }
+ extraEnvVars = [(Context.REFERRAL):"follow"];
 }
 ldapUserSearch(FilterBasedLdapUserSearch, instance.userSearchBase, instance.userSearch, initialDirContextFactory) {
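Review bot: The Javadoc on `AuthoritiesPopulatorImpl` names the role it adds but not the contract that matters for authorization: `getAdditionalRoles` returns `AUTHENTICATED_AUTHORITY` without inspecting `ldapUser`, so every account whose LDAP bind succeeds receives it regardless of what the group search under `groupSearchBase` yields, and any permission granted to "authenticated" is therefore granted to the whole population the user search can reach. Suggest extending the class comment with `* Every user who authenticates through this realm is given AUTHENTICATED_AUTHORITY in addition to the roles derived from LDAP group membership; this is what lets the authorization matrix target "authenticated" without a corresponding LDAP group.` and adding `// unconditional: the user is deliberately not inspected` above the return. The raw `Set` return type appears to mirror the pre-generics Acegi declaration of `getAdditionalRoles`, so it should not be "fixed" to `Set<GrantedAuthority>`; a short comment saying so would stop that from being re-raised, and the immutable `Collections.singleton` result is presumably safe only because the base class copies extra roles into its own set rather than mutating the returned one — worth confirming against the Acegi version in use. `LdapUserDetails` is referenced but no import for it appears in this patch, so it is presumably already imported elsewhere in the file; the enclosing `LDAPSecurityRealm` class starts and ends outside the hunk.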
@@ -59,7 +61,7 @@ bindAuthenticator(BindAuthenticator2,initialDirContextFactory) {
 userSearch = ldapUserSearch;
 }
 
-authoritiesPopulator(DefaultLdapAuthoritiesPopulator, initialDirContextFactory, Util.fixNull(instance.groupSearchBase)) {
+authoritiesPopulator(AuthoritiesPopulatorImpl, initialDirContextFactory, Util.fixNull(instance.groupSearchBase)) {
 // see DefaultLdapAuthoritiesPopulator for other possible configurations
 searchSubtree = true;
 }
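Review bot: The inline comment `// see DefaultLdapAuthoritiesPopulator for other possible configurations` now sits inside a bean whose class is `AuthoritiesPopulatorImpl`, and the import of `DefaultLdapAuthoritiesPopulator` is removed in this file's first hunk, so a reader has to guess how the two relate; suggest `// AuthoritiesPopulatorImpl extends DefaultLdapAuthoritiesPopulator and adds the built-in 'authenticated' role; see the base class for other possible configurations`. It would also help to note in that comment that `Util.fixNull(instance.groupSearchBase)` presumably turns an unset group search base into an empty string, so with `searchSubtree = true` the group search scope is whatever the populator does with an empty base rather than "no group search" — pre-existing behaviour that the new subclass inherits unchanged.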