[FIXED JENKINS-7995] pull up another member, and supported user retri…

…eval in the Unix provider so long as bind name/DN is set.
jenkinsci · Nov 4, 2011 · e8de315 · e8de315
1 parent 4aa2ca8
commit e8de315
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 17 deletions.
diff --git a/...n/java/hudson/plugins/active_directory/AbstractActiveDirectoryAuthenticationProvider.java b/...n/java/hudson/plugins/active_directory/AbstractActiveDirectoryAuthenticationProvider.java
@@ -5,13 +5,19 @@
 import org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider;
 import org.acegisecurity.userdetails.UserDetails;
 import org.acegisecurity.userdetails.UserDetailsService;
+import org.acegisecurity.userdetails.UsernameNotFoundException;
+import org.springframework.dao.DataAccessException;
 
 /**
  * @author Kohsuke Kawaguchi
  */
 public abstract class AbstractActiveDirectoryAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider implements UserDetailsService, GroupDetailsService {
     protected abstract UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException;
 
+    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
+        return retrieveUser(username,null);
+    }
+
     protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
         // active directory authentication is not by comparing clear text password,
         // so there's nothing to do here.

diff --git a/src/main/java/hudson/plugins/active_directory/ActiveDirectoryAuthenticationProvider.java b/src/main/java/hudson/plugins/active_directory/ActiveDirectoryAuthenticationProvider.java
@@ -57,10 +57,6 @@ public ActiveDirectoryAuthenticationProvider() {
         con.open("Active Directory Provider",""/*default*/,""/*default*/,-1/*default*/);
     }
 
-    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
-        return retrieveUser(username,null);
-    }
-
     protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
         String password = null;
         if(authentication!=null)

diff --git a/src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java b/src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
@@ -60,16 +60,6 @@ public ActiveDirectoryUnixAuthenticationProvider(ActiveDirectorySecurityRealm re
         this.descriptor = realm.getDescriptor();
     }
 
-    /**
-     * We'd like to implement {@link UserDetailsService} ideally, but in short
-     * of keeping the manager user/password, we can't do so. In Active Directory
-     * authentication, we should support SPNEGO/Kerberos and that should
-     * eliminate the need for the "remember me" service.
-     */
-    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
-        throw new UsernameNotFoundException("Active-directory plugin doesn't support user retrieval");
-    }
-
     protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
         UserDetails userDetails = null;
         for (String domainName : domainNames) {
@@ -95,7 +85,7 @@ private UserDetails retrieveUser(String username, UsernamePasswordAuthentication
         ClassLoader ccl = Thread.currentThread().getContextClassLoader();
         Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
         try {
-            String password = null;
+            String password = NO_AUTHENTICATION;
             if (authentication!=null)
                 password = (String) authentication.getCredentials();
 
@@ -132,6 +122,8 @@ public UserDetails retrieveUser(String username, String password, String domainN
                 throw new AuthenticationServiceException("Failed to bind to LDAP server with the bind name/password", e);
             }
         } else {
+            if (password==NO_AUTHENTICATION)    throw new AuthenticationServiceException("Unable to retrieve the user information without bind DN/password configured");
+
             String principalName = getPrincipalName(username, domainName);
             id = principalName.substring(0, principalName.indexOf('@'));
             context = descriptor.bind(principalName, password, ldapServers, preferredServer);
@@ -157,9 +149,9 @@ public UserDetails retrieveUser(String username, String password, String domainN
             if (dn==null)
                 throw new BadCredentialsException("No distinguished name for "+username);
 
-            if (bindName!=null) {
+            if (bindName!=null && password!=NO_AUTHENTICATION) {
                 // if we've used the credential specifically for the bind, we
-                // need to verify the provided password.
+                // need to verify the provided password to do authentication
                 LOGGER.fine("Attempting to validate password for DN="+dn);
                 DirContext test = descriptor.bind(dn.toString(), password, ldapServers, preferredServer);
                 // Binding alone is not enough to test the credential. Need to actually perform some query operation.
@@ -267,6 +259,12 @@ private static String toDC(String domainName) {
 
     private static final Logger LOGGER = Logger.getLogger(ActiveDirectoryUnixAuthenticationProvider.class.getName());
 
+    /**
+     * We use this as the password value if we are calling retrieveUser to retrieve the user information
+     * without authentication.
+     */
+    private static final String NO_AUTHENTICATION = "\u0000\u0000\u0000\u0000\u0000\u0000";
+
     public GroupDetails loadGroupByGroupname(String groupname) {
         throw new UserMayOrMayNotExistException(groupname);
     }