Fix for bug JENKINS-11507 "Single-sign-on isn't working correctly in the

Crowd 2 plugin"
jenkinsci · Oct 27, 2011 · 23aa97e · 23aa97e
1 parent f1ed1d3
commit 23aa97e
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 37 deletions.
diff --git a/src/main/java/de/theit/jenkins/crowd/CrowdSecurityRealm.java b/src/main/java/de/theit/jenkins/crowd/CrowdSecurityRealm.java
@@ -176,7 +176,7 @@ private void initializeConfiguration() {
 			props.setProperty("crowd.base.url", crowdUrl);
 			props.setProperty("application.login.url", crowdUrl + "console/");
 			props.setProperty("crowd.server.url", this.url + "services/");
-			props.setProperty("session.validationinterval", "5");
+			props.setProperty("session.validationinterval", "0");
 		} else {
 			LOG.warning("Client properties are incomplete");
 		}

diff --git a/src/main/java/de/theit/jenkins/crowd/CrowdServletFilter.java b/src/main/java/de/theit/jenkins/crowd/CrowdServletFilter.java
@@ -128,59 +128,67 @@ public void init(FilterConfig filterConfig) throws ServletException {
 	@Override
 	public void doFilter(ServletRequest request, ServletResponse response,
 			FilterChain chain) throws IOException, ServletException {
-		// check whether the SSO session is valid
-
 		if (request instanceof HttpServletRequest
 				&& response instanceof HttpServletResponse) {
 			HttpServletRequest req = (HttpServletRequest) request;
 			HttpServletResponse res = (HttpServletResponse) response;
 
-			// if the user is logged in, check whether the session is still
-			// valid
+			// check if we have a token
+			// if it is not present, we are not / no longer authenticated
+			boolean isValidated = false;
 			try {
-				SecurityContext sc = SecurityContextHolder.getContext();
-				boolean isValidated = this.configuration.crowdHttpAuthenticator
+				isValidated = this.configuration.crowdHttpAuthenticator
 						.isAuthenticated(req, res);
-				if (!isValidated) {
-					if (sc.getAuthentication() instanceof CrowdAuthenticationToken) {
-						LOG.fine("User is logged in via Crowd, but SSO session is not valid (anymore)...");
-						// close the SSO session
-						if (null != this.rememberMe) {
-							LOG.fine("=> logout user");
-							this.rememberMe.logout(req, res);
-						}
+			} catch (OperationFailedException ex) {
+				LOG.log(Level.SEVERE, operationFailed(), ex);
+			}
 
-						// invalidate the current session
-						// (see SecurityRealm#doLogout())
-						HttpSession session = req.getSession(false);
-						if (session != null) {
-							session.invalidate();
-						}
-						SecurityContextHolder.clearContext();
-
-						// reset remember-me cookie
-						Cookie cookie = new Cookie(
-								ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY,
-								"");
-						cookie.setPath(req.getContextPath().length() > 0 ? req
-								.getContextPath() : "/");
-						res.addCookie(cookie);
-					}
-				} else if (!(sc.getAuthentication() instanceof CrowdAuthenticationToken)) {
-					// user not logged in via Crowd
+			if (!isValidated) {
+				if (LOG.isLoggable(Level.FINE)) {
+					LOG.fine("User is not logged in (anymore) via Crowd => logout user");
+				}
+				SecurityContext sc = SecurityContextHolder.getContext();
+				sc.setAuthentication(null);
+				// close the SSO session
+				if (null != this.rememberMe) {
+					this.rememberMe.logout(req, res);
+				}
+
+				// invalidate the current session
+				// (see SecurityRealm#doLogout())
+				HttpSession session = req.getSession(false);
+				if (session != null) {
+					session.invalidate();
+				}
+				SecurityContextHolder.clearContext();
+
+				// reset remember-me cookie
+				Cookie cookie = new Cookie(
+						ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY, "");
+				cookie.setPath(req.getContextPath().length() > 0 ? req
+						.getContextPath() : "/");
+				res.addCookie(cookie);
+			} else {
+				SecurityContext sc = SecurityContextHolder.getContext();
+
+				if (!(sc.getAuthentication() instanceof CrowdAuthenticationToken)) {
+					// user logged in via Crowd, but no Crowd-specific
+					// authentication token available
 					// => try to auto-login the user
 					if (null != this.rememberMe) {
-						LOG.fine("User is logged in via Crowd, but not in Jenkins; trying auto-login...");
+						if (LOG.isLoggable(Level.FINE)) {
+							LOG.fine("User is logged in via Crowd, but no authentication token available; trying auto-login...");
+						}
 						Authentication auth = this.rememberMe.autoLogin(req,
 								res);
 						if (null != auth) {
-							LOG.fine("User sucessfully logged in");
+							if (LOG.isLoggable(Level.FINE)) {
+								LOG.fine("User sucessfully logged in");
+							}
 							sc.setAuthentication(auth);
 						}
 					}
 				}
-			} catch (OperationFailedException ex) {
-				LOG.log(Level.SEVERE, operationFailed(), ex);
 			}
 		}