[JEP-227] Replace Acegi Security with Spring Security & upgrade Spring Framework #4848
Conversation
This comment has been minimized.
This comment has been minimized.
res0nance
added
the
work-in-progress
| @@ -578,7 +578,7 @@ public Object get() { | |||
| // so that we invoke them before derived class one. This isn't specified in JSR-250 but implemented | |||
| // this way in Spring and what most developers would expect to happen. | |||
|
|
|||
| final Set<Class> interfaces = ClassUtils.getAllInterfacesAsSet(instance); | |||
| final Set<Class<?>> interfaces = ClassUtils.getAllInterfacesAsSet(instance); | |||
There was a problem hiding this comment.
Just a signature change in Spring.
| // we just authenticate anonymous users as such, | ||
| // so that later authorization can reject them if so configured | ||
| AnonymousAuthenticationProvider aap = new AnonymousAuthenticationProvider("anonymous"); | ||
| AuthenticationManager authenticationManager = new ProviderManager(authenticator, rmap, aap); |
There was a problem hiding this comment.
Just translating the Groovy into equivalent Java.
core/src/main/java/hudson/security/HttpSessionContextIntegrationFilter2.java
Show resolved
Hide resolved
| import org.springframework.security.core.Authentication; | ||
| import org.springframework.security.core.userdetails.UserDetails; | ||
|
|
||
| public class PrincipalSid implements Sid { |
There was a problem hiding this comment.
Reimplementing these from scratch. Only used from SidAcl.
There was a problem hiding this comment.
and cloudbees/bluesteel -> TeamSecurity.java (which is not using SidACL in that class but underlying more it it is). (not sure you saw that or not)
There was a problem hiding this comment.
Ought to be compatible AFAICT.
| * | ||
| * @author Kohsuke Kawaguchi | ||
| */ | ||
| public class BindAuthenticator2 extends BindAuthenticator { |
There was a problem hiding this comment.
Seems to have been unused, and I do not want to depend on Spring Security modules for LDAP here; belongs in the ldap plugin only.
There was a problem hiding this comment.
Correction: was used by the ldap plugin, and should have been there all along (see 9b4cd99 & 32cba8f). Correcting in jenkinsci/ldap-plugin@a5267e6.
| * @deprecated TODO replacement | ||
| */ | ||
| @Deprecated | ||
| public interface UserDetailsService extends org.springframework.security.core.userdetails.UserDetailsService {} |
There was a problem hiding this comment.
Might just get deleted, TBD.
…k me a while to find that HttpSessionContextIntegrationFilter is now SecurityContextPersistenceFilter
|
I'll do one last review today, @timja. |
| LOGGER.log(Level.FINE, "Login attempt failed", failed); | ||
| /* TODO this information appears to have been deliberately removed from Spring Security: | ||
| Authentication auth = failed.getAuthentication(); | ||
| if (auth != null) { | ||
| SecurityListener.fireFailedToLogIn(auth.getName()); |
There was a problem hiding this comment.
I'd kind of like to get more data exposed in audit-log-plugin, though that doesn't appear to listen for this event yet. It is listening for login and logout events, though, so it would make sense to support.
| } | ||
| }; | ||
|
|
||
| // TODO can we instead use BCryptPasswordEncoder from Spring Security, which has its own copy of BCrypt so we could drop the special library? |
There was a problem hiding this comment.
I think so. BouncyCastle provides BCrypt, too, so it's not like a separate library was needed in the first place.
There was a problem hiding this comment.
We cannot use BouncyCastle from core, though.
There was a problem hiding this comment.
I suppose it shouldn't matter for this case, then, since Spring Security already includes a BCrypt implementation in its own dependencies like you mentioned in the comment here. Does this limitation include for remoting? That'd be annoying if the only way to support TLS 1.3 connections there is to use Java 11 or customizing your classpath manually.
There was a problem hiding this comment.
Not sure what you are talking about. BouncyCastle is bundled only in a wrapper plugin for use by other plugins.
There was a problem hiding this comment.
BouncyCastle has JSSE glue to support TLS 1.3 in older JDKs than 11. Classes like SSLContext call into that which is the usual class for handling TLS code in Java.
There was a problem hiding this comment.
Sorry, do not know anything about it. Off topic I suppose. The point here is that for now I kept the existing behavior of using our own bundled jBCrypt, but now that Spring Security also bundles their own copy, we could consider switching to that and dropping our dep. I did not attempt to do so here because the format uses by BCryptPasswordEncoder does not match that of existing saved passwords in Jenkins, so we would need to do more work.
| import java.util.logging.Logger; | ||
| import org.acegisecurity.acls.sid.GrantedAuthoritySid; | ||
| import org.acegisecurity.acls.sid.PrincipalSid; | ||
| import org.acegisecurity.acls.sid.Sid; |
There was a problem hiding this comment.
Should spring-security-acl be blocked as a dependency then?
| @@ -69,6 +69,7 @@ for(j = 0; j < jdks.size(); j++) { | |||
| allowEmptyArchive: true, // in case we forgot to reincrementalify | |||
| fingerprint: true | |||
| } | |||
| publishHTML([allowMissing: true, alwaysLinkToLastBuild: false, includes: 'japicmp.html', keepAll: false, reportDir: 'core/target/japicmp', reportFiles: 'japicmp.html', reportName: 'API compatibility', reportTitles: 'japicmp report']) | |||
There was a problem hiding this comment.
Do we want to merge this in?
| <plugin> | ||
| <groupId>com.github.siom79.japicmp</groupId> | ||
| <artifactId>japicmp-maven-plugin</artifactId> | ||
| <version>0.14.4-20200728.214757-1</version> <!-- TODO https://github.com/siom79/japicmp/pull/266 --> |
There was a problem hiding this comment.
Similarly doesn't look like something we want to merge in.
There was a problem hiding this comment.
I think it is OK because this is only used in a profile we active in CI, so if my PR never gets picked up we can either drop this profile, or use the last mojo release which will work for most purposes (just not complex library replacements like is done here).
Happy to remove it if you are uneasy.
There was a problem hiding this comment.
I'm fine with leaving it. I actually ran the profile and examined the results. If Daniel is concerned, though, I readily accept the removal.
…ns#4944 to be as well, to be released 2020-11-10
|
|
||
| public static void setProtectedFieldValue(String protectedField, Object object, Object newValue) { | ||
| try { | ||
| org.apache.commons.lang.reflect.FieldUtils.writeField(object, protectedField, newValue, true); |
| @@ -67,7 +67,6 @@ | |||
| import jenkins.util.io.OnMaster; | |||
| import net.sf.json.JSONObject; | |||
|
|
|||
| import org.acegisecurity.Authentication; | |||
There was a problem hiding this comment.
noting regression https://issues.jenkins-ci.org/browse/JENKINS-64746 addressed in #5216
|
@jglick / @jvz looks like the credentials API needs updating? https://github.com/jenkinsci/credentials-plugin/blob/3a603dec20412ccce754d9cbbd835d890ca06ee5/src/main/java/com/cloudbees/plugins/credentials/CredentialsProvider.java#L517 It takes the acegi security |
|
It could be updated, sure. |
This is the implementation of jenkinsci/jenkins#4848 for Credentials API. This will allow consumers of the credentials API to remove references to deprecated acegi APIs.
This is the implementation of jenkinsci/jenkins#4848 for Credentials API. This will allow consumers of the credentials API to remove references to deprecated acegi APIs.
This is the implementation of jenkinsci/jenkins#4848 for Credentials API. This will allow consumers of the credentials API to remove references to deprecated acegi APIs.
…APIs (#490) * [JEP-227] Replace Acegi Security with Spring Security APIs This is the implementation of jenkinsci/jenkins#4848 for Credentials API. This will allow consumers of the credentials API to remove references to deprecated acegi APIs. * Fix spotbugs issues * Fix reviews * Rename methods appropriately * Fixup some javadocs. * Remove unused method. * Forgot to remove usages. * Remove CredentialsProvider#getCredentials2(Class, ItemGroup, Authentication) in favor of CredentialsProvider#getCredentials2(Class, ItemGroup, Authentication, List) * Fix a few null checks while we are here. * Restore a method I deleted by mistake. * Add tests for new signatures * Rename *2 methods to *InItem/*InItemGroup to avoid ambiguous signatures * Update docs
JEP-227
Proposed changelog entries
Proposed upgrade guidelines
https://www.jenkins.io/blog/2020/11/10/spring-xstream/
See the compatibility table.
Desired reviewers
@jenkinsci/core
Maintainer checklist
Before the changes are marked as
ready-for-merge:Proposed changelog entriesare correctupgrade-guide-neededlabel is set and there is aProposed upgrade guidelinessection in the PR title. (example)lts-candidateto be considered (see query).