To avoid Java serialization issues, HudsonPrivateSecurityRealm.Detail…

…s no longer implements UserDetails
jglick · Aug 5, 2020 · a67b028 · a67b028
1 parent 1ebb6a5
commit a67b028
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 6 deletions.
diff --git a/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java b/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
@@ -185,7 +185,12 @@ public GroupDetails loadGroupByGroupname2(String groupname, boolean fetchMembers
     }
 
     @Override
-    public Details loadUserByUsername2(String username) throws UsernameNotFoundException {
+    public UserDetails loadUserByUsername2(String username) throws UsernameNotFoundException {
+        return load(username).asUserDetails();
+    }
+
+    @Restricted(NoExternalUse.class)
+    public Details load(String username) throws UsernameNotFoundException {
         User u = User.getById(username, false);
         Details p = u!=null ? u.getProperty(Details.class) : null;
         if(p==null)
@@ -196,12 +201,12 @@ public Details loadUserByUsername2(String username) throws UsernameNotFoundExcep
     }
 
     @Override
-    protected Details authenticate2(String username, String password) throws AuthenticationException {
-        Details u = loadUserByUsername2(username);
+    protected UserDetails authenticate2(String username, String password) throws AuthenticationException {
+        Details u = load(username);
         if (!u.isPasswordCorrect(password)) {
             throw new BadCredentialsException("Bad credentials");
         }
-        return u;
+        return u.asUserDetails();
     }
 
     /**
@@ -610,7 +615,7 @@ public SignupInfo(FederatedIdentity i) {
      * is sent to the hidden input field by using {@link Protector}, so that
      * the same password can be retained but without leaking information to the browser.
      */
-    public static final class Details extends UserProperty implements UserDetails {
+    public static final class Details extends UserProperty {
         /**
          * Hashed password.
          */
@@ -678,6 +683,59 @@ public boolean isEnabled() {
             return true;
         }
 
+        UserDetails asUserDetails() {
+            return new UserDetailsImpl();
+        }
+
+        private final class UserDetailsImpl implements UserDetails {
+
+            @Override
+            public Collection<? extends GrantedAuthority> getAuthorities() {
+                return Details.this.getAuthorities();
+            }
+
+            @Override
+            public String getPassword() {
+                return Details.this.getPassword();
+            }
+
+            @Override
+            public String getUsername() {
+                return Details.this.getUsername();
+            }
+
+            @Override
+            public boolean isAccountNonExpired() {
+                return Details.this.isAccountNonExpired();
+            }
+
+            @Override
+            public boolean isAccountNonLocked() {
+                return Details.this.isAccountNonLocked();
+            }
+
+            @Override
+            public boolean isCredentialsNonExpired() {
+                return Details.this.isCredentialsNonExpired();
+            }
+
+            @Override
+            public boolean isEnabled() {
+                return Details.this.isEnabled();
+            }
+
+            @Override
+            public boolean equals(Object o) {
+                return o instanceof UserDetailsImpl && ((UserDetailsImpl) o).getUsername().equals(getUsername());
+            }
+
+            @Override
+            public int hashCode() {
+                return getUsername().hashCode();
+            }
+
+        }
+
         public static class ConverterImpl extends XStream2.PassthruConverter<Details> {
             public ConverterImpl(XStream2 xstream) { super(xstream); }
             @Override protected void callback(Details d, UnmarshallingContext context) {

diff --git a/core/src/main/java/jenkins/install/SetupWizard.java b/core/src/main/java/jenkins/install/SetupWizard.java
@@ -225,7 +225,7 @@ public boolean isUsingSecurityToken() {
             HudsonPrivateSecurityRealm securityRealm = (HudsonPrivateSecurityRealm)j.getSecurityRealm();
             try {
                 if(securityRealm.getAllUsers().size() == 1) {
-                    HudsonPrivateSecurityRealm.Details details = securityRealm.loadUserByUsername2(SetupWizard.initialSetupAdminUserName);
+                    HudsonPrivateSecurityRealm.Details details = securityRealm.load(SetupWizard.initialSetupAdminUserName);
                     FilePath iapf = getInitialAdminPasswordFile();
                     if (iapf.exists()) {
                         if (details.isPasswordCorrect(iapf.readToString().trim())) {