Hi,

Thank you very much for your help Stephen. It's been really helpful. I 
looked at the plugin and this is how they capture the current user and 
authenticate him:

Cause.UserIdCause cause = getRootUserIdCause(item);
if (cause != null) {
  User u = User.get(cause.getUserId(), false, Collections.emptyMap());
  if (u == null) {
    return Jenkins.ANONYMOUS;
  }
  return u.impersonate();
}
return null;

Then it impersonates the user who started the build. That returns an 
org.acegisecurity.Authentication. It is progress.

It gives me the Jenkins user. But the problem is I don't think it is the Web 
container user, or that it is even related to it. (That would mean a Jenkins 
admin could impersonate any user from the Realm and contact any other 
application, which doesn't make any sense).

My next question is:

   - Do you think there is any way to get the Web Container user (Subject), 
   knowing that it looks like the thread doesn't get the authentication 
   (com.ibm.websphere.security.auth.WSSubject.getCallerSubject() returns null)?
   - Or do you think it is possible to convert the Jenkins Authentication 
   to a Web Container Subject? I did create a Subject from the Jenkins 
   Authentication (which is a Principal) but of course it didn't work since it 
   is not related to the Web Container authentication and I got access 
   forbidden. I doubt it because Jenkins can impersonate anyone, and maybe it 
   will work only for the current user...

I don't really know where to look next.

Thank you very much.


On Wednesday, May 27, 2015 at 09:25:02 UTC+2, Stephen Connolly wrote:
>
> You may want to look at the (very un-obviously named) Authorize Project 
> plugin.
>
> That lets projects build with the identity of the user that triggered the 
> build.
>
> It's not going to get you all you want, but should get you closer. You'll 
> probably need to write an authorization strategy to capture the JAAS 
> subject and store it as a UserProperty
>
> On Tuesday, May 26, 2015, Guillaume Delory <[email protected]> 
> wrote:
>
>> Hi everyone,
>>
>> I'm running Jenkins in WebSphere 8.5 to manage authentication. It works 
>> fine and I can get the JAAS Subject in the Script Console by doing:
>> println com.ibm.websphere.security.auth.WSSubject.getCallerSubject()
>>
>> I also wrote a plugin that adds a simple custom step (extending the 
>> Builder class). I would like to use this plugin to contact some application 
>> also running in WAS. To do this I need to get the caller Subject as I did 
>> in the console. However, the code above in the perform method returns null. 
>> I guess Jenkins runs the step in a different thread without pushing the 
>> JAAS Subject.
>>
>> Is there any way (by configuration or programmatically) to force Jenkins 
>> to push the Subject to the build step so I can use it? Or maybe a different 
>> way to get the caller Subject from the plugin?
>>
>> Thank you very much for your help.
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Jenkins Developers" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/jenkinsci-dev/b9be9c04-cb9a-4fdd-a7cc-903d88d78db9%40googlegroups.com
>>  
>> <https://groups.google.com/d/msgid/jenkinsci-dev/b9be9c04-cb9a-4fdd-a7cc-903d88d78db9%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
> -- 
> Sent from my phone
>
