I have a question here for the Jenkins Core developers who have been involved in migrating from Acegi Security to Spring Security:
As Spring Security publishes all the authentication events as subclasses of the AbstractAuthenticationEvent <https://github.com/spring-projects/spring-security/blob/5.6.2/core/src/main/java/org/springframework/security/authentication/event/AbstractAuthenticationEvent.java> through the Spring ApplicationEventPublisher <https://github.com/spring-projects/spring-framework/blob/v5.3.18/spring-context/src/main/java/org/springframework/context/ApplicationEventPublisher.java>, *did we consider making the Jenkins SecurityListener <https://javadoc.jenkins.io/jenkins/security/SecurityListener.html> an adapter of the Spring ApplicationEventPublisher <https://github.com/spring-projects/spring-framework/blob/v5.3.18/spring-context/src/main/java/org/springframework/context/ApplicationEventPublisher.java> rather than hooking "SecurityListener.fireXxx" in different places of Jenkins, with the risk of missing some of the events?*

Cyrille

On Wednesday, April 13, 2022 at 10:55:32 AM UTC+2 Cyrille Le Clerc wrote:
> Dear jenkins-dev community,
>
> Is there anyone interested in helping me solve this gap in Jenkins APIs to enable better security on the Software Supply Chain process?
>
> Cyrille
>
> On Monday, March 21, 2022 at 5:16:27 PM UTC+1 Cyrille Le Clerc wrote:
>
>> Dear all,
>>
>> The Jenkins OpenTelemetry Plugin is now sending Jenkins authentication audit logs to external observability backends with the goal of routing these logs to SIEM solutions that will be able to detect abnormal behaviours (see documentation here <https://github.com/jenkinsci/opentelemetry-plugin/blob/master/docs/security.md#jenkins-security-logs>).
>>
>> To implement this authentication audit trail, we implemented a Jenkins SecurityListener <https://javadoc.jenkins.io/jenkins/security/SecurityListener.html> (source code here: AuditingSecurityListener.java#L120 <https://github.com/jenkinsci/opentelemetry-plugin/blob/d978ac10c2ac01ef1ef93071aa160995ff5c4882/src/main/java/io/jenkins/plugins/opentelemetry/security/AuditingSecurityListener.java#L120>), but the SecurityListener#failedLogin(username) doesn't provide any mechanism to retrieve the remoteIpAddr (Stapler#getCurrentRequest() returns null).
>>
>> I looked at the code of other Jenkins plugins such as the Jenkins AuditTrail Plugin <https://plugins.jenkins.io/audit-trail/> and couldn't find a solution.
>>
>> *Is there a way in Jenkins plugins to listen to failed logins and to retrieve the remoteIpAddr? If not, did the community consider adding this capability, as it's commonly used by security tools to detect anomalous ?*
>>
>> Cyrille
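The adapter idea raised in the thread, as an added illustration that is not code from Jenkins core or the OpenTelemetry plugin: a plain Spring `ApplicationListener` that receives every `AbstractAuthenticationEvent` and reads the client address from the `WebAuthenticationDetails` carried inside the `Authentication`, so the remote IP is available without a current Stapler request. The `AuditRecord` type and the `Consumer` sink are this example's own inventions, and the two-argument `WebAuthenticationDetails` constructor used in `main` assumes Spring Security 5.4 or later.

```java
import java.util.function.Consumer;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

/** Adapter: one Spring Security authentication event in, one audit record out. */
public class AuthenticationAuditAdapter implements ApplicationListener<AbstractAuthenticationEvent> {

    /** Hypothetical audit record for this example; not a Jenkins or plugin type. */
    public record AuditRecord(String username, boolean success, String remoteAddress, String failureReason) {}

    private final Consumer<AuditRecord> sink;

    public AuthenticationAuditAdapter(Consumer<AuditRecord> sink) {
        this.sink = sink;
    }

    @Override
    public void onApplicationEvent(AbstractAuthenticationEvent event) {
        sink.accept(toRecord(event));
    }

    /** Builds the record from the event alone: no dependency on a request-bound thread. */
    static AuditRecord toRecord(AbstractAuthenticationEvent event) {
        Authentication auth = event.getAuthentication();
        // Spring's web filters attach WebAuthenticationDetails (remote address, session id)
        // to the Authentication before the provider runs, so it survives into the event.
        String remote = auth.getDetails() instanceof WebAuthenticationDetails d
                ? d.getRemoteAddress() : "unknown";
        boolean failed = event instanceof AbstractAuthenticationFailureEvent;
        String reason = failed
                ? ((AbstractAuthenticationFailureEvent) event).getException().getClass().getSimpleName()
                : null;
        return new AuditRecord(String.valueOf(auth.getName()), !failed, remote, reason);
    }

    /** Stand-alone demonstration with a constructed failure event (no container needed). */
    public static void main(String[] args) {
        UsernamePasswordAuthenticationToken attempt =
                new UsernamePasswordAuthenticationToken("alice", "wrong-password");
        attempt.setDetails(new WebAuthenticationDetails("203.0.113.7", "session-1")); // constructed sample
        AbstractAuthenticationEvent failure = new AuthenticationFailureBadCredentialsEvent(
                attempt, new BadCredentialsException("bad credentials"));
        new AuthenticationAuditAdapter(System.out::println).onApplicationEvent(failure);
    }
}
```

Registering the adapter as a bean in the same context that publishes the events covers success, failure and logout events in one place; the record's `remoteAddress` is the field a SIEM rule for repeated failed logins from one source would key on.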
