Allows explicit login with auth.type = HTTP*
When auth.type = HTTP or HTTP_LDAP, allows the configuration of an explicit login URL in order to trigger the authentication process of the front-end SSO system. URL and link name are customizable using: * auth.loginUrl * auth.loginText Configuring a server with auth.loginUrl allows an unknown user not yet logged in to perform anonymous browsing of Gerrit, as allowed by other auth.type methods. Change-Id: I52aa7950fdf0ba23a55a7d4eb5f1f1e3f6be6b38
		 Luca Milanesio
					Luca Milanesio
				
			
				
					committed by
					
						 Shawn Pearce
						Shawn Pearce
					
				
			
			
				
	
			
			
			 Shawn Pearce
						Shawn Pearce
					
				
			
						parent
						
							da16183775
						
					
				
				
					commit
					5185b040d3
				
			| @@ -255,6 +255,26 @@ The "Sign In" link will send users directly to this URL. | |||||||
| HTTP header to trust the username from, or unset to select HTTP basic | HTTP header to trust the username from, or unset to select HTTP basic | ||||||
| or digest authentication.  Only used if `auth.type` is set to HTTP. | or digest authentication.  Only used if `auth.type` is set to HTTP. | ||||||
|  |  | ||||||
|  | [[auth.loginUrl]]auth.loginUrl:: | ||||||
|  | + | ||||||
|  | URL to redirect a browser to after the end-user has clicked on the | ||||||
|  | login link in the upper right corner. Only used if 'auth.type' was set | ||||||
|  | to HTTP or HTTP_LDAP. | ||||||
|  | Organizations using an enterprise single-sign-on solution may want to | ||||||
|  | redirect the browser to the SSO product's sign-in page for completing the | ||||||
|  | login process and validate their credentials. | ||||||
|  | + | ||||||
|  | If set, Gerrit allows to access anonymously until the end-user performs the login | ||||||
|  | and then provides a trusted identity through the HTTP header. | ||||||
|  | If not set, Gerrit requires the HTTP header with a trusted identity | ||||||
|  | otherwise returns the error page LoginRedirect.html. | ||||||
|  |  | ||||||
|  | [[auth.loginText]]auth.loginText:: | ||||||
|  | + | ||||||
|  | Text displayed in the loginUrl link. Only used if 'auth.loginUrl' was set. | ||||||
|  | + | ||||||
|  | If not set, the 'Sign In' text is used. | ||||||
|  |  | ||||||
| [[auth.logoutUrl]]auth.logoutUrl:: | [[auth.logoutUrl]]auth.logoutUrl:: | ||||||
| + | + | ||||||
| URL to redirect a browser to after the end-user has clicked on the | URL to redirect a browser to after the end-user has clicked on the | ||||||
|   | |||||||
| @@ -26,6 +26,8 @@ import java.util.Set; | |||||||
| public class GerritConfig implements Cloneable { | public class GerritConfig implements Cloneable { | ||||||
|   protected String registerUrl; |   protected String registerUrl; | ||||||
|   protected String registerText; |   protected String registerText; | ||||||
|  |   protected String loginUrl; | ||||||
|  |   protected String loginText; | ||||||
|   protected String httpPasswordUrl; |   protected String httpPasswordUrl; | ||||||
|   protected String reportBugUrl; |   protected String reportBugUrl; | ||||||
|  |  | ||||||
| @@ -48,6 +50,22 @@ public class GerritConfig implements Cloneable { | |||||||
|   protected int suggestFrom; |   protected int suggestFrom; | ||||||
|   protected int changeUpdateDelay; |   protected int changeUpdateDelay; | ||||||
|  |  | ||||||
|  |   public String getLoginUrl() { | ||||||
|  |     return loginUrl; | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   public void setLoginUrl(final String u) { | ||||||
|  |     loginUrl = u; | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   public String getLoginText() { | ||||||
|  |     return loginText; | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   public void setLoginText(String signinText) { | ||||||
|  |     this.loginText = signinText; | ||||||
|  |   } | ||||||
|  |  | ||||||
|   public String getRegisterUrl() { |   public String getRegisterUrl() { | ||||||
|     return registerUrl; |     return registerUrl; | ||||||
|   } |   } | ||||||
|   | |||||||
| @@ -729,8 +729,6 @@ public class Gerrit implements EntryPoint { | |||||||
|       whoAmI(cfg.getAuthType() != AuthType.CLIENT_SSL_CERT_LDAP); |       whoAmI(cfg.getAuthType() != AuthType.CLIENT_SSL_CERT_LDAP); | ||||||
|     } else { |     } else { | ||||||
|       switch (cfg.getAuthType()) { |       switch (cfg.getAuthType()) { | ||||||
|         case HTTP: |  | ||||||
|         case HTTP_LDAP: |  | ||||||
|         case CLIENT_SSL_CERT_LDAP: |         case CLIENT_SSL_CERT_LDAP: | ||||||
|           break; |           break; | ||||||
|  |  | ||||||
| @@ -759,6 +757,14 @@ public class Gerrit implements EntryPoint { | |||||||
|           }); |           }); | ||||||
|           break; |           break; | ||||||
|  |  | ||||||
|  |         case HTTP: | ||||||
|  |         case HTTP_LDAP: | ||||||
|  |           if (cfg.getLoginUrl() != null) { | ||||||
|  |             final String signinText = cfg.getLoginText() == null ? C.menuSignIn() : cfg.getLoginText(); | ||||||
|  |             menuRight.add(anchor(signinText, cfg.getLoginUrl())); | ||||||
|  |           } | ||||||
|  |           break; | ||||||
|  |  | ||||||
|         case LDAP: |         case LDAP: | ||||||
|         case LDAP_BIND: |         case LDAP_BIND: | ||||||
|         case CUSTOM_EXTENSION: |         case CUSTOM_EXTENSION: | ||||||
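Review bot: The new `case HTTP: case HTTP_LDAP:` branch renders nothing when `cfg.getLoginUrl()` is null, and the code does not say why that is safe. A short comment would help, for example `// No link without auth.loginUrl: the container auth filter already forces sign-in on "/"`, since that reasoning depends on HttpAuthModule, which is a different file. The ternary also calls `cfg.getLoginText()` twice on an over-long line; reading it into a local first would be easier to follow. The enclosing switch starts and ends outside this hunk.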
|   | |||||||
| @@ -94,10 +94,14 @@ class GerritConfigProvider implements Provider<GerritConfig> { | |||||||
|         config.setHttpPasswordUrl(cfg.getString("auth", null, "httpPasswordUrl")); |         config.setHttpPasswordUrl(cfg.getString("auth", null, "httpPasswordUrl")); | ||||||
|         break; |         break; | ||||||
|  |  | ||||||
|       case CLIENT_SSL_CERT_LDAP: |  | ||||||
|       case DEVELOPMENT_BECOME_ANY_ACCOUNT: |  | ||||||
|       case HTTP: |       case HTTP: | ||||||
|       case HTTP_LDAP: |       case HTTP_LDAP: | ||||||
|  |         config.setLoginUrl(cfg.getString("auth", null, "loginurl")); | ||||||
|  |         config.setLoginText(cfg.getString("auth", null, "logintext")); | ||||||
|  |         break; | ||||||
|  |  | ||||||
|  |       case CLIENT_SSL_CERT_LDAP: | ||||||
|  |       case DEVELOPMENT_BECOME_ANY_ACCOUNT: | ||||||
|       case OPENID: |       case OPENID: | ||||||
|       case OPENID_SSO: |       case OPENID_SSO: | ||||||
|         break; |         break; | ||||||
|   | |||||||
| @@ -88,7 +88,7 @@ public class WebModule extends FactoryModule { | |||||||
|     switch (authConfig.getAuthType()) { |     switch (authConfig.getAuthType()) { | ||||||
|       case HTTP: |       case HTTP: | ||||||
|       case HTTP_LDAP: |       case HTTP_LDAP: | ||||||
|         install(new HttpAuthModule()); |         install(new HttpAuthModule(authConfig)); | ||||||
|         break; |         break; | ||||||
|  |  | ||||||
|       case CLIENT_SSL_CERT_LDAP: |       case CLIENT_SSL_CERT_LDAP: | ||||||
|   | |||||||
| @@ -14,13 +14,22 @@ | |||||||
|  |  | ||||||
| package com.google.gerrit.httpd.auth.container; | package com.google.gerrit.httpd.auth.container; | ||||||
|  |  | ||||||
|  | import com.google.gerrit.server.config.AuthConfig; | ||||||
| import com.google.inject.servlet.ServletModule; | import com.google.inject.servlet.ServletModule; | ||||||
|  |  | ||||||
| /** Servlets and support related to HTTP authentication. */ | /** Servlets and support related to HTTP authentication. */ | ||||||
| public class HttpAuthModule extends ServletModule { | public class HttpAuthModule extends ServletModule { | ||||||
|  |   private final AuthConfig authConfig; | ||||||
|  |  | ||||||
|  |   public HttpAuthModule(final AuthConfig authConfig) { | ||||||
|  |     this.authConfig = authConfig; | ||||||
|  |   } | ||||||
|  |  | ||||||
|   @Override |   @Override | ||||||
|   protected void configureServlets() { |   protected void configureServlets() { | ||||||
|  |     if (authConfig.getLoginUrl() == null) { | ||||||
|       filter("/").through(HttpAuthFilter.class); |       filter("/").through(HttpAuthFilter.class); | ||||||
|  |     } | ||||||
|     serve("/login", "/login/*").with(HttpLoginServlet.class); |     serve("/login", "/login/*").with(HttpLoginServlet.class); | ||||||
|   } |   } | ||||||
| } | } | ||||||
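Review bot: With `auth.loginUrl` set, `configureServlets()` no longer routes `/` through `HttpAuthFilter`, so unauthenticated requests now reach Gerrit and the trusted identity header is consumed only by `HttpLoginServlet` under `/login`. That makes the deployment depend on the front-end proxy stripping or overwriting any client-supplied copy of the header on every request, and this should be stated at the `if`, for example `// loginUrl set: anonymous browsing allowed; the proxy must strip client-supplied identity headers before they reach /login`. HttpAuthFilter is not visible here, but if it also re-checks the header against the current session, skipping it would let a Gerrit session outlive the SSO session, which is worth confirming. The constructor and the `authConfig` field also have no Javadoc explaining that the module's filter set depends on configuration.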
|   | |||||||
| @@ -40,6 +40,7 @@ public class AuthConfig { | |||||||
|   private final boolean enableRunAs; |   private final boolean enableRunAs; | ||||||
|   private final boolean userNameToLowerCase; |   private final boolean userNameToLowerCase; | ||||||
|   private final boolean gitBasicAuth; |   private final boolean gitBasicAuth; | ||||||
|  |   private final String loginUrl; | ||||||
|   private final String logoutUrl; |   private final String logoutUrl; | ||||||
|   private final String openIdSsoUrl; |   private final String openIdSsoUrl; | ||||||
|   private final List<String> openIdDomains; |   private final List<String> openIdDomains; | ||||||
| @@ -57,6 +58,7 @@ public class AuthConfig { | |||||||
|       throws XsrfException { |       throws XsrfException { | ||||||
|     authType = toType(cfg); |     authType = toType(cfg); | ||||||
|     httpHeader = cfg.getString("auth", null, "httpheader"); |     httpHeader = cfg.getString("auth", null, "httpheader"); | ||||||
|  |     loginUrl = cfg.getString("auth", null, "loginurl"); | ||||||
|     logoutUrl = cfg.getString("auth", null, "logouturl"); |     logoutUrl = cfg.getString("auth", null, "logouturl"); | ||||||
|     openIdSsoUrl = cfg.getString("auth", null, "openidssourl"); |     openIdSsoUrl = cfg.getString("auth", null, "openidssourl"); | ||||||
|     openIdDomains = Arrays.asList(cfg.getStringList("auth", null, "openIdDomain")); |     openIdDomains = Arrays.asList(cfg.getStringList("auth", null, "openIdDomain")); | ||||||
| @@ -124,6 +126,10 @@ public class AuthConfig { | |||||||
|     return httpHeader; |     return httpHeader; | ||||||
|   } |   } | ||||||
|  |  | ||||||
|  |   public String getLoginUrl() { | ||||||
|  |     return loginUrl; | ||||||
|  |   } | ||||||
|  |  | ||||||
|   public String getLogoutURL() { |   public String getLogoutURL() { | ||||||
|     return logoutUrl; |     return logoutUrl; | ||||||
|   } |   } | ||||||
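Review bot: `loginUrl` is stored exactly as `cfg.getString("auth", null, "loginurl")` returns it, yet HttpAuthModule uses its null-ness to decide whether to install the authentication filter on `/`. If that call can return an empty or whitespace-only string for a blank `loginUrl =` entry (not confirmed from this page), the filter would be dropped while the UI shows a link to nowhere. Normalising in the constructor would close that gap, e.g. `loginUrl = Strings.emptyToNull(cfg.getString("auth", null, "loginurl"));` if Guava is on the classpath here. `getLoginUrl()` should get a Javadoc line saying that a non-null value switches HTTP and HTTP_LDAP to anonymous-until-login behaviour. GerritConfigProvider reads the same key independently, so both readers need the same treatment; the constructor body extends outside this hunk.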
|   | |||||||