Merge pull request #162 from fbelzunc/JENKINS-70492

fbelzunc · web-flow · commit adc03ce0f20f · 2023-01-25T17:19:28.000+01:00
[JENKINS-70492] Only trigger SecurityListener on real authentication username/password
diff --git a/src/main/java/hudson/plugins/active_directory/ActiveDirectoryAuthenticationProvider.java b/src/main/java/hudson/plugins/active_directory/ActiveDirectoryAuthenticationProvider.java
@@ -43,7 +43,6 @@
 import hudson.security.GroupDetails;
 import hudson.security.SecurityRealm;
 import hudson.security.UserMayOrMayNotExistException;
-import jenkins.security.SecurityListener;
 import org.acegisecurity.AuthenticationException;
 import org.acegisecurity.BadCredentialsException;
 import org.acegisecurity.GrantedAuthority;
@@ -253,15 +252,13 @@ protected UserDetails retrieveUser(final String username,final  UsernamePassword
 
                         LOGGER.log(Level.FINE, "Login successful: {0} dn={1}", new Object[] {username, dn});
 
-                        UserDetails userDetails = new ActiveDirectoryUserDetail(
+                        return new ActiveDirectoryUserDetail(
                             username, "redacted",
                             !isAccountDisabled(usr),
                             true, true, true,
                             groups.toArray(new GrantedAuthority[0]),
                             getFullName(usr), getEmailAddress(usr), getTelephoneNumber(usr)
                         ).updateUserInfo();
-                        SecurityListener.fireAuthenticated(userDetails);
-                        return userDetails;
                     } finally {
                         col.disposeAll();
                         COM4J.removeListener(col);
diff --git a/src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java b/src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java
@@ -39,6 +39,7 @@
 import hudson.util.ListBoxModel;
 import hudson.util.Secret;
 import jenkins.model.Jenkins;
+import jenkins.security.SecurityListener;
 import org.acegisecurity.AuthenticationException;
 import org.acegisecurity.BadCredentialsException;
 import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
@@ -891,7 +892,9 @@ public UserDetails loadUserByUsername(String username) throws UsernameNotFoundEx
 
     @Override
     protected UserDetails authenticate(String username, String password) throws AuthenticationException {
-        return getAuthenticationProvider().retrieveUser(username,new UsernamePasswordAuthenticationToken(username,password));
+        UserDetails userDetails = getAuthenticationProvider().retrieveUser(username,new UsernamePasswordAuthenticationToken(username,password));
+        SecurityListener.fireAuthenticated(userDetails);
+        return userDetails;
     }
 
     private static final Logger LOGGER = Logger.getLogger(ActiveDirectorySecurityRealm.class.getName());
diff --git a/src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java b/src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
@@ -37,7 +37,6 @@
 
 import javax.naming.NameNotFoundException;
 
-import jenkins.security.SecurityListener;
 import org.acegisecurity.AuthenticationException;
 import org.acegisecurity.AuthenticationServiceException;
 import org.acegisecurity.BadCredentialsException;
@@ -221,9 +220,7 @@ protected UserDetails retrieveUser(final String username, final UsernamePassword
 
             for (ActiveDirectoryDomain domain : domains) {
                 try {
-                    UserDetails userDetails = retrieveUser(username, authentication, domain);
-                    SecurityListener.fireAuthenticated(userDetails);
-                    return userDetails;
+                    return retrieveUser(username, authentication, domain);
                 } catch (NamingException ne) {
                     if (userMatchesInternalDatabaseUser(username)) {
                         LOGGER.log(Level.WARNING, String.format("Looking into Jenkins Internal Users Database for user %s", username));
@@ -235,9 +232,7 @@ protected UserDetails retrieveUser(final String username, final UsernamePassword
                         }
                         if (hudsonPrivateSecurityRealm.isPasswordCorrect(password)) {
                             LOGGER.log(Level.INFO, String.format("Falling back into the internal user %s", username));
-                            UserDetails userDetails = new ActiveDirectoryUserDetail(username, "redacted", true, true, true, true, hudsonPrivateSecurityRealm.getAuthorities(), internalUser.getDisplayName(), "", "");
-                            SecurityListener.fireAuthenticated(userDetails);
-                            return userDetails;
+                            return new ActiveDirectoryUserDetail(username, "redacted", true, true, true, true, hudsonPrivateSecurityRealm.getAuthorities(), internalUser.getDisplayName(), "", "");
                         } else {
                             LOGGER.log(Level.WARNING, String.format("Credential exception trying to authenticate against %s domain", domain.getName()), ne);
                             errors.add(new MultiCauseUserMayOrMayNotExistException("We can't tell if the user exists or not: " + username, notFound));
