Script Security Realm

This plugin allows you to use a user-written custom script to authenticate the username and password. This is useful if you need to plug into a custom authentication scheme, but don't want to write your own plugin.

Plugin Information

Plugin ID: script-realm
Latest Release: 1.6-h-2
Latest Release Date: May 6, 2014
Plugin Central: Plugin Central 3.2
Sources: Github
Support: Eclipse Hudson Forum
Issue Tracking: Eclipse Bugzilla
Hudson Core (latest): 3.3.3

This plugin now supports resolving groups for a user logging in. You can define two scripts:

  • A script to authenticate the user.
    Each time authentication is attempted (which is once per session), the specified script is invoked with the username in the 'U' environment variable and the password in the 'P' environment variable. If the script returns exit code 0, the authentication is considered successful; any other exit code is treated as a failure.
  • A second script to resolve the groups for a user logging in.
    The specified script is invoked with the username in the 'U' environment variable.
    If the script returns exit code 0, its output is tokenized by the delimiter (default: ',') and a group is created from each token.
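
The two-script contract above, as an added example (not the plugin's own code, nor either commenter's): one POSIX shell script that serves both roles and treats U and P as untrusted input. The file paths and formats, the username alphabet and the `auth`/`groups` argument wiring are assumptions.

```shell
#!/bin/sh
# Added example, not the plugin's code. U and P come from the login form, so they
# are untrusted: they never reach a regex, SQL text or another program's argv.
# Assumed (hypothetical) files: AUTH_FILE holds "user:$apr1$salt$hash" lines,
# GROUP_FILE holds "user:group1,group2" lines.
AUTH_FILE="${AUTH_FILE:-/etc/hudson/htpasswd}"
GROUP_FILE="${GROUP_FILE:-/etc/hudson/groups}"

# Accept only a conservative username alphabet; anything else fails closed.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Print the rest of the line whose first field equals user $1 in file $2.
# Appending "" forces a string comparison, so "1e2" cannot match "100".
lookup() {
    awk -F: -v u="$1" '($1 "") == (u "") { print substr($0, length(u) + 2); exit }' "$2"
}

# Return 0 only if password $2 re-hashes to the stored apr1 entry of user $1.
check_login() {
    valid_user "$1" || return 1
    stored=$(lookup "$1" "$AUTH_FILE") || return 1
    case "$stored" in
        '$apr1$'*'$'*) ;;
        *) return 1 ;;
    esac
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    # -stdin keeps the password out of the process list.
    computed=$(printf '%s\n' "$2" | openssl passwd -apr1 -salt "$salt" -stdin 2>/dev/null) || return 1
    [ "$computed" = "$stored" ]
}

# Print the user's groups, already joined by the plugin's default ',' delimiter.
print_groups() {
    valid_user "$1" || return 1
    lookup "$1" "$GROUP_FILE"
}

# Assumed wiring: the realm is configured with "<script> auth" and "<script> groups".
case "${1:-}" in
    auth)   check_login "${U:-}" "${P:-}"; exit $? ;;
    groups) print_groups "${U:-}"; exit $? ;;
esac
```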

Changelog

Version 1.3 (Jan 16, 2011)

Version 1.2 (Nov 7, 2010)

  • adding support for groups

Version 1.0 (Nov 5, 2009)

  • Initial release

  1. Jun 09, 2011

    Jeff Tickle says:

    I had some trouble with the MySQL authentication plugin, so I just wrote this script and used the Script Security Realm plugin instead.  Figured I'd post it here in case anyone else could use such a thing:

    #!/bin/bash
    
    MYSQLHOST="mysqlhost"
    MYSQLUSER="mysqluser"
    MYSQLPASS="mysqlpass"
    MYSQLDB="mysqldb"
    
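    # U and P come straight from the login form. Hex-encode them so that only
    # [0-9a-f] is ever interpolated into the SQL text (the login match becomes byte-exact).
    UHEX=$(printf '%s' "$U" | od -An -v -tx1 | tr -d ' \n')
    PHEX=$(printf '%s' "$P" | od -An -v -tx1 | tr -d ' \n')
    
    # Note: this query must return a single count entry where 1 (one) is the only valid response
    # Any result other than 1 is treated as an invalid login.  Also, you should salt your passwords.
    AUTHQUERY="select count(*) from user where login=unhex('$UHEX') and pass=sha1(unhex('$PHEX'));"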
    
    RESULT=$(mysql -h"$MYSQLHOST" -u"$MYSQLUSER" -p"$MYSQLPASS" "$MYSQLDB" -e "$AUTHQUERY" -B --skip-column-names)
    
    [ "$RESULT" == "1" ] && exit 0
    
    exit 1
    
  2. Aug 01, 2011

    Bernhard Grünewaldt says:

    In my setup I have an Apache HTTPD with mod_proxy + basic_auth + mod_ssl running. On the same machine runs the tomcat.

    I wanted hudson to use the basic auth. So I wrote this:

    custom-passwd-auth.sh
    #!/bin/bash
    
    #
    # Authenticate against Apache Webserver 2.2 htpasswdfile
    # with MD5 encoding.
    #
    # @see http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
    # @Author Bernhard Grünewaldt
    # @Date 2011-08-31
    
    # CONFIG
    HTPASSWDFILE="/etc/svn-auth-conf"
    
    # Variables from Plugin
    BASICAUTHUSER=$U
    BASICAUTHPASS=$P
    
    
    # Get the salt as described here
    # Example: hans:$apr1$9CyFi...$C4xmHlLPWn8cEZ59VEVPD0
    # Info: "the salt is the 8 characters between the second and third $"
    # The user name is compared as an exact string, not used as a regex
    SALT=$(awk -F '$' -v u="$BASICAUTHUSER" '$1 == (u ":") {print $3; exit}' "$HTPASSWDFILE")
    
    # generate the custom md5 hash with the salt and the password
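    # (the password is passed on stdin so it does not show up in the process list)
    CUSTOMMD5=$(printf '%s\n' "$BASICAUTHPASS" | openssl passwd -apr1 -salt "$SALT" -stdin)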
    
    # make validate variable. Should now be the exact same line as
    # in the htpasswd file. Otherwise password was wrong.
    VALIDATE=$BASICAUTHUSER:$CUSTOMMD5
    
    # exit 0 for password match
    # (-F: fixed string, -x: whole line must match)
    if [ "$(grep -cFx -- "$VALIDATE" "$HTPASSWDFILE")" == 1 ]
    then
            echo "valid!"
            exit 0;
    fi
    
    # exit 1 for wrong password
    echo "invalid!"
    exit 1
    

    Tested with Hudson 2.1.0, Apache Webserver 2.2.x, Apache Tomcat 6.0.x