Original request: SecurityListener should be notified when ApiTokenFilter approves or denies a REST authentication attempt. Jesse Glick says that the logic should be reviewed from scratch.
- Investigate how it works
- Send events when it does not
- We cover REST, CLI, Web UI...
- Data should be forwarded to SecurityListener and logged here: https://github.com/jenkinsci/jenkins/blob/08def67a18eee51de9f3f99bc2a792fee1c160e0/core/src/main/java/jenkins/security/SecurityListener.java#L91
- Anybody should be able to attach to the Security Listener and get the information (via plugin or so)
- Nice2have: Review Javadoc of the engine and ensure it is still correct
- Nice2have: Document the login flow in Wiki (or Jenkins.io developer docs)
- What should happen:
- When you login, you get event
- When the authentication is sent, you get event. Includes REST API (password != API token) and Web calls. Example: https://github.com/jenkinsci/jenkins/blob/729016989e13632bc980957d05060510efddf41f/core/src/main/java/hudson/security/AbstractPasswordBasedSecurityRealm.java#L116
Not in scope:
- SecurityListener Audit Trail patch is not in the scope. May be used as reference impl if we need to add new API