Issue Type: Bug
Assignee: Unassigned
Components: security
Created: 14/Oct/14 1:42 PM
Description:

BasicAuthentication in combination with a sessionId is broken - after the first login, following page refreshes fail with bad credentials.

Here is my analysis (I commented this on the corresponding commit on GitHub as well):
The BasicHeaderProcessor expects a non-null Authentication object.

From BasicHeaderProcessor:

    Authentication auth = a.authenticate(req, rsp, username, password);
    if (auth!=null) {
        LOGGER.log(FINE, "Request authenticated as {0} by {1}", new Object[]{auth,a});
        success(req, rsp, chain, auth);
        return;
    }

From BasicHeaderRealPasswordAuthenticator:

    if (!authenticationIsRequired(username))
        return null;

It seems that you need to return the existing authentication Object from BasicHeaderRealPasswordAuthenticator and not null if the current authentication is already valid...?

Anyway, since we are running Jenkins through a proxy with basicAuth, the current version is completely broken for us...

Corresponding Github commit: https://github.com/jenkinsci/jenkins/commit/b2a98f6bc6924d1fd25f7da583888c2f4f36d83c

Environment: Jenkins Version 1.584
Project: Jenkins
Labels: Authentication BasicAuth
Priority: Critical
Reporter: Christof Schoell
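
A minimal model of the control flow described in this report, added here as an illustration and not taken from Jenkins (requires Java 16+). The class, the `Auth` record, the 200/401 status values and the credentials are constructed, and the "suggested" authenticator models the reporter's idea, not necessarily the fix Jenkins shipped.

```java
// BasicAuthSessionModel.java - hypothetical model, not Jenkins source code.
public class BasicAuthSessionModel {
    record Auth(String user) {}

    interface Authenticator {
        // sessionAuth is the authentication already stored in the HTTP session, or null.
        Auth authenticate(String user, String pass, Auth sessionAuth);
    }

    // Reported behaviour: "authentication is not required" is signalled by returning null.
    static final Authenticator REPORTED = (u, p, s) -> {
        if (s != null && s.user().equals(u)) return null;
        return check(u, p);
    };

    // Reporter's suggestion: return the existing, still-valid authentication instead.
    // Here the session, not the header password, is what vouches for the request.
    static final Authenticator SUGGESTED = (u, p, s) -> {
        if (s != null && s.user().equals(u)) return s;
        return check(u, p);
    };

    // Constructed credential store: one user, one password.
    static Auth check(String u, String p) {
        return "alice".equals(u) && "s3cret".equals(p) ? new Auth(u) : null;
    }

    // Processor side: a null result is indistinguishable from a failed login.
    static int process(Authenticator a, String u, String p, Auth sessionAuth) {
        Auth auth = a.authenticate(u, p, sessionAuth);
        return auth != null ? 200 : 401;
    }

    public static void main(String[] args) {
        Auth none = null;
        Auth session = new Auth("alice"); // set by the first successful request
        System.out.println("first request (reported):      " + process(REPORTED, "alice", "s3cret", none));
        System.out.println("page refresh  (reported):      " + process(REPORTED, "alice", "s3cret", session));
        System.out.println("page refresh  (suggested):     " + process(SUGGESTED, "alice", "s3cret", session));
        System.out.println("bad password, no session:      " + process(SUGGESTED, "alice", "wrong", none));
        System.out.println("other user, existing session:  " + process(SUGGESTED, "bob", "wrong", session));
    }
}
```

The second call shows the failure mode from the report: correct credentials plus a valid session still end in a rejection because "nothing to do" and "login failed" share the same null return value.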