[JIRA] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch commented on JENKINS-5303:

Thanks for the response and thoughts. It might make sense to use bytecode-compatibility-transformer since there are probably plugins that we don't know about. I'm not very familiar with this project. Is it something you would be able to take on?
[JIRA] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch commented on JENKINS-5303:

That's quite a bit more APIs than I expected. Given a lot of it is just repackaging, I'm wondering if we can automate pull requests to Spring Security using https://github.com/Netflix-Skunkworks/rewrite

Would this be an option you would consider?
[JIRA] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch commented on JENKINS-5303:

What are the APIs that are being used by plugins? Is there also a count for each API that is in use? This might help me to understand the current state of things.
[JIRA] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch commented on JENKINS-5303:

It's possible, but it would be using completely different security systems which wouldn't work. I'm wondering if we can bridge the SecurityContextHolder and SecurityContext types, if that would allow them to work simultaneously. This would depend on what public APIs are being used by external plugins.
[JIRA] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch commented on JENKINS-5303:

I'm still willing to try and help with this update but would like some guidance from the Jenkins team on how to ensure we can get something merged. Can anyone provide the list of the APIs in Acegi that are being used by external plugins? Perhaps that would allow us to figure out a shim jar.
[JIRA] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch commented on JENKINS-5303:

Daniel Beck Thanks for the response and the link to the tester. I'm not sure I'm willing to commit to the work unless the work will be merged. I am even willing to entertain the idea of fixing the plugins that would break. However, I want to ensure that my work will not be in vain.

Cheers,
Rob
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch edited a comment on JENKINS-5303:

Thanks for the response [~integer]. It is a real shame if that is the case. [~kohsuke] is this just a matter of resources? Is there anything I can do (i.e. get a complete Pull Request together) to get this back into 2.0?
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch commented on JENKINS-5303:

Thanks for the response Kanstantsin Shautsou. Kohsuke Kawaguchi is this just a matter of resources? Is there anything I can do (i.e. get a complete Pull Request together) to get this back into 2.0?
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch commented on JENKINS-5303:

Kanstantsin Shautsou I see that the 2.0 label was removed. Is there anything that can be done to get this added back to 2.0? I'd even be willing to work more on the PR if I can get some guidance.
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch commented on JENKINS-5303:

I'm very glad to see this issue getting traction! I'd like to formally extend an offer to provide any support with the migration from a Spring Security perspective. Please let me know if you have any questions.

Regards,
Rob Winch (Spring Security Lead)
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch commented on JENKINS-5303:

Kanstantsin Shautsou Thank you for the response.

> Rob Winch will it be possible to create Proxy or backward compatible migration?

Unfortunately, I don't think there is a way to make the transition completely seamless (i.e. using a Proxy). There may be steps we can provide to make the transition easier. However, this is difficult to determine at this point since I'm not familiar with the Jenkins code base.

> If not, could you provide some PR to core (there is a spring-security branch but with 0 work).

Although not clear, my initial intention was to answer any concrete questions that arose when someone else put the PR together.

I put together a branch at rwinch/jenkins/tree/security that updates to the latest Spring and Spring Security. At the moment, mvn -Plight-test test passes, but a full build fails. One of the issues appears to be that there are external libraries that will need updating as well (i.e. matrix-auth). There is also some clean up that needs to be done (i.e. whitespace changes that should be removed, etc).

I'm not certain I will get time to spend on this again in the near future. Perhaps someone can take what I have put together and polish it?

Cheers,
Rob
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch edited a comment on JENKINS-5303:

[~integer] Thank you for the response.

> Rob Winch will it be possible to create Proxy or backward compatible migration?

Unfortunately, I don't think there is a way to make the transition completely seamless (i.e. using a Proxy). There may be steps we can provide to make the transition easier. However, this is difficult to determine at this point since I'm not familiar with the Jenkins code base.

> If not, could you provide some PR to core (there is a spring-security branch but with 0 work).

Although not clear, my initial intention was to answer any concrete questions that arose when someone else put the PR together.

I put together a branch at rwinch/jenkins/tree/security (https://github.com/rwinch/jenkins/tree/security) that updates to the latest Spring and Spring Security. At the moment, mvn -Plight-test test passes, but a full build fails. One of the issues appears to be that there are external libraries that will need updating as well (i.e. matrix-auth). There is also some clean up that needs to be done (i.e. whitespace changes that should be removed, etc).

I'm not certain I will get time to spend on this again in the near future. Perhaps someone can take what I have put together and polish it?

Cheers,
Rob

PS: At this point I'm fully relying on the tests to catch any errors. It is possible there are logic errors in my changes as I went through them rather abruptly.
[JIRA] [core] (JENKINS-5303) Upgrade Acegi Security to the latest Spring Security release
Rob Winch commented on JENKINS-5303:

Acegi Security's last commit was over 7 years ago. There have been many CVEs reported and fixed within the maintained versions of Spring Security. For this reason I believe this issue should be considered a high priority.

Note that it appears that the Hudson team has already updated to Spring Security 3.2.x.