[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2015-09-24 Thread dogf...@java.net (JIRA)

dogfood commented on JENKINS-25144

Integrated in jenkins_main_trunk #4292
 JENKINS-25144 (Revision 7169a3916528ac95eada2cf13e3fbd7e50ae6387)
[FIXED JENKINS-25144] Revisiting the attempted fix in the previous commit. (Revision be34b675f0f9cb59a67c09dbe42364d34c3eaff1)

 Result = UNSTABLE
ogondza : 7169a3916528ac95eada2cf13e3fbd7e50ae6387
Files :

	core/src/main/java/jenkins/security/BasicHeaderRealPasswordAuthenticator.java
	test/src/test/java/jenkins/security/BasicHeaderProcessorTest.java

ogondza : be34b675f0f9cb59a67c09dbe42364d34c3eaff1
Files :

	core/src/main/java/jenkins/security/BasicHeaderProcessor.java
	core/src/main/java/jenkins/security/BasicHeaderRealPasswordAuthenticator.java

This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)

-- 
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-12-21 Thread scm_issue_l...@java.net (JIRA)

SCM/JIRA link daemon commented on JENKINS-25144

Code changed in jenkins
User: Christof Schoell
Path:
 core/src/main/java/jenkins/security/BasicHeaderRealPasswordAuthenticator.java
 test/src/test/java/jenkins/security/BasicHeaderProcessorTest.java
http://jenkins-ci.org/commit/jenkins/7169a3916528ac95eada2cf13e3fbd7e50ae6387
Log:
  JENKINS-25144

return authentication object instead of null if authentication is not
required - otherwise valid login fails with basic authentication

(cherry picked from commit 0176b6d902faeec7bff63eb34ce16e2f70062035)

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-12-21 Thread scm_issue_l...@java.net (JIRA)

SCM/JIRA link daemon commented on JENKINS-25144

Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
 core/src/main/java/jenkins/security/BasicHeaderProcessor.java
 core/src/main/java/jenkins/security/BasicHeaderRealPasswordAuthenticator.java
http://jenkins-ci.org/commit/jenkins/be34b675f0f9cb59a67c09dbe42364d34c3eaff1
Log:
  [FIXED JENKINS-25144] Revisiting the attempted fix in the previous commit.

IIUC, the issue here is that the request in question contains both a
valid session cookie AND basic authentication header, and that path
results in a failure because BasicHeaderProcessor expects one of
BasicHeaderAuthenticators to validate the basic authentication header
(without knowing that there's already a valid Authentication object that
came from the HTTP session), yet no BasicHeaderAuthenticator actually
processes this because BasicHeaderRealPasswordAuthenticator backs away
from doing that.

I think the correct fix is for BasicHeaderRealPasswordAuthenticator to
get rid of authenticationIsRequired check. This check instead belongs to
BasicHeaderProcessor, where it should be used to check if any
BasicHeaderAuthenticator should be consulted or not.

The problem with having this logic in
BasicHeaderRealPasswordAuthenticator is that this is just an
implementation of an extension point, and thus it needs to be removable.
As it stands right now in this fix, if this impl is removed,
JENKINS-25144 will be back again.

(cherry picked from commit 9e81b8e4feebceef94d117b757952c965bf91c61)

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-11-11 Thread o.v.nenas...@gmail.com (JIRA)

Oleg Nenashev commented on JENKINS-25144

It makes sense to discuss the exception on the project meeting

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-11-11 Thread dan...@beckweb.net (JIRA)

Daniel Beck commented on JENKINS-25144

1.580.2 RC is due this week, so this won't be soaked enough. Inclusion in .3 is more likely.

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-11-07 Thread aeon...@gmail.com (JIRA)

Florian Hug commented on JENKINS-25144

Thanks a lot for fixing this issue! Could this fix please be included in the LTS version 1.580.2? The current LTS is completely useless for us... Thanks a lot!

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-11-07 Thread dogf...@java.net (JIRA)

dogfood commented on JENKINS-25144

Integrated in jenkins_main_trunk #3800
 JENKINS-25144 (Revision 0176b6d902faeec7bff63eb34ce16e2f70062035)
[FIXED JENKINS-25144] Revisiting the attempted fix in the previous commit. (Revision 9e81b8e4feebceef94d117b757952c965bf91c61)

 Result = SUCCESS
kohsuke : 0176b6d902faeec7bff63eb34ce16e2f70062035
Files :

	test/src/test/java/jenkins/security/BasicHeaderProcessorTest.java
	core/src/main/java/jenkins/security/BasicHeaderRealPasswordAuthenticator.java

kohsuke : 9e81b8e4feebceef94d117b757952c965bf91c61
Files :

	core/src/main/java/jenkins/security/BasicHeaderRealPasswordAuthenticator.java
	core/src/main/java/jenkins/security/BasicHeaderProcessor.java

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-11-07 Thread scm_issue_l...@java.net (JIRA)

SCM/JIRA link daemon commented on JENKINS-25144

Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
 core/src/main/java/jenkins/security/BasicHeaderProcessor.java
 core/src/main/java/jenkins/security/BasicHeaderRealPasswordAuthenticator.java
http://jenkins-ci.org/commit/jenkins/9e81b8e4feebceef94d117b757952c965bf91c61
Log:
  [FIXED JENKINS-25144] Revisiting the attempted fix in the previous commit.

IIUC, the issue here is that the request in question contains both a
valid session cookie AND basic authentication header, and that path
results in a failure because BasicHeaderProcessor expects one of
BasicHeaderAuthenticators to validate the basic authentication header
(without knowing that there's already a valid Authentication object that
came from the HTTP session), yet no BasicHeaderAuthenticator actually
processes this because BasicHeaderRealPasswordAuthenticator backs away
from doing that.

I think the correct fix is for BasicHeaderRealPasswordAuthenticator to
get rid of authenticationIsRequired check. This check instead belongs to
BasicHeaderProcessor, where it should be used to check if any
BasicHeaderAuthenticator should be consulted or not.

The problem with having this logic in
BasicHeaderRealPasswordAuthenticator is that this is just an
implementation of an extension point, and thus it needs to be removable.
As it stands right now in this fix, if this impl is removed,
JENKINS-25144 will be back again.
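
The control flow this commit message describes, as an added example that is not Jenkins source code and not part of the original message: a simplified Java model that compares the check living inside the authenticator implementation with the check living in the processor, including the case where the implementation is removed. The `authenticate` signature, the name-comparison rule inside `authenticationIsRequired`, the status codes and the credentials are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import java.util.Map;

/** Simplified model of the flow in the commit message; not Jenkins source code. */
public class BasicHeaderSessionModel {

    /** Stand-in for the BasicHeaderAuthenticator extension point (signature is an assumption). */
    interface BasicHeaderAuthenticator {
        /** Returns the authenticated user name, or null to decline or reject. */
        String authenticate(String sessionUser, String username, String password);
    }

    // Constructed credential store used only by this demo.
    static final Map<String, String> USERS = Map.of("alice", "s3cret", "bob", "hunter2");

    /** Assumption: re-authentication is needed unless the session already belongs to this user. */
    static boolean authenticationIsRequired(String sessionUser, String username) {
        return sessionUser == null || !sessionUser.equals(username);
    }

    static boolean passwordMatches(String username, String password) {
        return password.equals(USERS.get(username));
    }

    /** Original behaviour: the implementation backs away when a session already exists. */
    static final BasicHeaderAuthenticator BACKS_AWAY = (sessionUser, user, pass) -> {
        if (!authenticationIsRequired(sessionUser, user)) {
            return null; // declines, but the processor cannot tell this from a rejection
        }
        return passwordMatches(user, pass) ? user : null;
    };

    /** First fix: hand back the session's identity instead of null when no check is needed. */
    static final BasicHeaderAuthenticator RETURNS_SESSION_AUTH = (sessionUser, user, pass) -> {
        if (!authenticationIsRequired(sessionUser, user)) {
            return sessionUser;
        }
        return passwordMatches(user, pass) ? user : null;
    };

    /** Second fix: the implementation only validates the password. */
    static final BasicHeaderAuthenticator PASSWORD_ONLY =
            (sessionUser, user, pass) -> passwordMatches(user, pass) ? user : null;

    /** Splits "Basic base64(user:password)" into {user, password}; null if absent or malformed. */
    static String[] parseBasic(String header) {
        if (header == null || !header.startsWith("Basic ")) return null;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String decoded = new String(raw, StandardCharsets.UTF_8);
            int idx = decoded.indexOf(':');
            return idx < 0 ? null : new String[] {decoded.substring(0, idx), decoded.substring(idx + 1)};
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    /**
     * Models the processor and returns the HTTP status the request would get.
     * checkInProcessor=false: authenticators are always consulted for a Basic header.
     * checkInProcessor=true: they are skipped when the session already covers the user.
     */
    static int process(boolean checkInProcessor, String sessionUser, String header,
                       List<BasicHeaderAuthenticator> impls) {
        String[] cred = parseBasic(header);
        if (cred == null) {
            return sessionUser != null ? 200 : 401; // no usable header: the session alone decides
        }
        if (checkInProcessor && !authenticationIsRequired(sessionUser, cred[0])) {
            return 200; // keep the Authentication that came from the HTTP session
        }
        for (BasicHeaderAuthenticator a : impls) {
            if (a.authenticate(sessionUser, cred[0], cred[1]) != null) return 200;
        }
        return 401; // no authenticator vouched for the header
    }

    static String basic(String user, String pass) {
        byte[] raw = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    public static void main(String[] args) {
        String good = basic("alice", "s3cret");
        // Reported case: session cookie for alice plus a valid Basic header for alice.
        System.out.println("original, impl installed:    " + process(false, "alice", good, List.of(BACKS_AWAY)));
        System.out.println("first fix, impl installed:   " + process(false, "alice", good, List.of(RETURNS_SESSION_AUTH)));
        System.out.println("first fix, impl removed:     " + process(false, "alice", good, List.of()));
        System.out.println("second fix, impl installed:  " + process(true, "alice", good, List.of(PASSWORD_ONLY)));
        System.out.println("second fix, impl removed:    " + process(true, "alice", good, List.of()));
        // Session for alice, header names bob with a wrong password: still has to be validated.
        String wrong = basic("bob", "nope");
        System.out.println("second fix, mismatched user: " + process(true, "alice", wrong, List.of(PASSWORD_ONLY)));
    }
}
```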

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-11-07 Thread scm_issue_l...@java.net (JIRA)

SCM/JIRA link daemon commented on JENKINS-25144

Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
 changelog.html
 core/src/main/java/jenkins/security/BasicHeaderProcessor.java
 core/src/main/java/jenkins/security/BasicHeaderRealPasswordAuthenticator.java
 test/src/test/java/jenkins/security/BasicHeaderProcessorTest.java
http://jenkins-ci.org/commit/jenkins/ada8432fc57b0293cc7c28777e64f8a72d413409
Log:
  JENKINS-25144 Merge pull request #1427

Compare: https://github.com/jenkinsci/jenkins/compare/24c5e5e44038...ada8432fc57b

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-11-07 Thread scm_issue_l...@java.net (JIRA)

SCM/JIRA link daemon resolved JENKINS-25144 as Fixed

Change By: SCM/JIRA link daemon (07/Nov/14 6:28 PM)
Status: Open -> Resolved
Resolution: Fixed

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-11-07 Thread scm_issue_l...@java.net (JIRA)

SCM/JIRA link daemon commented on JENKINS-25144

Code changed in jenkins
User: Christof Schoell
Path:
 core/src/main/java/jenkins/security/BasicHeaderRealPasswordAuthenticator.java
 test/src/test/java/jenkins/security/BasicHeaderProcessorTest.java
http://jenkins-ci.org/commit/jenkins/0176b6d902faeec7bff63eb34ce16e2f70062035
Log:
  JENKINS-25144

return authentication object instead of null if authentication is not
required - otherwise valid login fails with basic authentication

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-11-07 Thread c.scho...@gmail.com (JIRA)

Christof Schoell commented on JENKINS-25144

Ok thanks!

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-11-07 Thread o.v.nenas...@gmail.com (JIRA)

Oleg Nenashev commented on JENKINS-25144

AFAIK we're waiting for Kohsuke's review.
I'll ping him in IRC

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-11-07 Thread c.scho...@gmail.com (JIRA)

Christof Schoell assigned JENKINS-25144 to Oleg Nenashev

Change By: Christof Schoell (07/Nov/14 2:40 PM)
Assignee: Oleg Nenashev

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-11-07 Thread c.scho...@gmail.com (JIRA)

Christof Schoell commented on JENKINS-25144

So do we have to create a company internal fork of jenkins now, because nobody fixes this bug? LTS is broken as well after all...
I really would prefer not to though.

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-11-04 Thread aeon...@gmail.com (JIRA)

Florian Hug commented on JENKINS-25144

For us this is a blocker since we are using the RTC Jazz (Rational Team Concert) plugin to trigger builds directly via the version control system. Since we have to use authentication (company policy) the version control system authenticates against Jenkins (using basic auth) and starts the build using its individual parameters.

Since basic auth is broken, no build can be triggered via the version control system and this LTS version is completely useless for us.
We would really appreciate a quick fix within Jenkins LTS.

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-11-03 Thread c.scho...@gmail.com (JIRA)

Christof Schoell commented on JENKINS-25144

So is anyone going to pull the fix - it only needs to be merged after all?

This is really annoying to us, since we would like to update our jenkins to a recent version and can't ...

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-11-03 Thread c.scho...@gmail.com (JIRA)

Christof Schoell assigned JENKINS-25144 to Unassigned

Change By: Christof Schoell (03/Nov/14 10:16 AM)
Assignee: Kohsuke Kawaguchi

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-30 Thread c.scho...@gmail.com (JIRA)

Christof Schoell commented on JENKINS-25144

Yep definitely convenient - we have a proxy application which adds a menu for all our tools on top aside from doing the registration and login into jenkins (SSO)

This bug makes it impossible to use though...

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-30 Thread ac...@knoke-babenhausen.de (JIRA)

Joachim Knoke commented on JENKINS-25144

I ran into this and the fix of Christof Schoell works like a charm. Please merge it, if there are no side effects that may have been overseen, so we don't need to fix this manually all the time. Thanks in advance.

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-30 Thread unclet...@java.net (JIRA)

uncletall commented on JENKINS-25144

Actually, the Apache config I posted allows for something like a single sign-on. Apache authenticates the user and passes the credentials on to the other servers. This way I only need to log in once and have automatic access to Jenkins, Gerrit, MediaWiki and MantisBT. This way I do not need to log in for every single site and the users are managed centrally using LDAP. Very convenient.

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-29 Thread dan...@beckweb.net (JIRA)

Daniel Beck commented on JENKINS-25144

No single sign-on though. Everything needs to authenticate.

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-29 Thread unclet...@java.net (JIRA)

uncletall commented on JENKINS-25144

There were 89K+ downloads for the LDAP plugin in Sep-2014. I guess indeed that this should be quite common.

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-29 Thread andreasman...@java.net (JIRA)

andreasmandel commented on JENKINS-25144

Is there an alternative way? I need a 2nd component to perform authentication (against an LDAP server) and single sign on for other tools accessible on this server. All is nicely done by using an Apache with mod proxy and mod_authnz_ldap. I guess this is quite common, at least for larger setups?

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-28 Thread unclet...@java.net (JIRA)

uncletall commented on JENKINS-25144

Yes, you are right. Maybe this is not as common as I thought it was. Just that I accidentally upgraded Jenkins while upgrading Ubuntu using apt-get upgrade and ended up spending two days fixing my mistake. I would like other people to be spared the trouble.

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-28 Thread dan...@beckweb.net (JIRA)

Daniel Beck commented on JENKINS-25144

Right, proxy-based auth. I thought this was basic auth as used for API access. Sorry about the confusion.

Note that it's well possible to use Jenkins based auth behind a free-for-all reverse proxy, so

this is really a blocker for all reverse proxy setups

is a bit too much.

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-28 Thread c.scho...@gmail.com (JIRA)

Christof Schoell edited a comment on JENKINS-25144

You would have to remove the JSESSIONID set by Jenkins (or tomcat really) from the cookie header so you do not have a session any more.
This isn't really practicable but I guess it could be possible...

On the other hand this would remove any functionality from Jenkins which requires a session (e.g. icon sizes in the summary view)

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-28 Thread c.scho...@gmail.com (JIRA)














































Christof Schoell
 commented on  JENKINS-25144


Basic Authentication in combination with Session is broken















Nope you can't really do anything about this by config. You would have to remove the JSESSIONID set by Jenkins (or tomcat really) from the cookie so you do not have a session any more.

On the other hand this would remove any functionality from Jenkins which requires a session (e.g. icon sizes in the summary view)

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-28 Thread unclet...@java.net (JIRA)

uncletall commented on JENKINS-25144

This is my server config. Is there anything I can change to work around this bug? I am not doing anything with a Session ID, at least not that I am aware of.


AuthBasicProvider ldap
AuthType Basic
AuthName "example.com"
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://example.com/ou=users,dc=example,dc=com?uid?one"
Require valid-user
RequestHeader set REMOTE_USER %{REMOTE_USER}s


AllowEncodedSlashes On
RewriteEngine On


Order deny,allow
Allow from all



	Jenkins

ProxyPass http://192.168.1.2:8080/ci/
ProxyPassReverse /
Order deny,allow
Allow from all

Header edit Location ^http://example.com/ci/ https://example.com/ci/




	Gerrit
ProxyPass /r/ http://192.168.1.1:8081/r/ nocanon
	Wiki
ProxyPass /wiki/ https://192.168.1.3/wiki/
ProxyPassReverse /wiki/ https://192.168.1.3/wiki/
ProxyPass /w/ https://192.168.1.3/w/
ProxyPassReverse /w/ https://192.168.1.3/w/

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-28 Thread c.scho...@gmail.com (JIRA)

Christof Schoell commented on JENKINS-25144

A Session is created automatically and the User/Password is sent with every request through the proxy. 
That's when the problem occurs. Without any Session Id (which you would have to filter out inside the proxy) the functionality of jenkins is reduced as well...

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-27 Thread dan...@beckweb.net (JIRA)

Daniel Beck commented on JENKINS-25144

> Please have a look at this

I'm sure he'll get right to it after taking care of the other 385 issues assigned to him. (IOW, it's usually more effective to bring issues to someone's attention via other channels.)

> WARNING on the main page telling people not to install the latest version

You can vote on the changelog ("Community rating") and tell people about this bug.



TBH I think you're overestimating the impact of this issue. Isn't it easily circumvented by sending User/Password with every request instead of relying on Session ID?

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-27 Thread unclet...@java.net (JIRA)

uncletall commented on JENKINS-25144

Failing to fix this, there should be at least a WARNING on the main page telling people not to install the latest version if they are running behind a reverse proxy.

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-27 Thread c.scho...@gmail.com (JIRA)

Christof Schoell assigned JENKINS-25144 to Kohsuke Kawaguchi

Please have a look at this - would be great if this bug would be fixed any time soon, so anyone with a proxy solution can use a recent version of jenkins. Thanks!





Change By: Christof Schoell (27/Oct/14 8:26 PM)
Assignee: Kohsuke Kawaguchi

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-27 Thread c.scho...@gmail.com (JIRA)

Christof Schoell commented on JENKINS-25144

If you look at the history, it seems that you assigned yourself 
Or there are other strange things happening with this bug lol

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-16 Thread unclet...@java.net (JIRA)

uncletall commented on JENKINS-25144

Related to: https://issues.jenkins-ci.org/browse/JENKINS-25180

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-16 Thread jgl...@cloudbees.com (JIRA)

Jesse Glick updated JENKINS-25144

Change By: Jesse Glick (16/Oct/14 12:56 PM)
Labels: Authentication BasicAuth regression security

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-16 Thread jgl...@cloudbees.com (JIRA)

Jesse Glick updated JENKINS-25144

Change By: Jesse Glick (16/Oct/14 12:56 PM)
Labels: Authentication BasicAuth lts-candidate regression security

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-15 Thread c.scho...@gmail.com (JIRA)

Christof Schoell commented on JENKINS-25144

Stopped progress: Waiting for Pull Request to be merged (Dunno whether this fits into the usual workflow...?)

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-15 Thread c.scho...@gmail.com (JIRA)

Christof Schoell stopped work on JENKINS-25144

Change By: Christof Schoell (15/Oct/14 12:30 PM)
Status: In Progress -> Open

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-15 Thread c.scho...@gmail.com (JIRA)

Christof Schoell edited a comment on JENKINS-25144

FYI: I rolled out the built war file with the fix (PR-1427) for jenkins on our test infrastructure and the authentication problems are gone.

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-15 Thread c.scho...@gmail.com (JIRA)

Christof Schoell commented on JENKINS-25144

FYI: I rolled out the built war file with the fix (PR-1427) for jenkins on our test infrastructure and the login problems are gone.

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-14 Thread o.v.nenas...@gmail.com (JIRA)

Oleg Nenashev started work on JENKINS-25144

Change By: Oleg Nenashev (14/Oct/14 7:40 PM)
Status: Open -> In Progress

[JIRA] [core] (JENKINS-25144) Basic Authentication in combination with Session is broken

2014-10-14 Thread o.v.nenas...@gmail.com (JIRA)

Oleg Nenashev updated JENKINS-25144

Change By: Oleg Nenashev (14/Oct/14 7:39 PM)
Labels: Authentication BasicAuth security
Assignee: Christof Schoell
Component/s: core
Component/s: security