Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-14843

OpenID SSO should use POST to submit details to google apps endpoint

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      When you have more than roughly 33 google accounts (cross domains) able to access your Jenkins installation you hit googles maximum URL length when the browser is instructed to redirect to the OpenID endpoint.

      According to http://stackoverflow.com/questions/4957435/got-414-request-uri-too-large-from-google-when-authenticating-using-spring-secur the correct thing to do is POST the data from the browser rather than redirect with it all in the query string.

      I have half an implementation of this here. I will update this if I ever get it working correctly.

        Attachments

          Activity

          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          src/main/java/hudson/plugins/openid/impl/TeamsExtension.java
          http://jenkins-ci.org/commit/openid-plugin/e5bf3e92ca99e095565510ea8504b3c0debba99f
          Log:
          JENKINS-14843

          We can't merge the proposed patch as is, and we should switch to POST if that's what has to happen.
          In the mean time, at least provide an escape hatch to allow people to bypass the team extension.

          Run Jenkins with -Dhudson.plugins.openid.impl.TeamsExtension.disable=true to disable the team extension.

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Kohsuke Kawaguchi Path: src/main/java/hudson/plugins/openid/impl/TeamsExtension.java http://jenkins-ci.org/commit/openid-plugin/e5bf3e92ca99e095565510ea8504b3c0debba99f Log: JENKINS-14843 We can't merge the proposed patch as is, and we should switch to POST if that's what has to happen. In the mean time, at least provide an escape hatch to allow people to bypass the team extension. Run Jenkins with -Dhudson.plugins.openid.impl.TeamsExtension.disable=true to disable the team extension.
          Hide
          johnrengelman John Engelman added a comment -

          Just tried to disable using the property and there is a missing '.' in the code that looks up the property. Using the malformed -Dhudson.plugins.openid.impl.TeamsExtensiondisable=true does work though.

          Show
          johnrengelman John Engelman added a comment - Just tried to disable using the property and there is a missing '.' in the code that looks up the property. Using the malformed -Dhudson.plugins.openid.impl.TeamsExtensiondisable=true does work though.
          Hide
          realyze Tomas Brambora added a comment -

          John E. is right.

          Show
          realyze Tomas Brambora added a comment - John E. is right.
          Hide
          rogerhu rogerhu added a comment -

          It almost be declared before the .jar file is invokved, so for Ubuntu it needs to be defined as JAVA_ARGS in /etc/default/jenkins:

          JAVA_ARGS="-Dhudson.plugins.openid.impl.TeamsExtensiondisable=true"
          JENKINS_ARGS="--webroot=/var/cache/jenkins/war --httpPort=$HTTP_PORT --ajp13Port=$AJP_PORT"

          Show
          rogerhu rogerhu added a comment - It almost be declared before the .jar file is invokved, so for Ubuntu it needs to be defined as JAVA_ARGS in /etc/default/jenkins: JAVA_ARGS="-Dhudson.plugins.openid.impl.TeamsExtensiondisable=true" JENKINS_ARGS="--webroot=/var/cache/jenkins/war --httpPort=$HTTP_PORT --ajp13Port=$AJP_PORT"
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Stephen Connolly
          Path:
          src/main/java/hudson/plugins/openid/OpenIdExtension.java
          src/main/java/hudson/plugins/openid/OpenIdSsoSecurityRealm.java
          http://jenkins-ci.org/commit/openid-plugin/e0c69e3cf3367eca7bff4e6279540e97455f42c0
          Log:
          JENKINS-14843 Allow extensions to determine whether it is appropriate for specific security realms

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Stephen Connolly Path: src/main/java/hudson/plugins/openid/OpenIdExtension.java src/main/java/hudson/plugins/openid/OpenIdSsoSecurityRealm.java http://jenkins-ci.org/commit/openid-plugin/e0c69e3cf3367eca7bff4e6279540e97455f42c0 Log: JENKINS-14843 Allow extensions to determine whether it is appropriate for specific security realms

            People

            Assignee:
            kohsuke Kohsuke Kawaguchi
            Reporter:
            blongden blongden
            Votes:
            7 Vote for this issue
            Watchers:
            14 Start watching this issue

              Dates

              Created:
              Updated: