commit a9aff088 [SECURITY-49] introduced a change in signature generation for the remember me token in jenkins/core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java:
String expectedTokenSignature = MAC.mac(userDetails.getUsername() + ":" + tokenExpiryTime + ":" + "N/A" + ":" + getKey());
This code is used to VERIFY a cookie sent to Jenkins. The new verification process seems fine, but the change in code is NOT reflected in org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices.loginSuccess, where remember me cookies are created and sent to the user. Here, the old signature generation is still being used:
String signatureValue = DigestUtils.md5Hex(username + ":" + expiryTime + ":" + password + ":" + key);
I suggest either @Overriding TokenBasedRememberMeServices.loginSuccess in /jenkins-core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java as well to rely on TokenBasedRememberMeServices2.makeTokenSignature, or revert to the old md5 signature.
Any comments?
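A small model of the mismatch described above, added here as an example (it is not Jenkins' or Acegi's code). It assumes a cookie laid out as base64("username:expiry:signature"), stands in HMAC-SHA256 for MAC.mac, and uses a constructed server key; the point it shows is that a cookie issued by the unchanged loginSuccess (MD5 over username:expiry:password:key) can never pass a verifier that recomputes the new keyed signature over username:expiry:"N/A":key, while a loginSuccess that reuses the same makeTokenSignature routine produces cookies that verify.

```python
import base64
import hashlib
import hmac
import time

# Constructed values for the demonstration only; not a real Jenkins key or user.
SERVER_KEY = "constructed-server-key"


def legacy_md5_signature(username, expiry, password, key):
    """Old Acegi scheme still used by loginSuccess: MD5 over username:expiry:password:key."""
    data = f"{username}:{expiry}:{password}:{key}"
    return hashlib.md5(data.encode()).hexdigest()


def make_token_signature(username, expiry, key):
    """New scheme as the verifier expects it: keyed MAC over username:expiry:"N/A":key.
    HMAC-SHA256 is an assumption standing in for Jenkins' MAC.mac."""
    data = f"{username}:{expiry}:N/A:{key}"
    return hmac.new(key.encode(), data.encode(), hashlib.sha256).hexdigest()


def build_cookie(username, expiry, signature):
    """Assumed cookie layout: base64 of username:expiry:signature."""
    return base64.b64encode(f"{username}:{expiry}:{signature}".encode()).decode()


def verify_cookie(cookie, key, now=None):
    """Verifier side after the change. Returns the username on success, else None.
    `now` is seconds since the epoch; the expiry inside the cookie is in milliseconds."""
    now = time.time() if now is None else now
    try:
        parts = base64.b64decode(cookie).decode().split(":")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed cookie, not a signature problem
    if len(parts) != 3:
        return None
    username, expiry_str, signature = parts
    if not expiry_str.isdigit():
        return None
    expiry = int(expiry_str)
    if expiry <= now * 1000:
        return None  # expired token
    expected = make_token_signature(username, expiry, key)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, signature):
        return None
    return username


def login_success_unpatched(username, password, key, expiry):
    """Cookie issuance as the unchanged loginSuccess does it: legacy MD5 signature."""
    return build_cookie(username, expiry, legacy_md5_signature(username, expiry, password, key))


def login_success_fixed(username, key, expiry):
    """Cookie issuance that shares make_token_signature with the verifier."""
    return build_cookie(username, expiry, make_token_signature(username, expiry, key))


if __name__ == "__main__":
    expiry = 4102444800000  # constructed far-future expiry, in milliseconds
    bad = login_success_unpatched("alice", "pw", SERVER_KEY, expiry)
    good = login_success_fixed("alice", SERVER_KEY, expiry)
    print("unpatched cookie accepted:", verify_cookie(bad, SERVER_KEY) is not None)
    print("fixed cookie accepted:", verify_cookie(good, SERVER_KEY) is not None)
```

Running the block prints that the unpatched cookie is rejected and the fixed one accepted; the only difference between the two issuers is which signature routine they share with the verifier, which is the point of overriding loginSuccess to call makeTokenSignature.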
Same problem occurred on my side...
What's the latest status for this topic?!