Thanks for your quick patch and instant response.
From my testing, when no global security enabled, it works and tags have been added. But if enable the global security, it will pop out the errors like this:
=== Slave ===
$ java -jar slave.jar -jnlpUrl http://ec2-XX-XX-XX-xX.compute-1.amazonaws.com:8080/computer/XXXXXX-XXXXXX/slave-agent.jnlp
java.io.IOException: Failed to load http://ec2-XX-XX-XX-XX.compute-1.amazonaws.com:8080/computer/XXXXXX-XXXXXX/slave-agent.jnlp: 403 Forbidden
Waiting 10 seconds before retry
=== Master ===
INFO: While serving http://ec2-XX-XX-XX-XX.compute-1.amazonaws.com:8080/computer/XXXXXX-XXXXXX/slave-agent.jnlp: hudson.security.AccessDeniedException2: anonymous is missing the Slave/Connect permission
Besides, I also enabled the "Slave/Connect" permission for anonymous users. It still cannot work with 403 forbidden.
Then, I created one normal user with all permission, and use "-auth xxx:xxx" as a parameter in the command line. It seems that Master did not recognize the user and still consider it as anonymous.
So I am not sure whether the code has this logic now.