- Bug
- Resolution: Won't Fix
- Minor
Trigger builds remotely/authentication token is a textbox. If you use per-project based security and enabled extended read, the token isn't obfuscated.
Could you turn the textbox into a password field?
I understand it is a corner case but the authentication token should be considered a password IMO.
[JENKINS-23072] turn the authentication token from a textbox to a password field
Field | Original | New
Labels | | authentication remote trigger
Resolution | | Won't Fix [ 2 ]
Status | Open [ 1 ] | Resolved [ 5 ]
Workflow | JNJira [ 155394 ] | JNJira + In-Review [ 195187 ]
Not a bug.
If it were a password box, there would be no way to get its current value, so that's impractical. (This isn't a use case with passwords to external systems, so there's no problem there.)
Workaround: Don't assign Extended Read permissions on remotely triggerable projects to untrusted users. Trigger the job in question differently, e.g. as a downstream job from a non-ExtendedReadable but remotely triggerable job, or using real HTTP auth (username + API token).
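To apply the workaround above you first need to know which jobs are affected. The following is an added example, not part of the original ticket or of Jenkins itself: it audits a job's `config.xml` and lists the principals who hold Extended Read on a job that has a remote-trigger token. The element name `authToken`, the `permission` entry format and the sample XML are assumptions about the on-disk layout, and the sample data is constructed.

```python
import xml.etree.ElementTree as ET

# Assumed config.xml layout: <authToken> holds the remote-trigger token, and
# matrix-auth <permission> entries read "hudson.model.Item.ExtendedRead:alice"
# (newer plugin versions prefix the entry with "USER:" or "GROUP:").
EXTENDED_READ = "hudson.model.Item.ExtendedRead"

def audit_job(config_xml, trusted=frozenset()):
    """Return sorted untrusted principals who can read this job's trigger token."""
    root = ET.fromstring(config_xml)
    token = root.findtext("authToken")
    if not token or not token.strip():
        return []  # no token-based remote trigger, so nothing to expose
    exposed = set()
    for perm in root.iter("permission"):
        entry = (perm.text or "").strip()
        for prefix in ("USER:", "GROUP:"):
            if entry.startswith(prefix):
                entry = entry[len(prefix):]
        perm_id, _, sid = entry.partition(":")
        if perm_id == EXTENDED_READ and sid and sid not in trusted:
            exposed.add(sid)
    return sorted(exposed)

# Constructed sample job configurations (not taken from a real Jenkins instance).
SAMPLE_EXPOSED = """<project>
  <properties>
    <hudson.security.AuthorizationMatrixProperty>
      <permission>hudson.model.Item.Read:anonymous</permission>
      <permission>hudson.model.Item.ExtendedRead:contractor</permission>
      <permission>USER:hudson.model.Item.ExtendedRead:alice</permission>
    </hudson.security.AuthorizationMatrixProperty>
  </properties>
  <authToken>constructed-sample-token</authToken>
</project>"""

SAMPLE_NO_TOKEN = """<project>
  <properties>
    <hudson.security.AuthorizationMatrixProperty>
      <permission>hudson.model.Item.ExtendedRead:contractor</permission>
    </hudson.security.AuthorizationMatrixProperty>
  </properties>
</project>"""

if __name__ == "__main__":
    print(audit_job(SAMPLE_EXPOSED, trusted={"alice"}))
```

Any job that returns a non-empty list is a candidate for the workaround: remove Extended Read for those principals, or drop the token and trigger the job with username + API token instead.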