- Bug
- Resolution: Fixed
- Blocker
Jenkins Version 1.584
BasicAuthentication in combination with a sessionId is broken - after the first login, following page refreshes fail with bad credentials.
Here is my analysis (I commented this on the corresponding commit on GitHub as well):
The BasicHeaderProcessor expects a not null Authentication Object
From BasicHeaderProcessor:
    Authentication auth = a.authenticate(req, rsp, username, password);
    if (auth!=null) {
        LOGGER.log(FINE, "Request authenticated as {0} by {1}", new Object[]{auth,a});
        success(req, rsp, chain, auth);
        return;
    }
From BasicHeaderRealPasswordAuthenticator:
    if (!authenticationIsRequired(username))
        return null;
It seems that you need to return the existing authentication Object from BasicHeaderRealPasswordAuthenticator and not null if the current authentication is already valid...?
Anyway, since we are running Jenkins through a proxy with basicAuth, the current version is completely broken for us...
Corresponding Github commit: https://github.com/jenkinsci/jenkins/commit/b2a98f6bc6924d1fd25f7da583888c2f4f36d83c
- is related to: JENKINS-25180 Unable to authenticate using LDAP after upgrading to 1.576 or higher (Closed)
Code changed in jenkins
User: Christof Schoell
Path:
core/src/main/java/jenkins/security/BasicHeaderRealPasswordAuthenticator.java
test/src/test/java/jenkins/security/BasicHeaderProcessorTest.java
http://jenkins-ci.org/commit/jenkins/0176b6d902faeec7bff63eb34ce16e2f70062035
Log:
JENKINS-25144 return authentication object instead of null if authentication is not
required - otherwise valid login fails with basic authentication
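
The interaction described in the report and in the commit log, as an added example that is not part of the issue or of the Jenkins code base: a processor that treats only a non-null result as success, run against an authenticator that returns null for an already-authenticated session and against one that returns the existing object. The class, the `sessionAuth` field, `checkPassword`, the sample account and the assumed meaning of `authenticationIsRequired` are hypothetical stand-ins (Java 16+ for records).

```java
import java.util.function.BiFunction;

// Simplified model of the flow quoted in the report; not Jenkins source code.
public class BasicAuthSessionDemo {
    record Authentication(String name) {}
    // Stand-in for the authentication kept with the HTTP session.
    static Authentication sessionAuth;

    // Assumed semantics: nothing to do if the session already holds this user.
    static boolean authenticationIsRequired(String username) {
        return sessionAuth == null || !sessionAuth.name().equals(username);
    }

    // Constructed credential store with a single account.
    static Authentication checkPassword(String user, String pass) {
        return "alice".equals(user) && "s3cret".equals(pass) ? new Authentication(user) : null;
    }

    // Behaviour described in the report: null when the session is already valid.
    static Authentication buggy(String user, String pass) {
        if (!authenticationIsRequired(user)) return null;
        return checkPassword(user, pass);
    }

    // Behaviour described in the commit log: return the existing object instead.
    static Authentication fixed(String user, String pass) {
        if (!authenticationIsRequired(user)) return sessionAuth;
        return checkPassword(user, pass);
    }

    // Mirrors the quoted processor logic: only a non-null result is a success.
    static int process(BiFunction<String, String, Authentication> a, String user, String pass) {
        Authentication auth = a.apply(user, pass);
        if (auth == null) return 401; // surfaces to the client as bad credentials
        sessionAuth = auth;
        return 200;
    }

    static void run(String label, BiFunction<String, String, Authentication> a) {
        sessionAuth = null; // fresh session
        int first = process(a, "alice", "s3cret");
        int refresh = process(a, "alice", "s3cret"); // same header, session now established
        System.out.println(label + ": first=" + first + ", refresh=" + refresh);
    }
    public static void main(String[] args) {
        run("buggy", BasicAuthSessionDemo::buggy);
        run("fixed", BasicAuthSessionDemo::fixed);
    }
}
```

With the null-returning variant the first request succeeds and the refresh is rejected; with the variant that returns the existing object both requests succeed.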