Type: Bug
Resolution: Fixed
Priority: Blocker
Jenkins Version 1.584
BasicAuthentication in combination with a sessionId is broken - after the first login, the following page refreshes fail with bad credentials.
Here is my analysis (I commented this on the corresponding commit on GitHub as well):
The BasicHeaderProcessor expects a non-null Authentication object.
From BasicHeaderProcessor:

    Authentication auth = a.authenticate(req, rsp, username, password);
    if (auth != null) {
        LOGGER.log(FINE, "Request authenticated as {0} by {1}", new Object[]{auth, a});
        success(req, rsp, chain, auth);
        return;
    }

From BasicHeaderRealPasswordAuthenticator:

    if (!authenticationIsRequired(username))
        return null;
It seems that you need to return the existing authentication object from BasicHeaderRealPasswordAuthenticator, and not null, if the current authentication is already valid...?
Anyway, since we are running Jenkins through a proxy with basic auth, the current version is completely broken for us...
Corresponding GitHub commit: https://github.com/jenkinsci/jenkins/commit/b2a98f6bc6924d1fd25f7da583888c2f4f36d83c
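Added illustration (not Jenkins code and not the reporter's): a self-contained Java model of the interaction quoted above. The names BasicHeaderProcessor, BasicHeaderRealPasswordAuthenticator and authenticationIsRequired mirror the quoted classes, but every body here, the Authentication and Request stand-ins, the PASSWORDS map and process() are constructed for this example and carry none of the Spring Security or Jenkins APIs. It shows why a null from the authenticator on an already-logged-in session turns a page refresh into "bad credentials", and that handing back the session's existing Authentication, as proposed in the report, fixes the refresh without accepting a wrong password for a different user.

```java
import java.util.Map;

public class BasicHeaderSessionDemo {

    /** Stand-in (constructed here) for Spring Security's Authentication: just the principal name. */
    record Authentication(String name) {}

    /** Stand-in (constructed here) for the servlet request: the session's current login, if any. */
    record Request(Authentication sessionAuth) {}

    /** Constructed user store consulted when a real password check is needed. */
    static final Map<String, String> PASSWORDS = Map.of("alice", "secret");

    interface Authenticator {
        Authentication authenticate(Request req, String username, String password);
    }

    /** Constructed counterpart of the quoted authenticationIsRequired(username):
     *  no fresh password check is needed when the session already holds this very user. */
    static boolean authenticationIsRequired(Request req, String username) {
        return req.sessionAuth() == null || !req.sessionAuth().name().equals(username);
    }

    /** Real credential check against the constructed store; null means rejected. */
    static Authentication checkPassword(String username, String password) {
        return password.equals(PASSWORDS.get(username)) ? new Authentication(username) : null;
    }

    /** Behaviour as reported: returns null when no fresh check is needed. */
    static final Authenticator BUGGY = (req, user, pass) -> {
        if (!authenticationIsRequired(req, user))
            return null;
        return checkPassword(user, pass);
    };

    /** Behaviour as proposed in the issue: hand back the session's existing Authentication. */
    static final Authenticator FIXED = (req, user, pass) -> {
        if (!authenticationIsRequired(req, user))
            return req.sessionAuth();
        return checkPassword(user, pass);
    };

    /** Constructed counterpart of BasicHeaderProcessor: only a non-null result counts as success. */
    static String process(Authenticator a, Request req, String user, String pass) {
        Authentication auth = a.authenticate(req, user, pass);
        if (auth != null)
            return "200 OK as " + auth.name();
        return "401 bad credentials";
    }

    public static void main(String[] args) {
        // First request: no session login yet, so the password is checked and accepted.
        Request first = new Request(null);
        System.out.println("first login (buggy): " + process(BUGGY, first, "alice", "secret"));

        // Page refresh: the browser or proxy resends the same Basic header and the session
        // already holds alice. The buggy path answers 401, the fixed path 200.
        Request refresh = new Request(new Authentication("alice"));
        System.out.println("refresh (buggy): " + process(BUGGY, refresh, "alice", "secret"));
        System.out.println("refresh (fixed): " + process(FIXED, refresh, "alice", "secret"));

        // The fix must not become "any header is fine once a session exists": a header for a
        // different user with a wrong password still goes through checkPassword and is rejected.
        Request otherUser = new Request(new Authentication("bob"));
        System.out.println("other user, wrong password (fixed): "
                + process(FIXED, otherUser, "alice", "wrong"));
    }
}
```

Compile and run with `javac BasicHeaderSessionDemo.java && java BasicHeaderSessionDemo` (Java 16 or newer, for records). The point of the last case is the one to keep in mind when reviewing a fix of this shape: returning the existing session Authentication is only safe because it is gated on the header naming the same principal the session already holds.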
Issue links:
- is related to: JENKINS-25180 Unable to authenticate using LDAP after upgrading to 1.576 or higher (Closed)
- links to: [JENKINS-25144] Basic Authentication in combination with Session is broken
Change history:

Field       | Original                          | New
Priority    | Critical [ 2 ]                    | Blocker [ 1 ]
Component/s |                                   | core [ 15593 ]
Component/s | security [ 15508 ]                |
Assignee    |                                   | Christof Schoell [ cschoell ]
Labels      | Authentication BasicAuth          | Authentication BasicAuth security
Status      | Open [ 1 ]                        | In Progress [ 3 ]
Remote Link |                                   | This issue links to "PR-1427 (Web Link)" [ 11805 ]
Status      | In Progress [ 3 ]                 | Open [ 1 ]
Labels      | Authentication BasicAuth security | Authentication BasicAuth regression security
Added a pull request with a fix for this bug on GitHub:
https://github.com/jenkinsci/jenkins/pull/1427