
Basic Authentication in combination with Session is broken

      BasicAuthentication in combination with a sessionId is broken - after the first login, following page refreshes fail with bad credentials.

      Here is my analysis (I commented this on the corresponding commit on GitHub as well):
      The BasicHeaderProcessor expects a non-null Authentication object.

      From BasicHeaderProcessor:

      Authentication auth = a.authenticate(req, rsp, username, password);
      if (auth != null) {
          LOGGER.log(FINE, "Request authenticated as {0} by {1}", new Object[]{auth, a});
          success(req, rsp, chain, auth);
          return;
      }

      From BasicHeaderRealPasswordAuthenticator:

      if (!authenticationIsRequired(username))
          return null;

      It seems that you need to return the existing authentication Object from BasicHeaderRealPasswordAuthenticator and not null if the current authentication is already valid...?

      Anyway, since we are running Jenkins through a proxy with basicAuth, the current version is completely broken for us...

      Corresponding GitHub commit: https://github.com/jenkinsci/jenkins/commit/b2a98f6bc6924d1fd25f7da583888c2f4f36d83c
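
The failure mode analysed above, as an added example that is not part of the original report and is not Jenkins code: a single-authenticator model in which every class, method and credential is a hypothetical stand-in. It compares an authenticator that returns null for an already-authenticated session with one that returns the existing authentication, and checks that a header naming a different user is still rejected on that session.

```java
public class BasicAuthSessionModel {
    // All names are hypothetical stand-ins for illustration, not Jenkins classes.
    interface Authenticator { String authenticate(String user, String password); }

    static String sessionUser; // user already authenticated on this session, or null

    // Constructed sample credentials.
    static boolean passwordOk(String user, String password) {
        return "alice".equals(user) && "s3cret".equals(password);
    }

    // Assumed semantics: re-authenticate unless the session already belongs to this user.
    static boolean authenticationIsRequired(String user) {
        return sessionUser == null || !sessionUser.equals(user);
    }

    // Reported behaviour: "already authenticated" is signalled with null.
    static final Authenticator REPORTED = (user, password) -> {
        if (!authenticationIsRequired(user)) return null;
        return passwordOk(user, password) ? user : null;
    };

    // Suggestion from the report: return the existing authentication instead.
    static final Authenticator SUGGESTED = (user, password) -> {
        if (!authenticationIsRequired(user)) return sessionUser;
        return passwordOk(user, password) ? user : null;
    };

    // Caller modelled on the quoted snippet: a null result is treated as a failure.
    static int handle(Authenticator a, String user, String password) {
        String auth = a.authenticate(user, password);
        if (auth != null) { sessionUser = auth; return 200; }
        return 401;
    }

    static String run(Authenticator a) {
        sessionUser = null;
        int login = handle(a, "alice", "s3cret");   // first request, no session yet
        int refresh = handle(a, "alice", "s3cret"); // same header, session now exists
        int other = handle(a, "bob", "guess");      // different user on alice's session
        return "login=" + login + " refresh=" + refresh + " otherUser=" + other;
    }

    public static void main(String[] args) {
        System.out.println("reported:  " + run(REPORTED));
        System.out.println("suggested: " + run(SUGGESTED));
    }
}
```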

          [JENKINS-25144] Basic Authentication in combination with Session is broken

          Christof Schoell created issue -
          Christof Schoell made changes -
          Priority Original: Critical [ 2 ] New: Blocker [ 1 ]

          Christof Schoell added a comment - Added a pull request with a fix for this bug on github: https://github.com/jenkinsci/jenkins/pull/1427
          Oleg Nenashev made changes -
          Component/s New: core [ 15593 ]
          Component/s Original: security [ 15508 ]
          Assignee New: Christof Schoell [ cschoell ]
          Labels Original: Authentication BasicAuth New: Authentication BasicAuth security
          Oleg Nenashev made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Christof Schoell made changes -
          Remote Link New: This issue links to "PR-1427 (Web Link)" [ 11805 ]

          Christof Schoell added a comment (edited) - FYI: I rolled out the built war file with the fix (PR-1427) for Jenkins on our test infrastructure and the authentication problems are gone.
          Christof Schoell made changes -
          Status Original: In Progress [ 3 ] New: Open [ 1 ]

          Christof Schoell added a comment - Stopped progress: Waiting for Pull Request to be merged (Dunno whether this fits into the usual workflow...?)
          Jesse Glick made changes -
          Labels Original: Authentication BasicAuth security New: Authentication BasicAuth regression security

            oleg_nenashev Oleg Nenashev
            cschoell Christof Schoell