
NegSecFilter should not secure notifyCommit URLs

      Once this plugin is configured, I am no longer able to hit the notifyCommit URLs. Instead I get "This request requires HTTP authentication."

      Based on the git plugin documentation, these URLs should not be secured:

      this URL doesn't require authentication even for secured Jenkins, because the server doesn't directly use anything that the client is sending. It runs polling to verify that there is a change, before it actually starts a build.

      source: https://wiki.jenkins-ci.org/display/JENKINS/Git+Plugin#GitPlugin-Pushnotificationfromrepository

      I believe both svn and mercurial also support push notifications. I'm not aware of any other Jenkins URLs that need to be excluded from the security filter, but others may exist.


          Bryson Gibbons added a comment -

          Going to do a path check for "/notifyCommit" in the request URL, since that seems to be the easiest way to do it:

          Git: <jenkins root>/git/notifyCommit?... (https://wiki.jenkins-ci.org/display/JENKINS/Git+Plugin)
          Mercurial: <jenkins root>/mercurial/notifyCommit?... (https://wiki.jenkins-ci.org/display/JENKINS/Mercurial+Plugin)
          Subversion: <jenkins root>/subversion/<repo UUID>/notifyCommit?... (https://wiki.jenkins-ci.org/display/JENKINS/Subversion+Plugin)

          I would prefer a solid "Path must look/start like this", but the only way to do that with the subversion path is with a regular expression, and those can become hard to maintain...
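The two options weighed in the comment above, side by side, as an added example (this is not code from the negotiate-sso-plugin): the substring check that the fix adopts, and the stricter "path must look like this" check the author says they would prefer. The context path `/jenkins`, the sample request URIs, the Subversion repository UUID shape (8-4-4-4-12 hex groups) and the class and method names are all assumptions made for the example; the URI argument is taken to be what `HttpServletRequest.getRequestURI()` returns, i.e. without the query string.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example, not the plugin's own code: compares the "/notifyCommit" substring
// bypass with a stricter check tied to the three documented push-notification paths.
public final class NotifyCommitBypass {

    // Approach taken in the fix: bypass authentication when "/notifyCommit" appears
    // anywhere in the request URI (query string already stripped by the servlet API).
    static boolean substringCheck(String requestUri) {
        return requestUri.contains("/notifyCommit");
    }

    // Stricter alternative mentioned in the comment: the path after the Jenkins
    // context path must match one of the three documented shapes exactly.
    // The Subversion repo UUID pattern (8-4-4-4-12 hex groups) is an assumption.
    private static final Pattern NOTIFY_COMMIT_PATH = Pattern.compile(
        "^(?:/git|/mercurial"
        + "|/subversion/[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
        + "/notifyCommit/?$");

    static boolean strictPathCheck(String contextPath, String requestUri) {
        if (!requestUri.startsWith(contextPath)) {
            return false;
        }
        String path = requestUri.substring(contextPath.length());
        return NOTIFY_COMMIT_PATH.matcher(path).matches();
    }

    public static void main(String[] args) {
        String root = "/jenkins"; // assumed context path for the example
        // Constructed sample URIs: the three documented endpoints, an ordinary
        // job URL, and a path that merely contains the substring.
        List<String> uris = List.of(
            root + "/git/notifyCommit",
            root + "/mercurial/notifyCommit",
            root + "/subversion/3b3a2f6e-1111-2222-3333-444455556666/notifyCommit",
            root + "/job/demo/build",
            root + "/job/notifyCommit-demo/build");
        for (String uri : uris) {
            System.out.printf("%-72s substring=%-5b strict=%b%n",
                uri, substringCheck(uri), strictPathCheck(root, uri));
        }
    }
}
```

Running `main` shows both checks agreeing on the three documented endpoints and on the plain job URL, while the last constructed path is bypassed only by the substring check; that difference is the maintainability-versus-precision trade-off the comment describes, and the regex is the price of the precise version.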

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: FarmGeek4Life
          Path:
          src/main/java/com/github/farmgeek4life/jenkins/negotiatesso/NegSecFilter.java
          http://jenkins-ci.org/commit/negotiate-sso-plugin/fc41c77b51e842c1a635815db93970e0ca9cc2e0
          Log:
          [Fix JENKINS-30116] NegSecFilter should not secure notifyCommit URLs

          git, mercurial, and subversion all support push notifications to trigger
          polling and builds. These are not supposed to be secured, so make the
          filter bypass authentication when "/notifyCommit" is in the requested URL.
          https://issues.jenkins-ci.org/browse/JENKINS-30116

          Compare: https://github.com/jenkinsci/negotiate-sso-plugin/compare/b0ffaa33361f...fc41c77b51e8

          Bryson Gibbons added a comment - - edited

          Fix will be present in 1.1; if you otherwise want to test it sooner, you can download a snapshot here:
          https://jenkins.ci.cloudbees.com/job/plugins/job/negotiate-sso-plugin/7/org.jenkins-ci.plugins$NegotiateSSO/

          Still need to investigate the Jenkins version dependency problem; 1.1 will be released when I get that done, which will probably be around Sept. 5.


          pmv added a comment -

          Before you release - we also use the cli to issue commands to Jenkins. Do you happen to know if that will work with your filter, or will it have the same problem? I should be able to get this tested before the 5th, but just wanted to give you a heads up.


          pmv added a comment -

          FYI - I tested this and the cli commands do work, so no worries there.
