We have a Jenkins server and a GitLab server hosted in our internal network and everything works fine. Recently we made our Jenkins server available from the public internet and therefore enabled Matrix-based security in the global security settings in Jenkins. Everything still works fine. I do not have to change the web hook URL within the GitLab repository.
But that is not what I expected. So now anyone who knows the public Jenkins URL can trigger a job by calling the web hook URL and passing the right data. My thought was that these anonymous calls would be blocked. I know that other plugins need a username and password/token to work with secured Jenkins systems. So did I miss something here, or is it expected behavior?