In JENKINS-30116, I identified that the notifyCommit URLs should not have security applied to them. I was worried there were other URLs that shouldn't be secured either, but was unable to find a list on the Jenkins wiki.

      Today I noticed that if you click the 'Delegate to servlet container' option in the security settings, it provides a full list:

      These URLs (and URLs starting with these prefixes plus a /) should require no authentication. If possible, configure your container to pass these requests straight to Jenkins without requiring login.

      cli
      git
      jnlpJars
      subversion
      whoAmI

      Can you add this to the changes you made in JENKINS-30116?

          [JENKINS-32197] More URLs that NegSecFilter should not secure

          Bryson Gibbons added a comment:

          Thank you; I have seen a few others beyond these as I have looked at other plugins that were possibly of interest in my instance; these are definitely not in the ones I found, nor had I seen them elsewhere.

          SCM/JIRA link daemon added a comment:

          Code changed in jenkins
          User: FarmGeek4Life
          Path: src/main/java/com/github/farmgeek4life/jenkins/negotiatesso/NegSecFilter.java
          http://jenkins-ci.org/commit/negotiate-sso-plugin/36840afbb3de49155c8e1b2b92bfb2602413bf57
          Log:
          [FIXED JENKINS-32197] Add paths listed by the delegate servlet container to the "non-authenticated" paths

          Improved the checking mechanism
          Also added "bitbucket-hook"

          Compare: https://github.com/jenkinsci/negotiate-sso-plugin/compare/e2aadda93a73...36840afbb3de

          Bryson Gibbons added a comment (edited):

          I added the specified paths, as well as "bitbucket-hook" to the list of paths not authenticated. I also changed the mechanism that checks for these paths, since I was previously testing for

          */notifyCommit*

          which could be dangerous (a carefully named build job?).

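The difference between the `*/notifyCommit*` wildcard and an anchored prefix check, as an added example that is not the plugin's own code. The class and method names, the `/jenkins` context path, the sample URIs and the rejection of `..` and `;` are assumptions made for illustration; the prefix list is the one given in this issue.

```java
import java.util.List;

public class UnauthenticatedPathCheck {
    // Prefixes taken from the issue text (Jenkins' own list plus "bitbucket-hook").
    static final List<String> OPEN_PREFIXES =
        List.of("cli", "git", "jnlpJars", "subversion", "whoAmI", "bitbucket-hook");

    // Old style: the */notifyCommit* wildcard, i.e. a substring test anywhere in the URI.
    static boolean looseMatch(String requestUri) {
        return requestUri.contains("/notifyCommit");
    }

    // Anchored style: only the first path segment after the context path is compared,
    // following the rule "these URLs, and URLs starting with these prefixes plus a /".
    static boolean anchoredMatch(String contextPath, String requestUri) {
        if (!requestUri.startsWith(contextPath)) {
            return false;
        }
        String rest = requestUri.substring(contextPath.length());
        // Assumption: refuse dot-segments and path parameters rather than normalise them.
        if (rest.contains("..") || rest.contains(";")) {
            return false;
        }
        for (String prefix : OPEN_PREFIXES) {
            String base = "/" + prefix;
            if (rest.equals(base) || rest.startsWith(base + "/")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample URIs; "/jenkins" is an assumed context path.
        String[] samples = {
            "/jenkins/git/notifyCommit",          // intended open endpoint
            "/jenkins/whoAmI",                    // open, but missed by the wildcard
            "/jenkins/job/notifyCommit/configure", // job name matches the wildcard
            "/jenkins/gitlab/status",             // shares a prefix string, not a segment
            "/jenkins/git/../manage"              // dot-segment under an open prefix
        };
        for (String uri : samples) {
            System.out.printf("%-40s loose=%-5b anchored=%b%n",
                uri, looseMatch(uri), anchoredMatch("/jenkins", uri));
        }
    }
}
```

Only the first two samples pass the anchored check, while the wildcard lets the job URL through without authentication and fails to open `/whoAmI`.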

            farmgeek4life Bryson Gibbons
            pmv pmv