[JENKINS-33770] Setup wizard login trivial to circumvent

Type: Bug
Resolution: Fixed
Priority: Blocker
Component/s: core
Labels:
- 2.0
- 2.0-beta
- 2.0-planned

Similar Issues:
Powered by SuggestiMate

Show
Epic Link:
Bits in 2.0 RC Downloads

The /securityRealm/firstUser is accessible and allows creating an account while the setup wizard is active, but nobody has logged in so far.

Also, really weird UI brokenness since / is still the setup wizard.

links to

PR 2170

Daniel Beck created issue - 2016-03-24 03:06

Keith Zantow added a comment - 2016-03-24 15:56 - edited

You're still required to enter a security token, yes?

After entering the security token, you're logged in as an admin user. Navigating away is something we're not restricting, really (recall, it was... until the approach was changed significantly after the initial implementation).

Keith Zantow added a comment - 2016-03-24 15:56 - edited You're still required to enter a security token, yes? After entering the security token, you're logged in as an admin user. Navigating away is something we're not restricting, really (recall, it was... until the approach was changed significantly after the initial implementation).

Daniel Beck added a comment - 2016-03-24 16:00

You're still required to enter a security token, yes?

No.

In fact, I discovered this because some weird forward brought me right from "Jenkins is loading" to that page. Unfortunately I haven't been able to reproduce it since.

Daniel Beck added a comment - 2016-03-24 16:00 You're still required to enter a security token, yes? No. In fact, I discovered this because some weird forward brought me right from "Jenkins is loading" to that page. Unfortunately I haven't been able to reproduce it since.

Keith Zantow made changes - 2016-03-24 20:04

Status

Original: Open [ 1 ]

New: In Progress [ 3 ]

Keith Zantow made changes - 2016-03-24 20:04

Assignee

New: Keith Zantow [ kzantow ]

Daniel Beck made changes - 2016-03-25 02:52

Epic Link

New: ~~JENKINS-33810~~ [ 169285 ]

Keith Zantow made changes - 2016-03-25 16:00

Remote Link

New: This issue links to "PR 2170 (Web Link)" [ 14119 ]

Daniel Beck made changes - 2016-03-25 16:09

Labels

Original: 2.0 2.0-beta

New: 2.0 2.0-beta 2.0-planned

gus reiber added a comment - 2016-03-29 19:18

I am reproducing this bug testing 33828. Possibly you have a fix on a different branch, but if not, I can repro easily on the 33828 branch.

gus reiber added a comment - 2016-03-29 19:18 I am reproducing this bug testing 33828. Possibly you have a fix on a different branch, but if not, I can repro easily on the 33828 branch.

Keith Zantow added a comment - 2016-03-29 19:21

gusreiber I have different branches for each of these tickets, the fix for this is on branch: ~~JENKINS-33770~~-security-token-not-always-required

Keith Zantow added a comment - 2016-03-29 19:21 gusreiber I have different branches for each of these tickets, the fix for this is on branch: JENKINS-33770 -security-token-not-always-required

Assignee:: Keith Zantow

Reporter:: Daniel Beck

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2016-03-24 03:06

Updated:: 2016-03-31 14:01

Resolved:: 2016-03-31 14:01

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Keith Zantow added a comment - 2016-03-24 15:56, Edited by Keith Zantow - 2016-03-24 15:57

Expand comment: Keith Zantow added a comment - 2016-03-24 15:56, Edited by Keith Zantow - 2016-03-24 15:57

Collapse comment: Daniel Beck added a comment - 2016-03-24 16:00

Expand comment: Daniel Beck added a comment - 2016-03-24 16:00

Collapse comment: gus reiber added a comment - 2016-03-29 19:18

Expand comment: gus reiber added a comment - 2016-03-29 19:18

Collapse comment: Keith Zantow added a comment - 2016-03-29 19:21

Expand comment: Keith Zantow added a comment - 2016-03-29 19:21

People

Dates