- Type: Bug
- Resolution: Fixed
- Priority: Major
- Component/s: reverse-proxy-auth-plugin
- None
- Environment: Jenkins 2.90
  reverse-proxy-auth-plugin 1.6.2
After configuring the reverse-proxy-auth-plugin, users are not authenticated in Jenkins.
It appears that ReverseProxySecurityRealm is correctly identifying the user from the following logs:
PM FINE org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm USER LOGGED IN: tad@simple.com
However, DefaultReverseProxyAuthenticator does not appear to receive the username:
PM INFO org.jenkinsci.plugins.reverse_proxy_auth.auth.DefaultReverseProxyAuthenticator authenticate DefaultReverseProxyAuthenticator::authenticate ==> null to [Lorg.acegisecurity.GrantedAuthority;@6d8c3052
We are not using LDAP authentication.
Here is the relevant section of config.xml:
<securityRealm class="org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm" plugin="reverse-proxy-auth-plugin@1.6.2">
<proxyTemplate/>
<inhibitInferRootDN>false</inhibitInferRootDN>
<userSearchBase></userSearchBase>
<userSearch>uid={0}</userSearch>
<updateInterval>15</updateInterval>
<forwardedUser>X-Simple-Internal-User</forwardedUser>
<retrievedUser>vanvlack@simple.com</retrievedUser>
<headerGroups></headerGroups>
<headerGroupsDelimiter>|</headerGroupsDelimiter>
<disableLdapEmailResolver>true</disableLdapEmailResolver>
<displayNameLdapAttribute></displayNameLdapAttribute>
<emailAddressLdapAttribute></emailAddressLdapAttribute>
</securityRealm>
What's interesting is the persistence of "retrievedUser", which might mean a leak of transient state.
Attached is a sanitized dump of /whoAmI.