JENKINS-55697

NegotiateSSO Plugin is not compatible with SECURITY-901 FIX (Upgrading to 2.160/2.150.2)

    • NegotiateSSO-plugin 1.2

      Since I updated to 2.150.2, the Jenkins main page displays that I'm logged in,
      but it behaves as if I'm not logged in for any further actions/pages.

      Workaround:
      Set the Java system property
      jenkins.security.seed.UserSeedProperty.disableUserSeed to true

      https://jenkins.io/doc/upgrade-guide/2.150/#upgrading-to-jenkins-lts-2-150-2


          Bryson Gibbons added a comment -

          I will need to take a careful look at this. If you have the time, can you double-check that the Active Directory plugin does not exhibit similar problems? This will be the first item to check, since negotiate-sso-plugin relies on the existing security realm (it does not contain its own security realm).

          Notably, negotiate-sso-plugin does call one of the recommended methods (source), however the current version has not been fully released (current release uses reflection to call the method). I need to do a general update and a new release, and see if that resolves the issue first, but testing will take time, which I don't have much available.

          Damian slee added a comment -

          I am also seeing this issue in the latest version. Let me know if you need someone to test the latest plugin.

          Damian slee added a comment -

          The Kerberos SSO plugin has been updated to be compatible with 2.150.2:

          https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+the+SECURITY-901+fix

          Bryson Gibbons added a comment -

          I think I have a workable (but unconventional) solution for this. Incorporating the fix as used in the KerberosSSO plugin is not possible, since I didn't have both the user info and request available in the same method; however, the dependency that provides the authentication handling (Waffle-JNA) wraps the request using a HttpServletRequestWrapper implementation that does allow another filter to capture that information. I have implemented an update that works this way, and it appears to work without issue on the Jenkins instance I use; I'm waiting for the Jenkins-CI Jenkins instance to build that pull request now.
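          To make concrete what the report and the comment above describe (the per-user seed that the SECURITY-901 fix introduced, the jenkins.security.seed.UserSeedProperty.disableUserSeed workaround, and why an SSO filter has to record the seed into the session at the point where it authenticates the user), here is an added Python model. It is not Jenkins core or plugin code; the session attribute name, the class names and the exact filter order are assumptions, and it deliberately does not reproduce the "main page still shows me logged in" detail. It only shows when a session's principal is trusted, which is the part that decides whether "further actions/pages" see an authenticated user.

```python
import secrets
from dataclasses import dataclass, field

# Session attribute name used by this model only; it is an assumption, not the
# attribute name Jenkins core uses.
SESSION_SEED_ATTR = "user-seed"


@dataclass
class User:
    """A Jenkins user with the per-user seed the SECURITY-901 fix introduced."""
    name: str
    seed: str = field(default_factory=lambda: secrets.token_hex(8))

    def renew_seed(self):
        """Rotating the seed is how existing sessions for this user get invalidated."""
        self.seed = secrets.token_hex(8)


@dataclass
class Session:
    """An HTTP session: just a bag of attributes here."""
    attrs: dict = field(default_factory=dict)


class SeedCheck:
    """Model of the check core applies before trusting a principal found in a session."""

    def __init__(self, users, disable_user_seed=False):
        self.users = {u.name: u for u in users}
        # Models jenkins.security.seed.UserSeedProperty.disableUserSeed=true
        self.disable_user_seed = disable_user_seed

    def record_authentication(self, session, user):
        """Model of what the recommended post-authentication call does:
        copy the user's current seed into the session."""
        session.attrs[SESSION_SEED_ATTR] = user.seed

    def principal_for(self, session, principal):
        """Principal the rest of the application sees for this request."""
        if principal is None:
            return "anonymous"
        if self.disable_user_seed:          # workaround: skip the seed check entirely
            return principal
        user = self.users.get(principal)
        if user is None or session.attrs.get(SESSION_SEED_ATTR) != user.seed:
            return "anonymous"              # missing or stale seed: session not trusted
        return principal


def simulate(mode, requests=3):
    """Send `requests` requests from a browser that Negotiate-authenticates as
    'alice' (constructed sample user) through a model SSO filter.

    mode: 'legacy'   - filter sets the principal but never records the seed
          'disabled' - same filter, but the disableUserSeed workaround is on
          'fixed'    - filter records the seed whenever it authenticates the user
    Returns the principal seen on each request.
    """
    alice = User("alice")
    check = SeedCheck([alice], disable_user_seed=(mode == "disabled"))
    session = Session()
    seen = []
    for _ in range(requests):
        if mode == "fixed":
            check.record_authentication(session, alice)
        seen.append(check.principal_for(session, "alice"))
    return seen


def invalidation_after_fix():
    """With the fix in place, rotating the seed still drops a session that is
    reused without re-negotiating, which is the behaviour SECURITY-901 is about."""
    alice = User("alice")
    check = SeedCheck([alice])
    session = Session()
    check.record_authentication(session, alice)
    before = check.principal_for(session, "alice")
    alice.renew_seed()
    after = check.principal_for(session, "alice")
    return before, after


if __name__ == "__main__":
    for mode in ("legacy", "disabled", "fixed"):
        print(f"{mode:8s} -> {simulate(mode)}")
    print("after seed rotation ->", invalidation_after_fix())
```

          The 'legacy' run is the reported state: the filter authenticates every request but never stores the seed, so the seed check rejects the session. The 'disabled' run is the system-property workaround, which also removes the session invalidation the fix was meant to provide. The 'fixed' run is what the plugin update does by recording the seed at authentication time; a real Negotiate filter would re-negotiate and re-record after a rotation, which is why the last function reuses the session without doing so.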

          Bryson Gibbons added a comment -

          So, if some of you want to also test the changes, you should be able to download a snapshot build from https://ci.jenkins.io/blue/organizations/jenkins/Plugins%2Fnegotiatesso-plugin/detail/PR-2/1/artifacts (I don't know when the artifacts will expire)

          Damian slee added a comment -

          I've done a quick test of the artifact on the latest war. Seems to be working after manually updating the NegotiateSSO.hpi.

          thanks,

          Bryson Gibbons added a comment -

          Given that no further comments have been made, I have released this update as NegotiateSSO 1.2

          ethorsa added a comment -

          I recently updated two Jenkins instances hosted on Windows with Negotiate SSO 1.3 and both work fine.


            farmgeek4life Bryson Gibbons
            marci Sebők Márton László
            Votes: 3
            Watchers: 5
