[JENKINS-55698] SSO + CRSF causes 403 errors - Jenkins Jira

XML

Word

Printable

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Minor
Resolution: Fixed
Component/s: kerberos-sso-plugin
Labels:
- CSRF
- SSO
Environment:
Jenkins 2.160
Kerberos SSO plugin 1.4

Similar Issues:

Show
Released As:
1.5

Description

We are running jenkins behind an apache proxy

Since the latest update, the kerberos sso plugin will cause issues related to the CSRF security policy that is enabled by default.

If we only disable the Kerberos SSO, and log in manually using LDAP credentials, everything works as expected.

If we only disable the CSRF Protection, and login using SSO, everything works as expected

(besides a remote API call, that requires CSRF to be enabled)

But when both CSRF and SSO are enabled, the automatic login works perfectly.

But the moment you try to do a form submit, like starting a job, we will get a 403 - Forbidden error.

This has been working perfectly for a few years. So a recent update broke this.

Perhaps the SSO plugin needs an update, related to another recent change in how CSRF is handled ?

Attachments

Issue Links

is duplicated by

JENKINS-55974 "No valid crumb was included in the request" when running behind nginx (since recent update)

Resolved

Activity

Ascending order - Click to sort in descending order

Koen Dierckx added a comment - 2019-01-21 14:58

https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+the+SECURITY-901+fix

This is the cause, by adding the jenkins.security.seed.UserSeedProperty.disableUserSeed to true, everything works again.

Hopefully this helps in updating the plugin

Koen Dierckx added a comment - 2019-01-21 14:58 https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+the+SECURITY-901+fix This is the cause, by adding the jenkins.security.seed.UserSeedProperty.disableUserSeed to true, everything works again. Hopefully this helps in updating the plugin

Peter Nordquist added a comment - 2019-01-21 19:26

In my instance with kerberos-sso 1.2, the incompatibility with SECURITY-901 manifests as a redirect loop. I've been unable to upgrade to 1.4 due to ~~JENKINS-44484~~ but I'll test it on a separate instance.

Peter Nordquist added a comment - 2019-01-21 19:26 In my instance with kerberos-sso 1.2, the incompatibility with SECURITY-901 manifests as a redirect loop. I've been unable to upgrade to 1.4 due to JENKINS-44484 but I'll test it on a separate instance.

Oliver Gondža added a comment - 2019-02-04 06:26

Thank you both for addressing this issue. I am getting the PR verification ready to test against affected Jenkins version in https://github.com/jenkinsci/kerberos-sso-plugin/pull/12

Oliver Gondža added a comment - 2019-02-04 06:26 Thank you both for addressing this issue. I am getting the PR verification ready to test against affected Jenkins version in https://github.com/jenkinsci/kerberos-sso-plugin/pull/12

Oliver Gondža added a comment - 2019-02-04 09:39

I have merged the PR even though the tests against 1.150.2 are not passing yet. It is the only way for you to get the CI builds on never Jenkins version.

Oliver Gondža added a comment - 2019-02-04 09:39 I have merged the PR even though the tests against 1.150.2 are not passing yet. It is the only way for you to get the CI builds on never Jenkins version.

Oliver Gondža added a comment - 2019-02-14 13:00

Fix released as 1.5

Oliver Gondža added a comment - 2019-02-14 13:00 Fix released as 1.5

People

Assignee:: Peter Nordquist

Reporter:: Koen Dierckx

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2019-01-21 11:54

Updated:: 2019-02-15 20:46

Resolved:: 2019-02-14 13:00