Details
Type: Bug
Status: Resolved
Priority: Minor
Resolution: Fixed
Component/s: authorize-project-plugin, core
Environment: Jenkins >=2.150.2, authorize-project-plugin v1.3.0
Released As: Jenkins 2.210
Description
Actual behaviour
As user "A", when configuring authorization using the "Run as Specific User" strategy to run a job as user "B", user "A" is logged out after successful authentication with the password of user "B".
Expected behaviour
User "A" is still logged in.
Root Cause Analysis
This issue is present starting with Jenkins 2.150.2, which implemented new security measures for user sessions (see changelog https://jenkins.io/changelog-stable/#v2.150.2). It seems that the following call invalidates the current user session:
// authorize-project: verify user B's password by authenticating as B
Jenkins.getActiveInstance().getSecurityRealm().getSecurityComponents().manager.authenticate(
        new UsernamePasswordAuthenticationToken(userId, password)
);
I've isolated this problem to the code in UserSeedSecurityListener.authenticated(), which overwrites the current session's user seed with the authorized user's seed instead. This seed is not restored after the build completes (or ever), so essentially you end up with the authorized user's session, which doesn't work.
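A toy model of the mechanism described in the root cause analysis, added here as an illustration and not Jenkins or plugin code: the session keeps a copy of the user's seed, every request compares it, and a listener that rewrites the seed on any authentication event logs the original user out. All names (UserSeedStore, Session, seed_listener_*, simulate) are invented, and the scoped listener is one assumed mitigation, not necessarily the fix that shipped.

```python
import secrets

class UserSeedStore:
    """Per-user random seed; regenerating it logs that user out everywhere."""
    def __init__(self):
        self._seeds = {}

    def seed_for(self, user):
        return self._seeds.setdefault(user, secrets.token_hex(8))

class Session:
    """One browser session: who is logged in and the seed copied at login."""
    def __init__(self):
        self.user = None
        self.seed = None

def on_login(session, user, store):
    session.user = user
    session.seed = store.seed_for(user)

def is_still_authenticated(session, store):
    """Per-request check: the session's seed must still match the user's
    current seed, otherwise the session is treated as logged out."""
    return session.user is not None and session.seed == store.seed_for(session.user)

def seed_listener_buggy(session, authenticated_user, store):
    """Reproduces the report: any authentication event, including the plugin's
    password check for user B, overwrites the requester's session seed."""
    session.seed = store.seed_for(authenticated_user)

def seed_listener_scoped(session, authenticated_user, store):
    """One possible mitigation (an assumption, not necessarily the shipped fix):
    only refresh the seed of the user who actually owns this session."""
    if authenticated_user == session.user:
        session.seed = store.seed_for(authenticated_user)

def run_as_specific_user(session, target_user, store, listener):
    """Model of the 'Run as Specific User' check: authenticate the target user
    without replacing the requester's login; this fires the seed listener."""
    listener(session, target_user, store)  # password verification is out of scope

def simulate(listener):
    """A logs in, configures a job to run as B; returns whether A stays logged in."""
    store, session = UserSeedStore(), Session()
    on_login(session, "A", store)
    run_as_specific_user(session, "B", store, listener)
    return is_still_authenticated(session, store)
```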