Prepare SAML Single Sign On (SSO) for removal of Commons HttpClient 3.x

    • Jenkins SAML SSO Release 2.0.1

      Core still bundles a patched version of the deprecated Commons HttpClient 3.x library for use by plugins. This frequently confuses security scanners and is a maintenance liability. For this reason, we would like to remove this library from Jenkins core in jenkinsci/jenkins#7312.

      A systematic search of the plugin corpus was conducted in October 2022; this search revealed that a number of plugins have usages of Commons HttpClient 3.x. For compatibility with a future version of Jenkins core in which this library is removed, these plugins should either migrate their usage of Commons HttpClient 3.x to the Apache HttpComponents Client 4.x API plugin or Java 11 native HTTP client; or otherwise they should declare an explicit dependency on the Commons HttpClient 3.x API plugin.

      This plugin's identified usage of Commons HttpClient 3.x is as follows:

      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/auth/AuthScope via org/opensaml/saml2/metadata/provider/HTTPMetadataProvider.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/auth/AuthScope via org/opensaml/ws/soap/client/http/HttpClientBuilder.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/DefaultHttpMethodRetryHandler via org/opensaml/ws/soap/client/http/HttpClientBuilder.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/Header via org/opensaml/saml2/metadata/provider/HTTPMetadataProvider.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/Header via org/opensaml/util/resource/HttpResource.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/HostConfiguration via org/opensaml/saml2/metadata/provider/HTTPMetadataProvider.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/HostConfiguration via org/opensaml/ws/soap/client/http/HttpClientBuilder.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/HttpClient via org/opensaml/saml2/metadata/provider/FileBackedHTTPMetadataProvider.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/HttpClient via org/opensaml/saml2/metadata/provider/HTTPMetadataProvider.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/HttpClient via org/opensaml/util/resource/HttpResource.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/HttpClient via org/opensaml/ws/soap/client/http/HttpClientBuilder.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/HttpClient via org/opensaml/ws/soap/client/http/HttpSOAPClient.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/HttpConnectionManager via org/opensaml/saml2/metadata/provider/HTTPMetadataProvider.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/HttpMethod via org/opensaml/util/resource/HttpResource$ConnectionClosingInputStream.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/HttpState via org/opensaml/saml2/metadata/provider/HTTPMetadataProvider.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/HttpState via org/opensaml/ws/soap/client/http/HttpClientBuilder.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/methods/ByteArrayRequestEntity via org/opensaml/ws/soap/client/http/HttpSOAPClient.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/methods/GetMethod via org/opensaml/saml2/metadata/provider/HTTPMetadataProvider.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/methods/GetMethod via org/opensaml/util/resource/FileBackedHttpResource.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/methods/GetMethod via org/opensaml/util/resource/HttpResource.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/methods/HeadMethod via org/opensaml/util/resource/HttpResource.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/methods/PostMethod via org/opensaml/ws/soap/client/http/HttpSOAPClient.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/MultiThreadedHttpConnectionManager via org/opensaml/ws/soap/client/http/HttpClientBuilder.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/params/HttpClientParams via org/opensaml/saml2/metadata/provider/HTTPMetadataProvider.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/params/HttpClientParams via org/opensaml/ws/soap/client/http/HttpClientBuilder.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/params/HttpConnectionManagerParams via org/opensaml/saml2/metadata/provider/HTTPMetadataProvider.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/params/HttpConnectionManagerParams via org/opensaml/ws/soap/client/http/HttpClientBuilder.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/params/HttpConnectionParams via org/apache/commons/ssl/HttpSecureProtocol.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/params/HttpConnectionParams via org/opensaml/ws/soap/client/http/TLSProtocolSocketFactory.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/protocol/ProtocolSocketFactory via org/opensaml/DefaultBootstrap.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/protocol/ProtocolSocketFactory via org/opensaml/saml2/metadata/provider/HTTPMetadataProvider.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/protocol/Protocol via org/opensaml/DefaultBootstrap.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/protocol/Protocol via org/opensaml/saml2/metadata/provider/HTTPMetadataProvider.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/protocol/Protocol via org/opensaml/ws/soap/client/http/HttpClientBuilder.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/protocol/SecureProtocolSocketFactory via org/apache/commons/ssl/HttpSecureProtocol.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/protocol/SecureProtocolSocketFactory via org/opensaml/ws/soap/client/http/HttpClientBuilder.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/protocol/SecureProtocolSocketFactory via org/opensaml/ws/soap/client/http/TLSProtocolSocketFactory.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/UsernamePasswordCredentials via org/opensaml/saml2/metadata/provider/HTTPMetadataProvider.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/UsernamePasswordCredentials via org/opensaml/ws/soap/client/http/HttpClientBuilder.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/util/DateParseException via org/opensaml/util/resource/HttpResource.class
      Plugin miniorange-saml-sp:1.0.14 using org/apache/commons/httpclient/util/DateUtil via org/opensaml/util/resource/HttpResource.class
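
A usage list like the one above can be reproduced for a single plugin archive before upgrading Jenkins. The following is an added example, not code from the Jenkins project or from this plugin, and it is not the tool used for the October 2022 search: it walks the constant pool of every class file in an .hpi/.jar, including bundled jars, and emits lines in the same "Plugin … using … via …" form. The function names `legacy_refs` and `scan_archive` are hypothetical.

```python
import io
import re
import struct
import zipfile


LEGACY = re.compile(rb"org/apache/commons/httpclient/[\w/$]+")
# Sizes of fixed-length constant-pool entries, keyed by tag (class-file format).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def legacy_refs(cls):
    """Commons HttpClient 3.x class names found in one class file's constant pool."""
    (count,) = struct.unpack_from(">H", cls, 8)  # after magic, minor, major
    pos, index, found = 10, 1, set()
    while index < count:
        tag, pos = cls[pos], pos + 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then that many bytes
            # Utf8 holds class names and descriptors (and string literals,
            # so a literal containing the package path is reported too).
            (n,) = struct.unpack_from(">H", cls, pos)
            found.update(m.decode() for m in LEGACY.findall(cls[pos + 2:pos + 2 + n]))
            pos += 2 + n
        else:
            pos += FIXED[tag]  # KeyError on a tag this table does not know
        index += 2 if tag in (5, 6) else 1  # long/double take two slots
    return found


def scan_archive(data, plugin):
    """Sorted report lines for an .hpi/.jar given as bytes, recursing into bundled jars."""
    lines = set()
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            if name.endswith(".jar"):
                lines.update(scan_archive(archive.read(name), plugin))
            elif name.endswith(".class"):
                path = name.split("WEB-INF/classes/")[-1]
                if path.startswith("org/apache/commons/httpclient/"):
                    continue  # the archive's own bundled copy of the library
                body = archive.read(name)
                if body[:4] == b"\xca\xfe\xba\xbe":
                    lines.update(f"Plugin {plugin} using {ref} via {path}"
                                 for ref in legacy_refs(body))
    return sorted(lines)
```

Call it as `scan_archive(open("plugin.hpi", "rb").read(), "plugin-id:version")`, where both arguments are placeholders for your own archive and label. An empty result means no class outside the library itself names the legacy package.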

          [JENKINS-69989] Prepare SAML Single Sign On (SSO) for removal of Commons HttpClient 3.x

          Basil Crow added a comment -

          The 2.379 weekly release has shipped, and in that release Commons HttpClient 3.x is removed. If this plugin relies on Commons HttpClient 3.x, it must be adapted as described above.

          Alex DF added a comment -

          Hello and Happy New Year!

          Any news about this ticket? It is blocking when I try to update Jenkins to V2.379+.

          Mike added a comment -

          Seeing the same here with an integration with Azure AD - pretty critical.

          "A problem occurred while processing the request." upon attempt of SSO login.

          miniorange hey could we have an update about this - as above it is preventing updates to newer versions of Jenkins.

          I have tried implementing the HTTP commons 3.x plugin with Jenkins as well as installing them with apt-get into my Jenkins image and it doesn't work, so I think this is going to have to be something changed within the plugin itself.

          Basil Crow added a comment -

          Wow, this plugin is extremely out-of-date and needs a lot of changes to work on recent versions of Jenkins. Took me a few hours, but I put together what I think are the correct set of changes here: https://github.com/basil/miniorange-saml-sp-plugin/commit/ac910b6b76b600e9e720cabe81004e35cc0722c9

          I am not planning on opening a pull request because I do not use this plugin and have no way of testing it. The abovementioned changes need a lot of testing before they can be merged, so this work needs to be done by someone who actually maintains or uses this plugin.

          info miniorange added a comment -

          Hi Basil,

          Thanks for pointing out the issues and suggesting fixes.

          We appreciate the feedback and your support!

          We will be shipping out the fixes in the upcoming release of the Jenkins SAML SSO App (2.1.0).

          Stay tuned!

          Thanks,
          miniOrange Team

          info miniorange added a comment -

          Hi,

          The issue pointed out here is released in the Jenkins SAML SSO Release 2.0.1.

          Please find details here: https://github.com/jenkinsci/miniorange-saml-sp-plugin/releases/tag/miniorange-saml-sp-2.0.1

          Thanks,
          Team miniOrange

            miniorange info miniorange
            basil Basil Crow