UnprotectedRootAction doesn't work for /github-webhook/


      At the moment the github plugin has its github-webhook marked as being an UnprotectedRootAction, which should mean that requests can be made to http://jenkins/github-webhook/ and, even if security is enabled in Jenkins, they should make it through.

      To see this bug in action:

      • Install jenkins
      • Install the github plugin.
      • Enable security, switch to matrix security, add a group called "authenticated" and grant them administer permission, remove all permissions from anonymous.
      • Attempt to access http://jenkins/github-webhook/ in a browser that isn't logged into jenkins and you get prompted to login.

      Jenkins has special support for some URL paths in jenkins.model.Jenkins.getTarget() (eg http://jenkins/whoAmI), and it also contains support for UnprotectedRootAction.

      The problem is that the TokenList class, which parses the URL and then rebuilds it when Stapler.getCurrentRequest().getRestOfPath() is called, drops all trailing slashes from the returned path. So even if the request path ended /github-webhook/, the value returned from getRestOfPath() is always /github-webhook.

      This then fails to match the test which requires the trailing slash.
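The mismatch described in this report, as an added example that is not Jenkins or Stapler code and not part of the original report: `restOfPath` is a simplified stand-in for the tokenise-and-rebuild behaviour, and the three matchers compare the strict check, a tolerant check that keeps a path-segment boundary, and an over-broad prefix check. All class and method names and the `/github-webhook-admin/` path are hypothetical.

```java
public class TrailingSlashDemo {
    // Simplified stand-in (assumption) for the tokenise-and-rebuild step:
    // split on '/', then join the non-empty tokens. Trailing slashes are lost.
    static String restOfPath(String requestPath) {
        StringBuilder sb = new StringBuilder();
        for (String token : requestPath.split("/")) {
            if (!token.isEmpty()) {
                sb.append('/').append(token);
            }
        }
        return sb.toString();
    }

    // The check as the report describes it: a trailing slash is required,
    // so a rebuilt path of exactly "/github-webhook" never matches.
    static boolean strictMatch(String rest, String urlName) {
        return rest.startsWith("/" + urlName + "/");
    }

    // Tolerant check: the exact name, or the name followed by a '/' boundary.
    static boolean boundaryMatch(String rest, String urlName) {
        String base = "/" + urlName;
        return rest.equals(base) || rest.startsWith(base + "/");
    }

    // Over-broad check to avoid: it also exempts sibling paths that merely
    // share the prefix, widening what is reachable without authentication.
    static boolean prefixMatch(String rest, String urlName) {
        return rest.startsWith("/" + urlName);
    }

    public static void main(String[] args) {
        String name = "github-webhook";
        // Constructed sample request paths.
        String[] paths = {
            "/github-webhook/", "/github-webhook",
            "/github-webhook/x", "/github-webhook-admin/"
        };
        for (String p : paths) {
            String rest = restOfPath(p);
            System.out.printf("%-24s rest=%-22s strict=%-5b boundary=%-5b prefix=%b%n",
                p, rest, strictMatch(rest, name),
                boundaryMatch(rest, name), prefixMatch(rest, name));
        }
    }
}
```

Any relaxation of an unauthenticated-path check should keep the segment boundary, as `boundaryMatch` does, so that only the intended action is exempted from the login requirement.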

            Assignee:
            Unassigned
            Reporter:
            Matthew Buckett
            Archiver:
            Jenkins Service Account
