JENKINS-25144

Basic Authentication in combination with Session is broken

      Description

      BasicAuthentication in combination with a sessionId is broken - after the first login, following page refreshes fail with bad credentials.

      Here is my analysis (I commented this on the corresponding commit on GitHub as well):
      The BasicHeaderProcessor expects a non-null Authentication object

      From BasicHeaderProcessor:

      Authentication auth = a.authenticate(req, rsp, username, password);
      if (auth!=null) {
          LOGGER.log(FINE, "Request authenticated as {0} by {1}", new Object[]{auth,a});
          success(req, rsp, chain, auth);
          return;
      }

      From BasicHeaderRealPasswordAuthenticator:

      if (!authenticationIsRequired(username))
          return null;

      It seems that you need to return the existing authentication Object from BasicHeaderRealPasswordAuthenticator and not null if the current authentication is already valid...?

      Anyway, since we are running Jenkins through a proxy with basicAuth, the current version is completely broken for us...

      Corresponding Github commit: https://github.com/jenkinsci/jenkins/commit/b2a98f6bc6924d1fd25f7da583888c2f4f36d83c
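
A self-contained Java model of the interaction described in the report above, added here as an illustration; it is not Jenkins source code and not the reporter's. The class and field names, the string standing in for the Authentication object, the constructed credentials and the "401" fall-through in `process` are assumptions chosen to match the reported symptom.

```java
import java.util.List;

// Simplified model of the flow in the report; not Jenkins source. All names are hypothetical.
public class BasicAuthSessionModel {

    /** Returns the authenticated principal, or null for "did not authenticate this request". */
    interface Authenticator {
        String authenticate(String sessionUser, String username, String password);
    }

    // Mirrors the quoted check: no re-authentication when the session already holds this user.
    static boolean authenticationIsRequired(String sessionUser, String username) {
        return sessionUser == null || !sessionUser.equals(username);
    }

    static boolean passwordMatches(String username, String password) {
        return "alice".equals(username) && "s3cret".equals(password); // constructed credentials
    }

    // Behaviour described in the report: null when the session is already valid.
    static final Authenticator RETURNS_NULL = (sessionUser, u, p) -> {
        if (!authenticationIsRequired(sessionUser, u)) return null;
        return passwordMatches(u, p) ? u : null;
    };

    // The reporter's suggestion: hand back the existing authentication instead of null.
    static final Authenticator RETURNS_EXISTING = (sessionUser, u, p) -> {
        if (!authenticationIsRequired(sessionUser, u)) return sessionUser;
        return passwordMatches(u, p) ? u : null;
    };

    // Processor side: null from every authenticator is treated as a failed login (assumed).
    static String process(List<Authenticator> chain, String sessionUser, String u, String p) {
        for (Authenticator a : chain) {
            String auth = a.authenticate(sessionUser, u, p);
            if (auth != null) return "200 authenticated as " + auth;
        }
        return "401 bad credentials";
    }

    public static void main(String[] args) {
        for (Authenticator a : List.of(RETURNS_NULL, RETURNS_EXISTING)) {
            System.out.println(process(List.of(a), null, "alice", "s3cret"));    // first request, no session
            System.out.println(process(List.of(a), "alice", "alice", "s3cret")); // refresh with session
        }
    }
}
```

In this model the second variant does not recheck the password on the refresh; it relies on the session established by the first request.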

            Activity

            cschoell Christof Schoell created issue -
            cschoell Christof Schoell made changes -
            Field Original Value New Value
            Priority Critical [ 2 ] Blocker [ 1 ]
            oleg_nenashev Oleg Nenashev made changes -
            Labels Authentication BasicAuth Authentication BasicAuth security
            Assignee Christof Schoell [ cschoell ]
            Component/s core [ 15593 ]
            Component/s security [ 15508 ]
            oleg_nenashev Oleg Nenashev made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            cschoell Christof Schoell made changes -
            Remote Link This issue links to "PR-1427 (Web Link)" [ 11805 ]
            cschoell Christof Schoell made changes -
            Status In Progress [ 3 ] Open [ 1 ]
            jglick Jesse Glick made changes -
            Labels Authentication BasicAuth security Authentication BasicAuth regression security
            jglick Jesse Glick made changes -
            Labels Authentication BasicAuth regression security Authentication BasicAuth lts-candidate regression security
            uncletall uncletall made changes -
            Link This issue is related to JENKINS-25180 [ JENKINS-25180 ]
            andreasmandel Andreas Mandel made changes -
            Assignee Christof Schoell [ cschoell ] andreasmandel [ andreasmandel ]
            andreasmandel Andreas Mandel made changes -
            Assignee andreasmandel [ andreasmandel ]
            cschoell Christof Schoell made changes -
            Assignee Kohsuke Kawaguchi [ kohsuke ]
            cschoell Christof Schoell made changes -
            Assignee Kohsuke Kawaguchi [ kohsuke ]
            cschoell Christof Schoell made changes -
            Assignee Oleg Nenashev [ oleg_nenashev ]
            scm_issue_link SCM/JIRA link daemon made changes -
            Status Open [ 1 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            olivergondza Oliver Gondža made changes -
            Labels Authentication BasicAuth lts-candidate regression security 1.580.3-fixed Authentication BasicAuth regression security
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 159052 ] JNJira + In-Review [ 195978 ]

              People

              • Assignee:
                oleg_nenashev Oleg Nenashev
                Reporter:
                cschoell Christof Schoell
              • Votes:
                8
                Watchers:
                14