Once this plugin is configured, I am no longer able to hit the notifyCommit URLs. Instead I get "This request requires HTTP authentication."
Based on the git plugin documentation, these URLs should not be secured:
this URL doesn't require authentication even for secured Jenkins, because the server doesn't directly use anything that the client is sending. It runs polling to verify that there is a change, before it actually starts a build.
I believe both svn and mercurial also support push notifications. I'm not aware of any other Jenkins URLs that need to be excluded from the security filter, but others may exist.