JENKINS-30116, I identified that the notifyCommit URLs should not have security applied to them. I was worried there were other URLs that shouldn't be secured either, but was unable to find a list on the Jenkins wiki.
Today I noticed that if you click the 'Delegate to servlet container' option in the security settings, it provides a full list:
These URLs (and URLs starting with these prefixes plus a /) should require no authentication. If possible, configure your container to pass these requests straight to Jenkins without requiring login.
Can you add this to the changes you made in