JENKINS-32197: More URLs that NegSecFilter should not secure

Description

In JENKINS-30116, I identified that the notifyCommit URLs should not have security applied to them. I was worried there were other URLs that shouldn't be secured either, but was unable to find a list on the Jenkins wiki.

Today I noticed that if you click the 'Delegate to servlet container' option in the security settings, it provides a full list:

These URLs (and URLs starting with these prefixes plus a /) should require no authentication. If possible, configure your container to pass these requests straight to Jenkins without requiring login.

cli
git
jnlpJars
subversion
whoAmI

Can you add this to the changes you made in JENKINS-30116?

Activity

farmgeek4life Bryson Gibbons added a comment -

Thank you; I have seen a few others beyond these as I have looked at other plugins that were possibly of interest in my instance; these are definitely not in the ones I found, nor had I seen them elsewhere.

scm_issue_link SCM/JIRA link daemon added a comment -

Code changed in jenkins
User: FarmGeek4Life
Path:
src/main/java/com/github/farmgeek4life/jenkins/negotiatesso/NegSecFilter.java
http://jenkins-ci.org/commit/negotiate-sso-plugin/36840afbb3de49155c8e1b2b92bfb2602413bf57
Log:
[FIXED JENKINS-32197] Add paths listed by the delegate servlet container to the "non-authenticated" paths

Improved the checking mechanism
Also added "bitbucket-hook"

Compare: https://github.com/jenkinsci/negotiate-sso-plugin/compare/e2aadda93a73...36840afbb3de

farmgeek4life Bryson Gibbons added a comment - edited

I added the specified paths, as well as "bitbucket-hook" to the list of paths not authenticated. I also changed the mechanism that checks for these paths, since I was previously testing for

*/notifyCommit*

which could be dangerous (a carefully named build job?).

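The two checks discussed in this issue, side by side, as an added example written for this page (it is not the plugin's own NegSecFilter code). The exempt list combines the five paths quoted from the 'Delegate to servlet container' screen with the two the fix commit mentions; the context path "/jenkins" and the sample request URIs are constructed for the comparison, and the job name "notifyCommit" is the kind of "carefully named build job" the last comment warns about.

```java
import java.util.Arrays;
import java.util.List;

// Added example, not code from the negotiate-sso plugin. It contrasts a
// substring-style test (the glob */notifyCommit* reduces to "does the URI
// contain /notifyCommit") with a check that exempts only the listed paths,
// matched as a whole leading path segment or that segment followed by "/".
public class ExemptPathCheck {

    // Paths the issue says need no authentication, plus the two named in the
    // fix commit. Illustrative list; the plugin's real list is in NegSecFilter.java.
    static final List<String> EXEMPT_PREFIXES = Arrays.asList(
            "cli", "git", "jnlpJars", "subversion", "whoAmI",
            "notifyCommit", "bitbucket-hook");

    // The risky form: anything containing "/notifyCommit" is treated as exempt,
    // including a job URL whose job name happens to be "notifyCommit".
    static boolean substringMatch(String requestUri) {
        return requestUri.contains("/notifyCommit");
    }

    // The safer form: strip the servlet context path and any query string,
    // then require the remainder to equal an exempt prefix exactly or to start
    // with that prefix plus "/". It works on the path as the container already
    // normalized it and does not collapse ".." segments itself.
    static boolean isExempt(String contextPath, String requestUri) {
        String path = requestUri;
        if (!contextPath.isEmpty()
                && (path.equals(contextPath) || path.startsWith(contextPath + "/"))) {
            path = path.substring(contextPath.length());
        }
        int query = path.indexOf('?');
        if (query >= 0) {
            path = path.substring(0, query);
        }
        if (path.startsWith("/")) {
            path = path.substring(1);
        }
        for (String prefix : EXEMPT_PREFIXES) {
            if (path.equals(prefix) || path.startsWith(prefix + "/")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String context = "/jenkins"; // assumed deployment context path
        // Constructed request URIs for the comparison.
        String[] uris = {
            "/jenkins/git/notifyCommit?url=http://example.invalid/repo.git",
            "/jenkins/whoAmI",
            "/jenkins/job/notifyCommit/build",  // a job that happens to be named notifyCommit
            "/jenkins/gitlab/ping",             // shares only a string prefix with "git"
            "/jenkins/view/All/",
        };
        System.out.printf("%-62s %-10s %-10s%n", "request URI", "substring", "prefix");
        for (String uri : uris) {
            System.out.printf("%-62s %-10b %-10b%n",
                    uri, substringMatch(uri), isExempt(context, uri));
        }
    }
}
```

Run with `javac ExemptPathCheck.java && java ExemptPathCheck`. The third row is the point of the issue: the substring test lets the job URL through unauthenticated, while the segment-prefix check does not. The fourth row shows why the prefix is compared with a trailing "/" rather than as a bare string prefix: "gitlab" must not inherit the exemption granted to "git".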

People

Assignee: farmgeek4life Bryson Gibbons
Reporter: pmv pmv
Votes: 0
Watchers: 3
