Several authentication-related plugins do not work on Jenkins releases that contain the SECURITY-901 fix (2.150.2 and 2.160). The fix requires that a security realm call SecurityListener#authenticated or SecurityListener#loggedIn after each successful authentication; this is what stores the per-user seed in the new HTTP session. If a security realm does neither, the session lacks the seed, Jenkins invalidates it immediately, and the user is logged out again (typically seen as a redirect loop back to the login page).
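The following is an added example, not code from this page or from any of the plugins listed below. It shows where the call belongs in an SSO-style realm that completes login in its own Stapler handler: such a realm sets the Authentication itself, so nothing in core fires the listener for it, and it has to call SecurityListener directly. The package, class, the identity-provider URL and the validateCallback placeholder are hypothetical; the Acegi-based SecurityRealm and SecurityListener APIs are those of Jenkins 2.150.x. The Descriptor and Jelly configuration a real plugin needs are omitted.

```java
// Added example; hypothetical realm, not the code of any listed plugin.
package org.example.jenkins.sso;

import hudson.security.SecurityRealm;
import jenkins.model.Jenkins;
import jenkins.security.SecurityListener;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;

import java.io.IOException;

/** Minimal SSO-style realm that establishes the Jenkins session itself. */
public class ExampleSsoSecurityRealm extends SecurityRealm {

    /** Standard form-login path; an SSO realm only needs the UserDetailsService part. */
    @Override
    public SecurityComponents createSecurityComponents() {
        AuthenticationManager manager = authentication -> {
            throw new BadCredentialsException("Log in via the identity provider");
        };
        UserDetailsService userDetails = ExampleSsoSecurityRealm::userFor;
        return new SecurityComponents(manager, userDetails);
    }

    @Override
    public String getLoginUrl() {
        return "securityRealm/commenceLogin";
    }

    /** Send the browser to the (hypothetical) identity provider. */
    public void doCommenceLogin(StaplerResponse rsp) throws IOException {
        rsp.sendRedirect2("https://idp.example/authorize?redirect_uri="
                + Jenkins.get().getRootUrl() + "securityRealm/finishLogin");
    }

    /**
     * Callback from the identity provider. Because this handler sets the
     * Authentication on its own, it must also notify SecurityListener;
     * without that call the user seed is never stored in the session and
     * the SECURITY-901 fix invalidates the session on the next request.
     */
    public void doFinishLogin(StaplerRequest req, StaplerResponse rsp) throws IOException {
        String username = validateCallback(req); // placeholder for real token verification
        if (username == null) {
            rsp.sendError(403, "SSO callback rejected");
            return;
        }
        UserDetails details = userFor(username);
        Authentication auth = new UsernamePasswordAuthenticationToken(
                details, "", details.getAuthorities());
        SecurityContextHolder.getContext().setAuthentication(auth);

        // The call the affected plugins were missing. It must run inside the
        // Stapler request so the listener can reach the HTTP session.
        // SecurityListener.fireLoggedIn(username) is the alternative when
        // only a username, not a UserDetails, is available here.
        SecurityListener.fireAuthenticated(details);

        rsp.sendRedirect2(Jenkins.get().getRootUrl());
    }

    /** Every SSO user gets the "authenticated" authority; no password is stored. */
    static UserDetails userFor(String username) {
        GrantedAuthority[] authorities = { AUTHENTICATED_AUTHORITY };
        return new User(username, "", true, true, true, true, authorities);
    }

    /** Hypothetical stand-in: a real realm verifies the IdP's signed response. */
    private static String validateCallback(StaplerRequest req) {
        String token = req.getParameter("token");
        return (token != null && token.startsWith("valid:")) ? token.substring(6) : null;
    }
}
```

The order matters: set the Authentication first, then fire the listener, and do both while the Stapler request (and therefore the HTTP session) is current. A quick check after upgrading a realm is to log in and confirm that the second request is still authenticated rather than redirected to the login page.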
To disable this security fix when using a security realm that does not call SecurityListener as described above, set the Java system property jenkins.security.seed.UserSeedProperty.disableUserSeed to true (for example by passing -Djenkins.security.seed.UserSeedProperty.disableUserSeed=true on the JVM command line that starts Jenkins). Treat this as a stopgap: update to a fixed plugin release from the table below as soon as one exists, then remove the property again.
Unsafe
Setting this system property undoes the additional protection provided by the security fix: the per-user session seed is no longer recorded, so Jenkins loses its ability to invalidate a user's existing sessions through that seed.
Further references
Affected plugins
The table below lists plugins that were affected by the SECURITY-901 fix in Jenkins 2.150.2 and 2.160. The "Status" column reflects the current state. Note that this list is not exhaustive.
If you encounter a plugin that no longer works as expected because of the fix, please add it to the list. More importantly, please file a bug report, if one doesn't exist, to help ensure that the appropriate plugin maintainer is informed.
Plugin | Issue | Pull request | Status
---|---|---|---
Azure AD | | https://github.com/jenkinsci/azure-ad-plugin/pull/35 | Fixed in 0.3.2 (2019-01-18)
Bitbucket OAuth | JENKINS-55668 (Resolved): Unable to login with Bitbucket Oauth plugin after Jenkins update (2.150.2); https://github.com/mallowlabs/bitbucket-oauth-plugin/issues/18 | | Fixed in 0.9 (2019-01-19)
CAS | | https://github.com/jenkinsci/cas-plugin/pull/2 | Fixed in 1.4.3 (2019-01-21)
CollabNet | JENKINS-55892 (In Review): CollabNet-Plugin is not compatible with SECURITY-901 fix (Upgrading to 2.160) | https://github.com/jenkinsci/collabnet-plugin/pull/27 | PR proposed (untested), in review
Google Login | n/a | n/a | Compatible since 1.4 (2018-05-30)
Kerberos SSO | JENKINS-55698 (Resolved): SSO + CRSF causes 403 errors | https://github.com/jenkinsci/kerberos-sso-plugin/pull/13 | Fixed in 1.5 (2019-02-14)
Keycloak Authentication | JENKINS-55669 (Resolved): Auth plugin doesn't work after upgrade to Jenkins 2.150.2 | https://github.com/jenkinsci/keycloak-plugin/pull/5 | Fixed in 2.3.0 (2019-01-20)
OpenID | JENKINS-55683 (Resolved): Endless loop on login when using OpenID plugin after upgrading to 2.160 / 2.150.2, preventing user authentication | https://github.com/jenkinsci/openid-plugin/pull/14 | Fixed in 2.3 (2019-01-25)
OpenID Connect Authentication | JENKINS-55654 (Resolved): infinite redirect loop when auth provider is oidc (after update to 2.160) | https://github.com/jenkinsci/oic-auth-plugin/pull/56 | Fixed in 1.5 (2019-01-20)
Windows Negotiate SSO | JENKINS-55697 (Resolved): NegotiateSSO Plugin is not compatible with SECURITY-901 FIX (Upgrading to 2.160/2.150.2) | https://github.com/jenkinsci/negotiatesso-plugin/pull/2 | Fixed in 1.2 (2019-03-06)