Hi Jenkins Devs,

After the last Jenkins pre-auth RCE issue, I've been exploring adding an auth layer in front of Jenkins. Naturally Apache mod_proxy and some basic auth should be a simple solution: https://wiki.jenkins-ci.org/display/JENKINS/Apache+frontend+for+security

However this interferes with:

- /jenkins-master/core/src/main/java/hudson/security/BasicAuthenticationFilter.java
- /jenkins-master/war/src/main/webapp/WEB-INF/security/SecurityFilters.groovy

So the solution is to remove this filter, fix this design, or squash the basic auth headers after Apache has processed them but before proxying to Jenkins: http://stackoverflow.com/questions/4428903/remove-basic-authentication-header-with-apache-mod-proxy

Since other users should be considering the same, could we:

1. Get something better documented than https://wiki.jenkins-ci.org/display/JENKINS/Apache+frontend+for+security that shows how to do basic auth and still enable Jenkins' auth.
2. Get the expert devs to consider a change that won't require messing with auth headers or even a mod_proxy instance?
3. Restructure Jenkins auth so the option exists to block 99.8% of Jenkins' attack surface using built-in Jenkins auth. Currently you can enable auth and enable all the security you want, but Jenkins still exposes too much functionality/attack surface.

--
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/25b0c1e2-b3f6-45ee-9efb-1eeae4fd3d06%40googlegroups.com.
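The Apache arrangement the post describes (gateway basic auth in front of Jenkins, with the gateway's Authorization header stripped before the request is proxied so that Jenkins' BasicAuthenticationFilter does not see it), as an added configuration example that is not part of the original message, the Jenkins wiki page, or the Jenkins project's own files. The listen address 127.0.0.1:8080, the /jenkins context path and the htpasswd location /etc/apache2/jenkins.htpasswd are placeholder assumptions; mod_proxy, mod_proxy_http, mod_headers and mod_auth_basic must be loaded.

```apache
# Added example: Apache 2.4 reverse proxy that requires its own HTTP Basic
# credential and then discards that credential before forwarding to Jenkins.
# All hostnames, ports and paths below are assumed placeholders.

# Never act as a forward proxy; only the explicit ProxyPass below is allowed.
ProxyRequests Off
ProxyPreserveHost On

# Jenkins URLs can contain encoded slashes (e.g. branch names); forward them unchanged.
AllowEncodedSlashes NoDecode

<Location /jenkins>
    # Gateway authentication handled entirely by Apache.
    AuthType Basic
    AuthName "Jenkins gateway"
    AuthUserFile /etc/apache2/jenkins.htpasswd
    Require valid-user

    # mod_headers edits the request in the fixup phase, i.e. after mod_auth_basic
    # has already checked the credential, so the header is gone by the time the
    # request is proxied. Without this line Jenkins' BasicAuthenticationFilter
    # would try to log in with the gateway user and fail, which is the conflict
    # the post describes.
    RequestHeader unset Authorization

    # "nocanon" passes the URL path to the backend without re-canonicalising it,
    # which Jenkins relies on. The path argument is omitted because ProxyPass
    # sits inside a <Location> block.
    ProxyPass http://127.0.0.1:8080/jenkins nocanon
    ProxyPassReverse http://127.0.0.1:8080/jenkins
    ProxyPassReverse http://localhost:8080/jenkins
</Location>
```

With this in place, interactive users authenticate twice: once to Apache (Basic) and once to Jenkins' own login form, which keeps Jenkins' authorization matrix intact behind the gateway. The trade-off is that a request carries only one Authorization header, so clients that rely on Jenkins HTTP Basic (API-token scripts, for example) cannot present both credentials through the same path; such clients need a separately protected route or a different gateway mechanism such as client certificates.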
