Daniel Beck commented on New Feature JENKINS-18884

Possible workaround: Hide Jenkins behind a reverse proxy (e.g. Apache). Configure it to listen only on the 127.0.0.1 interface (--httpListenAddress=127.0.0.1). Forbid access to people/asynchPeople URLs. Those links will then result in 403 Forbidden.

Sample Apache httpd.conf excerpt, assuming reverse proxy and Jenkins are running on the same host, Jenkins on port 8080, Apache on port 80:

<VirtualHost *:80>
        RewriteEngine On
        # change to actual server name
        ServerName jenkins.example.org
        RewriteRule /asynchPeople/ - [F]
        RewriteRule /people/ - [F]
        ProxyPass         /  http://localhost:8080/
        ProxyPassReverse  /  http://localhost:8080/
        ProxyRequests     Off
</VirtualHost>

Of course, this simple pattern will prohibit access to e.g. the job named 'people' as well. Haven't tested this with all possible Jenkins URLs, making sure it works for those is left as an exercise to the reader.

This should keep at least most of the users out, even if it's likely not a 100% solution.
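
One way to run the check the comment leaves to the reader, as an added example that is not part of the original comment or of Jenkins: it models the two RewriteRule patterns as unanchored regexes and compares them with a hypothetical anchored variant over constructed sample paths. The anchored rule, the `/view/All/people/` path and the wanted decisions are assumptions.

```python
import re

# RewriteRule patterns from the httpd.conf excerpt above. In virtual-host
# context mod_rewrite matches them, unanchored, against the URL path.
PAGE_RULES = [r"/asynchPeople/", r"/people/"]

# Hypothetical tighter variant (an assumption, not from the original comment):
# anchored to the start of the path, so only the top-level pages match.
ANCHORED_RULES = [r"^/(asynchPeople|people)/"]

# Constructed sample paths with the decision the operator wants (True = 403).
WANTED = {
    "/people/": True,
    "/asynchPeople/": True,
    "/asynchPeople/api/xml": True,
    "/view/All/people/": True,        # assumed view-scoped people page
    "/job/people/": False,            # a job that happens to be named 'people'
    "/job/people/lastBuild/": False,
    "/job/app/": False,
}


def is_forbidden(rules, path):
    """Return True if any rule would answer 403 for this URL path."""
    return any(re.search(rule, path) for rule in rules)


def audit(rules, wanted=WANTED):
    """Compare a rule set with the wanted decisions.

    Returns (overblocked, missed): paths forbidden but wanted open, and
    paths left open but wanted forbidden.
    """
    overblocked = [p for p, block in wanted.items()
                   if not block and is_forbidden(rules, p)]
    missed = [p for p, block in wanted.items()
              if block and not is_forbidden(rules, p)]
    return overblocked, missed


if __name__ == "__main__":
    for name, rules in (("page rules", PAGE_RULES), ("anchored", ANCHORED_RULES)):
        overblocked, missed = audit(rules)
        print(f"{name}: overblocked={overblocked} missed={missed}")
```

Extend `WANTED` with the paths of your own instance before changing the rules; an empty pair of lists means the rule set matches the decisions you listed, nothing more.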
