[JIRA] (JENKINS-32797) Access to check for unprotected/never secured paths

2016-12-19 Thread o.v.nenas...@gmail.com (JIRA)
Oleg Nenashev resolved as Fixed

Released in jenkins-2.37

Jenkins / JENKINS-32797
Access to check for unprotected/never secured paths

Change By: Oleg Nenashev
Status: Open → Resolved
Resolution: Fixed

This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)

-- 
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
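
How a servlet-filter authentication plugin could call the method this issue added to core, `Jenkins.isSubjectToMandatoryReadPermissionCheck(restOfPath)` (name taken from the commit notification in this thread), before it starts its handshake. This is an added example, not code from Jenkins core or from either plugin; the class name, the `authenticate` hook and the way `restOfPath` is derived from the request URI are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import jenkins.model.Jenkins;

/** Hypothetical SSO filter base class (added example, not plugin or core code). */
public abstract class PathAwareSsoFilter implements Filter {

    /** Hypothetical hook for the plugin's real Negotiate/Kerberos handshake. */
    protected abstract void authenticate(HttpServletRequest req, ServletResponse rsp,
            FilterChain chain) throws IOException, ServletException;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        if (mustAuthenticate(req)) {
            authenticate(req, response, chain);   // may answer 401 and flush the response
        } else {
            chain.doFilter(request, response);    // core says no mandatory Read check here
        }
    }

    /** True unless core says the path is exempt; every doubtful case fails closed. */
    static boolean mustAuthenticate(HttpServletRequest req) {
        Jenkins jenkins = Jenkins.getInstanceOrNull();
        if (jenkins == null) {
            return true; // Jenkins not started yet or shutting down
        }
        String rest = restOfPath(req.getRequestURI(), req.getContextPath());
        return rest == null || jenkins.isSubjectToMandatoryReadPermissionCheck(rest);
    }

    /**
     * Stapler has not seen the request while it is still in the filter chain, so the
     * rest-of-path is derived from the raw URI. Assumption: the request URI minus the
     * context path is what core expects. Returns null when that cannot be done.
     */
    static String restOfPath(String requestUri, String contextPath) {
        if (requestUri == null || contextPath == null || !requestUri.startsWith(contextPath)) {
            return null;
        }
        return requestUri.substring(contextPath.length());
    }
}
```

Asking core for the decision on every request keeps the exemption list in one place, so a filter no longer carries its own copy that can drift from what Jenkins actually leaves unauthenticated.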


[JIRA] (JENKINS-32797) Access to check for unprotected/never secured paths

2016-12-16 Thread scm_issue_l...@java.net (JIRA)
SCM/JIRA link daemon commented on JENKINS-32797

Re: Access to check for unprotected/never secured paths

Code changed in jenkins
User: Bryson Gibbons
Path:
 core/src/main/java/jenkins/model/Jenkins.java
http://jenkins-ci.org/commit/jenkins/0060335b8cf6d36641bd610817bae98873c32746
Log:
 JENKINS-32797 Break the catch clause contents of Jenkins.getTarget(… (#2652)

JENKINS-32797 Break the catch clause contents of Jenkins.getTarget() out into a separate, publicly accessible function.

This will allow plugins (particularly authentication plugins that override the normal authentication process) to determine if authentication is not required for a particular path by calling isPathUnprotected(restOfPath).

Add @since TODO to comment

Change name of function to something that is accurate and clear

isPathUnprotected is misleading, and the Javadoc was worse. isSubjectToMandatoryReadPermissionCheck is a much better name, and the return value is reversed to match the name,

[JIRA] (JENKINS-32797) Access to check for unprotected/never secured paths

2016-11-29 Thread bryso...@gmail.com (JIRA)
Bryson Gibbons commented on JENKINS-32797

Re: Access to check for unprotected/never secured paths

Pull Request: https://github.com/jenkinsci/jenkins/pull/2652


[JIRA] (JENKINS-32797) Access to check for unprotected/never secured paths

2016-11-29 Thread bryso...@gmail.com (JIRA)
Bryson Gibbons commented on JENKINS-32797

Re: Access to check for unprotected/never secured paths

Will do as one function; after looking at my duplicated code, I was unable to use "Stapler.getCurrentRequest().getRestOfPath()" because at the point I am checking permission requirements the request is still in the filters, and stapler doesn't know about it yet.


[JIRA] (JENKINS-32797) Access to check for unprotected/never secured paths

2016-11-29 Thread ogon...@gmail.com (JIRA)
Oliver Gondža edited a comment on JENKINS-32797

Re: Access to check for unprotected/never secured paths

It makes sense to provide a way for plugins to tell if path should not be protected or not. Commenting on the state of the path as attached (please move this to PR), please consolidate it to one method that accepts {{restOfPath}} as an argument and performs all of the checks. Provided you do not need the two for some reason.


[JIRA] (JENKINS-32797) Access to check for unprotected/never secured paths

2016-11-29 Thread ogon...@gmail.com (JIRA)
Oliver Gondža commented on JENKINS-32797

Re: Access to check for unprotected/never secured paths

It makes sense to provide a way for plugins to tell if path should be protected or not. Commenting on the state of the path as attached (please move this to PR), please consolidate it to one method that accepts restOfPath as an argument and performs all of the checks. Provided you do not need the two for some reason.


[JIRA] (JENKINS-32797) Access to check for unprotected/never secured paths

2016-11-29 Thread bryso...@gmail.com (JIRA)
Bryson Gibbons edited a comment on JENKINS-32797

Re: Access to check for unprotected/never secured paths

Actually, this is an issue for any plugin that attempts to use Kerberos for signing in through servlet filters; right now, that I know of, this includes Kerberos-sso plugin and negotiatesso plugin. Currently I have duplicated parts of the code in core that are inaccessible to provide the needed functionality (see https://github.com/jenkinsci/negotiatesso-plugin/blob/master/src/main/java/com/github/farmgeek4life/jenkins/negotiatesso/NegSecFilter.java), and now a pull request with Kerberos-sso plugin is looking to also skip authentication for unprotected root actions (https://github.com/jenkinsci/kerberos-sso-plugin/pull/9). Without adding some small level of access to these functions, any plugin that performs authentication through a servlet filter will have to duplicate code from core, or authenticate access to some paths that actually should be accessible without authentication.


[JIRA] (JENKINS-32797) Access to check for unprotected/never secured paths

2016-11-29 Thread bryso...@gmail.com (JIRA)
Bryson Gibbons commented on JENKINS-32797

Re: Access to check for unprotected/never secured paths

Actually, this is an issue for any plugin that attempts to use Kerberos for signing in through servlet filters; right now, that I know of, this includes Kerberos-sso plugin and negotiatesso plugin. Currently I have duplicated parts of the code in core that are inaccessible to provide the needed functionality (see https://github.com/jenkinsci/negotiatesso-plugin/blob/master/src/main/java/com/github/farmgeek4life/jenkins/negotiatesso/NegSecFilter.java), and now a pull request with Kerberos-sso plugin is looking to also skip authentication for unprotected root actions (https://github.com/jenkinsci/kerberos-sso-plugin/pull/9). Without adding some small level of access to these functions, any plugin that performs authentication through a servlet filter will have to duplicate code from core, or authenticate access to some paths that actually should be accessible without authentication.


[JIRA] (JENKINS-32797) Access to check for unprotected/never secured paths

2016-11-29 Thread ogon...@gmail.com (JIRA)
Oliver Gondža commented on JENKINS-32797

Re: Access to check for unprotected/never secured paths

Is this about kerberos-sso plugin only? In case it is, please file an issue for whitelisting the JNLP connection endpoint. I would be more comfortable addressing it in that plugin rather than in core (as it is the plugin that has unusual security handling).


[JIRA] (JENKINS-32797) Access to check for unprotected/never secured paths

2016-06-30 Thread bryso...@gmail.com (JIRA)
Bryson Gibbons commented on JENKINS-32797

Re: Access to check for unprotected/never secured paths

Okay, I have to process these exception paths before I allow the authorization portion of the filter to run. The authorization portion of the filter (which is outside of my control) automatically creates and sends a "401 Unauthorized" page, and flushes the response buffer, removing any possibility of my code recovering from failed authorization (and then letting Jenkins take care of it via the normal process). I may ask about making that portion of the code in the dependency configurable/optional...


[JIRA] (JENKINS-32797) Access to check for unprotected/never secured paths

2016-06-29 Thread bryso...@gmail.com (JIRA)
Bryson Gibbons commented on JENKINS-32797

Re: Access to check for unprotected/never secured paths

Actually (because I didn't do a full look over my workaround code) I am using getUnprotectedRootActions(), but I still need to keep a separate list of AlwaysReadablePaths, and a regex for slave agents. All told I am duplicating about 50 lines of code from Jenkins.java (as an almost exact duplicate) to do the same operation that is contained in the catch clause of Jenkins.getTarget(). In my case I have to check those exceptions before I try authenticating, because I cannot (unfortunately) control filter chaining after I attempt authentication - that process happens in a filter in external code, that I call using super.doFilter(). I may have misspoken about this being a problem with kerberos-sso-plugin, only because I do not have a way to test it myself; if kerberos-sso-plugin does not have this issue, it is because it is able to execute the filter chain regardless of whether authentication was successful or not. I can try to attempt something similar, but I don't know if I will be successful in doing so. Going to test that before pursuing this further...


[JIRA] (JENKINS-32797) Access to check for unprotected/never secured paths

2016-06-29 Thread db...@cloudbees.com (JIRA)
Daniel Beck commented on JENKINS-32797

Re: Access to check for unprotected/never secured paths

> I currently have no way to test against that dynamic list with the currently available functions in Jenkins.java, and have not seen any other function that could supply that functionality to my plugin.

What's wrong with Jenkins.getInstance().getUnprotectedRootActions(), then getUrlName on each?


[JIRA] (JENKINS-32797) Access to check for unprotected/never secured paths

2016-06-29 Thread bryso...@gmail.com (JIRA)
Bryson Gibbons commented on JENKINS-32797

Re: Access to check for unprotected/never secured paths

Rationale, since I finally got back to looking at it - both kerberos-sso-plugin and negotiatesso-plugin automatically filter all requests; exceptions must be made for pages where authentication is not required (and often not possible via Negotiate); this issue came to my attention when I got complaints that the push notifications didn't work after installing the NegotiateSSO plugin. Exceptions must be added to the filters (as has been done on line 93 in NegSecFilter.java, in negotiatesso-plugin; and on line 130 in KerberosSSOFilter.java, in kerberos-sso-plugin) to allow things such as scm push notifications, and other access that is not supposed to be authenticated. Right now I have a whitelist of urls that shouldn't be authenticated, which is checked with every request, as well as code duplicated from Jenkins.java to use these exceptions. The part I don't like is that the list of urls that should be excluded is actually dynamic, based on the configuration and plugins installed on the system; I currently have no way to test against that dynamic list with the currently available functions in Jenkins.java, and have not seen any other function that could supply that functionality to my plugin. This leaves me with a list of exceptions that I need to maintain, which I don't like. Making this change would let me (and others) directly query against that dynamic list, reducing maintenance burden.