[ https://issues.jenkins-ci.org/browse/JENKINS-12585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=160864#comment-160864 ]

Christian Höltje commented on JENKINS-12585:
--------------------------------------------

We had a long troubleshooting session on IRC today and here is our summary
(please correct me if I make a mistake):

On my server, we use Tomcat.

It is behind an Apache, running a reverse proxy with mod_cache and mod_*_cache.

Tomcat sends out a JSESSIONID cookie when it thinks a session needs to be set and
the previous JSESSIONID is expired or no JSESSIONID is set.

Our thought is that some cacheable resources also had the "Set-Cookie:
JSESSIONID" header set.  So when someone else loaded that cached resource, they
had their JSESSIONID set to someone else's.

This is borne out by the fact that adding "CacheIgnoreHeaders Set-Cache" to
Apache seems to have fixed the problem.
                
> SECURITY: LDAP authenticated users switch accounts randomly
> -----------------------------------------------------------
>
>                 Key: JENKINS-12585
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-12585
>             Project: Jenkins
>          Issue Type: Bug
>          Components: security
>    Affects Versions: current
>         Environment: Mac OSX: 10.6.8 Desktop
> Java version: 1.6.0_29
> Access Control
> * Security Realm: LDAP
> * Authorization: Project-based Matrix Authorization Strategy
> Jenkins: 1.448
> Apache
> * Server version: Apache/2.2.17 (Unix)
> * Server built:   Dec  1 2010 09:58:15
>            Reporter: guillermo c
>            Assignee: Kohsuke Kawaguchi
>            Priority: Critical
>
> Running Jenkins behind Apache: mod_proxy with HTTPS
> https://wiki.jenkins-ci.org/display/JENKINS/Running+Jenkins+behind+Apache
> So our setup is
> Open Directory group
> jenkins-admin - Jenkins Admins all 
> dev-group-a - Developers can view kick off builds 
> Project-based Matrix Authorization Strategy
> Admin all checked
> dev-group-a checked: Overall:Read  Job:Read,Build Run:Update
> dev-group-b checked: Overall:Read  Job:Read
> issue is I'm an admin and a random developer will log in and see that their user
> id is mine and can admin jenkins.
> there have been reported cases that developer A will log in and actually be
> reported by jenkins as Developer B
> where they can no longer trigger CI builds
> My biggest concern is when users login and are reporting as admins and have 
> full access to jenkins.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
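
The failure mode described in the comment above, as an added example that is not part of the original message or of Jenkins, Tomcat or Apache: a small audit that flags response heads a shared cache may store while they also carry a JSESSIONID cookie. The storability test is a deliberate simplification, and the paths, cookie values and sample responses are constructed.

```python
# Added example: flag responses a shared cache may store while they set a session cookie.
SESSION_COOKIES = {"JSESSIONID"}  # Tomcat's session cookie, as named in the comment above

def parse_head(raw):
    """Split a raw HTTP response head into (status, [(lowercased name, value), ...])."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def shared_cache_may_store(status, headers):
    """Simplified storability test (assumption: not a full RFC 7234 or mod_cache model)."""
    directives = set()
    for name, value in headers:
        if name == "cache-control":
            directives.update(d.split("=")[0].strip().lower() for d in value.split(","))
    if status != 200 or directives & {"no-store", "private"}:
        return False
    names = {name for name, _ in headers}
    # Explicit freshness, or a validator that permits heuristic caching.
    return bool(directives & {"public", "max-age", "s-maxage"}) or bool(names & {"expires", "last-modified"})

def cached_session_cookies(raw):
    """Return session cookie names set on a response a shared cache may store."""
    status, headers = parse_head(raw)
    if not shared_cache_may_store(status, headers):
        return []
    set_names = [v.split("=", 1)[0].strip() for n, v in headers if n == "set-cookie"]
    return [c for c in set_names if c in SESSION_COOKIES]

# Constructed sample responses (paths and cookie values are made up for illustration).
SAMPLES = {
    "/static/style.css": "HTTP/1.1 200 OK\nCache-Control: public, max-age=86400\n"
                         "Set-Cookie: JSESSIONID=AAAA1111; Path=/\nContent-Type: text/css",
    "/login": "HTTP/1.1 200 OK\nCache-Control: private, no-store\n"
              "Set-Cookie: JSESSIONID=BBBB2222; Path=/\nContent-Type: text/html",
    "/static/logo.png": "HTTP/1.1 200 OK\nLast-Modified: Mon, 02 Jan 2012 10:00:00 GMT\n"
                        "Content-Type: image/png",
}

def audit(samples):
    """Return sorted paths whose responses would put a session cookie into the shared cache."""
    return sorted(p for p, raw in samples.items() if cached_session_cookies(raw))

if __name__ == "__main__":
    for path in audit(SAMPLES):
        print("cacheable response sets a session cookie:", path)
```

Any path this reports is a response where the proxy cache and the session cookie can collide; the origin should stop setting the cookie there or mark the response private.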

