[JIRA] (JENKINS-12585) SECURITY: LDAP authenticated users switch accounts randomly

Thu, 03 May 2012 18:46:28 -0700 

    [ 
https://issues.jenkins-ci.org/browse/JENKINS-12585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=162403#comment-162403
 ] 

dogfood commented on JENKINS-12585:
-----------------------------------

Integrated in !http://ci.jenkins-ci.org/images/16x16/yellow.png! 
[jenkins_main_trunk #1701|http://ci.jenkins-ci.org/job/jenkins_main_trunk/1701/]
     [FIXED JENKINS-12585] restrict where sessions are created. (Revision 
7a4858d65f2431396c2f4dadbc3d654712bc02a8)

     Result = UNSTABLE
Kohsuke Kawaguchi : 
[7a4858d65f2431396c2f4dadbc3d654712bc02a8|https://github.com/jenkinsci/jenkins/commit/7a4858d65f2431396c2f4dadbc3d654712bc02a8]
Files : 
* war/src/main/webapp/WEB-INF/security/SecurityFilters.groovy
* core/src/main/resources/lib/layout/layout.jelly
* changelog.html
* core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java

                
> SECURITY: LDAP authenticated users switch accounts randomly
> -----------------------------------------------------------
>
>                 Key: JENKINS-12585
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-12585
>             Project: Jenkins
>          Issue Type: Bug
>          Components: security
>    Affects Versions: current
>         Environment: Mac OSX: 10.6.8 Desktop
> Java version: 1.6.0_29
> Access Control
> * Security Realm: LDAP
> * Authorization: Project-based Matrix Authorization Strategy
> Jenkins: 1.448
> Apache
> * Server version: Apache/2.2.17 (Unix)
> * Server built:   Dec  1 2010 09:58:15
>            Reporter: guillermo c
>            Assignee: Kohsuke Kawaguchi
>            Priority: Critical
>
> Running Jenkins behind Apache: mod_proxy with HTTPS
> https://wiki.jenkins-ci.org/display/JENKINS/Running+Jenkins+behind+Apache
> So our setup is
> Open Directory group
> jenkins-admin - Jenkins Admins all 
> dev-group-a - Developers can view kick off builds 
> Project-based Matrix Authorization Strategy
> Admin all checked
> dev-group-a checked: Overall:Read  Job:Read,Build Run:Update
> dev-group-b checked: Overall:Read  Job:Read
> issue is I'm an admin and random developer will login and see that there user 
> id is mine and can admin jenkins.
> there has been reported cases that developer A will login and actually be 
> reported by jenkins as Developer B
> were they can no longer trigger CI builds
> My biggest concern is when users login and are reporting as admins and have 
> full access to jenkins.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to