Jenkins : Plugins affected by the SECURITY-901 fix

Several authentication-related plugins do not work on Jenkins releases that include the SECURITY-901 fix.

The fix requires that security realms call SecurityListener#authenticated or SecurityListener#loggedIn after successful authentication. If a security realm does neither, sessions are invalidated immediately and users are logged out again.
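What that call can look like in a custom security realm, as an added example that is not code from Jenkins or from any plugin listed on this page. `ExampleLoginCompleter` and `completeLogin` are hypothetical names; the example assumes the Acegi-based API of the Jenkins releases named here (2.150.2 and 2.160) and that it runs on the thread handling the realm's login request.

```java
import javax.servlet.http.HttpSession;
import jenkins.security.SecurityListener;
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;

/** Hypothetical helper for a custom SecurityRealm; not part of Jenkins or any plugin. */
public final class ExampleLoginCompleter {
    private ExampleLoginCompleter() {}

    /**
     * Call from the realm's login callback, and only after the external
     * identity provider has verified the user.
     */
    public static void completeLogin(String username, GrantedAuthority[] authorities) {
        StaplerRequest req = Stapler.getCurrentRequest();
        if (req == null) {
            throw new IllegalStateException("completeLogin must run inside an HTTP request");
        }

        // Rotate the session so a session id issued before login is not carried over.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true);

        // Publish the authenticated identity for the rest of the request.
        UserDetails details = new User(username, "", true, true, true, true, authorities);
        Authentication auth = new UsernamePasswordAuthenticationToken(details, "", authorities);
        SecurityContextHolder.getContext().setAuthentication(auth);

        // The notification the SECURITY-901 fix depends on: fireAuthenticated dispatches
        // to every SecurityListener#authenticated. SecurityListener.fireLoggedIn(username)
        // is the alternative, dispatching to SecurityListener#loggedIn.
        // Assumption of this example: listeners act on the request's current session,
        // so the call is made after the new session has been created.
        SecurityListener.fireAuthenticated(details);
    }
}
```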

To disable this security fix when using a security realm that does not call SecurityListener as described above, set the Java system property to true.


Setting this system property will undo the additional protection provided by the security fix.

Further references

Affected plugins

The table below lists plugins that were affected by the SECURITY-901 fix in Jenkins 2.150.2 and 2.160. The "Status" column reflects the current state. Note that this list is not exhaustive.

If you encounter a plugin that no longer works as expected due to the fix, please add it to the list. More importantly, please file a bug report, if one doesn’t exist, to help ensure that the appropriate plugin maintainer is informed.

| Plugin | Issue | Pull request | Status |
|---|---|---|---|
| Azure AD | | | in 0.3.2 (2019-01-18) |
| Bitbucket OAuth | JENKINS-55668 - Unable to login with Bitbucket Oauth plugin after Jenkins update (2.150.2) Resolved | | Fixed in 0.9 (2019-01-19) |
| CAS | | | in 1.4.3 (2019-01-21) |
| | JENKINS-55892 - CollabNet-Plugin is not compatible with SECURITY-901 fix (Upgrading to 2.160) In Review | | proposed (untested), in review |
| Google Login | n/a | n/a | Compatible since 1.4 (2018-05-30) |
| Kerberos SSO | JENKINS-55698 - SSO + CRSF causes 403 errors Resolved | | in 1.5 (2019-02-14) |
| Keycloak Authentication | JENKINS-55669 - Auth plugin doesn't work after upgrade to Jenkins 2.150.2 Resolved | | Fixed in 2.3.0 (2019-01-20) |
| | JENKINS-55683 - Endless loop on login when using OpenID plugin after upgrading to 2.160 / 2.150.2, preventing user authentication Resolved | | Fixed in 2.3 (2018-01-25) |
| OpenID Connect Authentication | JENKINS-55654 - infinite redirect loop when auth provider is oidc (after update to 2.160) Resolved | | Fixed in 1.5 (2019-01-20) |
| Windows Negotiate SSO | JENKINS-55697 - NegotiateSSO Plugin is not compatible with SECURITY-901 FIX (Upgrading to 2.160/2.150.2) Resolved | | in 1.2 (2019-03-06) |