Several authentication-related plugins do not work on Jenkins releases with the SECURITY-901 fix. The fix requires that security realms call SecurityListener#loggedIn after successful authentication. If a security realm does not do this, sessions will be invalidated immediately, and users are logged out again.
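The contract described above, as an added example written for this page rather than taken from Jenkins core or from any of the plugins listed below: a single-sign-on style filter that establishes the authenticated session itself and then reports the login to core through SecurityListener.fireLoggedIn, the static entry point that fires the loggedIn callback on every registered listener. The class name, the filter wiring and the use of the servlet container's remote user as the SSO identity are assumptions for illustration; the Acegi-era API matches the Jenkins 2.150.2/2.160 line this page covers.

```java
// Added example, not code from Jenkins core or any listed plugin.
// Assumptions: Jenkins core of the 2.150.2/2.160 era (Acegi-based security API);
// the SSO identity is taken from the servlet container's remote user for
// illustration, where a real plugin would verify its own ticket or token.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import hudson.security.SecurityRealm;
import jenkins.security.SecurityListener;

/** Hypothetical SSO filter, normally registered from SecurityRealm#createFilter. */
public class ExampleSsoFilter implements Filter {

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse rsp, FilterChain chain)
            throws IOException, ServletException {
        Authentication existing = SecurityContextHolder.getContext().getAuthentication();
        if (existing == null || !existing.isAuthenticated()) {
            String username = resolveSsoUser((HttpServletRequest) req);
            if (username != null) {
                // The realm authenticated the user itself, so core never saw a
                // password-based login. Populate the security context as before...
                Authentication auth = new UsernamePasswordAuthenticationToken(
                        username, "",
                        new GrantedAuthority[] { SecurityRealm.AUTHENTICATED_AUTHORITY });
                SecurityContextHolder.getContext().setAuthentication(auth);
                // ...and tell core about the login. Without this call a core with the
                // SECURITY-901 fix has no record of a login for this session and
                // invalidates it immediately, logging the user out again.
                SecurityListener.fireLoggedIn(username);
            }
        }
        chain.doFilter(req, rsp);
    }

    /** Illustrative identity source: the principal the container already authenticated. */
    private String resolveSsoUser(HttpServletRequest req) {
        String remoteUser = req.getRemoteUser();
        return (remoteUser == null || remoteUser.isEmpty()) ? null : remoteUser;
    }
}
```

The essential change for an affected plugin is the single fireLoggedIn call placed after the security context is populated; everything else in the filter is the pre-existing SSO flow.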
To disable this security fix when using a security realm that does not call SecurityListener as described above, set the Java system property
Setting this system property will undo the additional protection provided by the security fix.
The table below lists plugins that were affected by the SECURITY-901 fix in Jenkins 2.150.2 and 2.160. The "Status" column reflects the current state. Note that this list is not exhaustive.
If you encounter a plugin that no longer works as expected due to the fix, please add it to the list. More importantly, please file a bug report, if one doesn’t exist, to help ensure that the appropriate plugin maintainer is informed.
|Plugin||Pull request||Status|
|Azure AD||https://github.com/jenkinsci/azure-ad-plugin/pull/35||Fixed in 0.3.2 (2019-01-18)|
|(plugin name missing)||(missing)||Fixed in 0.9 (2019-01-19)|
|CAS||https://github.com/jenkinsci/cas-plugin/pull/2||Fixed in 1.4.3 (2019-01-21)|
|CollabNet||https://github.com/jenkinsci/collabnet-plugin/pull/27||PR proposed (untested), in review|
|Google Login||n/a||Compatible since 1.4 (2018-05-30)|
|Kerberos SSO||https://github.com/jenkinsci/kerberos-sso-plugin/pull/13||Fixed in 1.5 (2019-02-14)|
|(plugin name missing)||(missing)||Fixed in 2.3.0 (2019-01-20)|
|(plugin name missing)||(missing)||Fixed in 2.3 (2018-01-25)|
|OpenID Connect Authentication||https://github.com/jenkinsci/oic-auth-plugin/pull/56||(missing)|
|(plugin name missing)||(missing)||Fixed in 1.5 (2019-01-20)|
|Windows Negotiate SSO||(missing)||(missing)|