Child pages
  • Plugins affected by the SECURITY-901 fix

Due to some maintenance issues, this service has been switched in read-only mode, you can find more information about the why

and how to migrate your plugin documentation in this blogpost

Skip to end of metadata
Go to start of metadata

Several authentication related plugins do not work on Jenkins releases with the SECURITY-901 fix.

The fix requires that security realms call SecurityListener#authenticated or SecurityListener#loggedIn after successful authentication. If a security realm does not do either, sessions will be invalidated immediately, and users logged out again.

To disable this security fix when using a security realm that does not call SecurityListener as described above, set the Java system property to true.


Setting this system property will undo the additional protection provided by the security fix.

Further references

Affected plugins

The table below provides a list of plugin which were affected by the SECURITY-901 fix in Jenkins 2.150.2 and 2.160. "Status" column reflects the current state. Note that this list is not exhaustive.

If you encounter a plugin that no longer works as expected due to the fix, please add it to the list. More importantly, please file a bug report, if one doesn’t exist, to help ensure that the appropriate plugin maintainer is informed.

  • No labels