
...

CRX login credentials are managed using functionality provided by the Credentials Plugin. Users are encouraged to provide a description for each set of credentials and to organize their credentials using Domains, which are regularly filtered by this plugin's components according to Base URL parameters. These practices reduce confusion while increasing reusability and security.

(Since 1.3) If the login credentials for a server differ from those configured in the Connection Options section, you may override them in the Base URL by inserting {{username[:password]@}} between the scheme and the hostname.

For example, to override the Username without changing the associated password or private key, you may use the following form:

...

However, because a password will commonly be accepted as a job parameter or a global parameter, and many password schemes require at least one special character (some allow any character at all), the user info part is first sanitized in the following way before being parsed as a URI:

  • Percent characters ({{%}}) that unambiguously do NOT denote an escaped ASCII character (matched by the regular expression {{%(?![A-Fa-f0-9]{2})}}) are replaced with {{%25}}.
  • Reserved URL characters in the set {{" !#$'()*+,/:;=?@[]"}} are replaced by a {{%}} followed by the corresponding two-digit hexadecimal ASCII code.

This sanitization procedure will result in correct percent-encoding of most reserved characters, and it will not over-escape input which has already been properly percent-encoded. There are a few exceptions, however:

  1. The username MUST NOT contain an unescaped colon (:).
  2. The username and the password MUST NOT contain an unescaped forward-slash (/).
  3. Neither the username nor the password should contain an unescaped sequence of the percent character ({{%}}) followed by two hexadecimal digits ({{[A-Fa-f0-9]{2}}}), because that sequence is interpreted as an already-escaped ASCII character and left unchanged prior to parsing by {{java.net.URI}}.

Once parsed, the user info part will be stripped from the base URL before it is used by this plugin's components, to prevent credentials from being leaked in the console log. However, care should always be taken when passing credentials through Jenkins parameters in case they are exposed in other areas of the application. In addition, the Base URL field is persisted as plaintext on disk, so any unencrypted passwords stored in that field are visible to anyone who has access to the Jenkins filesystem. Use the Password Parameter type and the Mask Passwords Plugin whenever possible to properly secure your parameterized CRX application credentials.
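As an added example (not the plugin's own code), the Java class below applies the two sanitization steps above to the user info part of a Base URL, parses the result with java.net.URI, and returns the decoded credentials alongside the base URL with the user info stripped, which is the only form that should reach a console log. How the user info is located (between "://" and the last "@" before the first "/") and split (at the first ":") is an assumption about the plugin's behaviour, chosen because it reproduces the three exceptions listed above.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
public class CrxBaseUrlUserInfo {
    // Percent signs that do NOT start a valid escape (the page's regex).
    private static final Pattern BARE_PERCENT = Pattern.compile("%(?![A-Fa-f0-9]{2})");
    // Reserved characters listed on the page; each becomes %XX.
    private static final String RESERVED = " !#$'()*+,/:;=?@[]";
    // Both sanitization steps from the page, applied to one user-info field.
    static String sanitize(String field) {
        String s = BARE_PERCENT.matcher(field).replaceAll("%25");
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (RESERVED.indexOf(c) >= 0) out.append(String.format("%%%02X", (int) c));
            else out.append(c);
        }
        return out.toString();
    }
    // Returns {username, password, baseUrlWithoutUserInfo}; the first two are null
    // when no user info is present. Assumption (not stated on the page): user info
    // is the text between "://" and the last '@' before the first '/', split at the
    // first ':'. That is exactly why an unescaped ':' in the username or an
    // unescaped '/' in either field cannot be handled.
    static String[] parse(String baseUrl) throws URISyntaxException {
        int start = baseUrl.indexOf("://") + 3;
        int end = baseUrl.indexOf('/', start);
        if (end < 0) end = baseUrl.length();
        int at = baseUrl.lastIndexOf('@', end - 1);
        String authority = baseUrl.substring(start, end);
        if (at >= start) {
            String info = baseUrl.substring(start, at);
            int colon = info.indexOf(':');
            authority = (colon < 0 ? sanitize(info) : sanitize(info.substring(0, colon))
                + ":" + sanitize(info.substring(colon + 1))) + "@" + baseUrl.substring(at + 1, end);
        }
        URI uri = new URI(baseUrl.substring(0, start) + authority + baseUrl.substring(end));
        String user = null, pass = null, raw = uri.getRawUserInfo();
        if (raw != null) {
            String[] parts = raw.split(":", 2); // split before decoding so an escaped ':' survives
            user = URLDecoder.decode(parts[0], StandardCharsets.UTF_8); // safe: sanitize leaves no raw '+'
            pass = parts.length > 1 ? URLDecoder.decode(parts[1], StandardCharsets.UTF_8) : null;
        }
        URI stripped = new URI(uri.getScheme(), null, uri.getHost(), uri.getPort(),
                               uri.getPath(), uri.getQuery(), uri.getFragment());
        return new String[] { user, pass, stripped.toString() }; // log only the stripped URL
    }
}
```

With a constructed input such as {{http://admin:p@ss w%rd@localhost:4502/crx/server/crx.default}}, the password field is sanitized to {{p%40ss%20w%25rd}} before parsing, decoded back to the original text, and the returned base URL no longer contains any user info.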

...