Upgrading to Jenkins 2.160 breaks CAS logins #9

Closed
danschmidt5189 opened this issue Jan 16, 2019 · 9 comments

danschmidt5189 commented Jan 16, 2019

Upgrading to Jenkins 2.160 (from 2.159) causes CAS logins to fail with an infinite loop, as Jenkins does not respect the result of the authorization flow. To reproduce:

  • Start with a working Jenkins 2.159 and CAS Plugin
  • Upgrade to Jenkins 2.160
  • Try logging back in and observe that you're thrown into an infinite loop

Note:

  • I'm running Jenkins behind nginx.
  • This update procedure has never previously failed.
  • Jenkins 2.160 introduces an obvious related change.
  • The problem persists even after clearing cookies.
  • Downgrading from 2.160 to 2.159 fixes the problem.
@danschmidt5189 danschmidt5189 changed the title Upgrading to Jenkins 2.60 breaks CAS logins Upgrading to Jenkins 2.160 breaks CAS logins Jan 17, 2019

kgeis commented Jan 17, 2019

I am having the same issue.

Differences:

  • Apache as reverse proxy
  • running 2.150.2 LTS (just upgraded this morning); 2.160 security fix was backported to 2.150
  • downgrading to 2.150.1 fixes the problem


ToeBee commented Jan 17, 2019

Same problem after upgrading from 2.150.1 to 2.150.2 last night.
The exchange goes like this:

  • GET / -> 403 Forbidden
  • GET /securityRealm/commenceLogin -> 302 to CAS server
  • CAS login successful, 302 back to Jenkins
  • GET /securityRealm/finishLogin?ticket=xxxxxx -> 302 back to /
  • GET / -> 403 Forbidden
  • Repeat

I don't see anything happening in the Jenkins log file while this is going on.
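As an added detection example (not code from this issue, the CAS plugin or Jenkins), the following Python scans reverse-proxy access logs for the loop described above: a 302 from /securityRealm/finishLogin immediately followed by a 403 on the redirect target. The log lines, client addresses and ticket values are constructed.

```python
import re
from collections import defaultdict

# Constructed nginx-style access-log sample (not from the issue) that replays the
# exchange reported above: finishLogin answers 302 to "/", which answers 403 again.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jan/2019:09:00:01 +0000] "GET / HTTP/1.1" 403 512 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Jan/2019:09:00:01 +0000] "GET /securityRealm/commenceLogin?from=%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Jan/2019:09:00:03 +0000] "GET /securityRealm/finishLogin?ticket=ST-CONSTRUCTED-1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Jan/2019:09:00:03 +0000] "GET / HTTP/1.1" 403 512 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Jan/2019:09:00:04 +0000] "GET /securityRealm/commenceLogin?from=%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Jan/2019:09:00:05 +0000] "GET /securityRealm/finishLogin?ticket=ST-CONSTRUCTED-2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Jan/2019:09:00:05 +0000] "GET / HTTP/1.1" 403 512 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Jan/2019:09:01:00 +0000] "GET /securityRealm/finishLogin?ticket=ST-CONSTRUCTED-9 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Jan/2019:09:01:00 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Client, request line and status of a "combined"-format access-log entry.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (client, method, path-without-query, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m['client'], m['method'], m['path'].split('?', 1)[0], int(m['status'])

def count_failed_login_cycles(log_text):
    """Per client, count how often a 302 from /securityRealm/finishLogin was
    immediately followed by a 403, i.e. one turn of the loop in the report.
    Assumes the client's next request after finishLogin is the redirect target."""
    pending = set()            # clients whose last request was a finishLogin 302
    cycles = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        client, _method, path, status = rec
        if path == '/securityRealm/finishLogin' and status == 302:
            pending.add(client)
        elif client in pending:
            pending.discard(client)
            if status == 403:
                cycles[client] += 1
    return dict(cycles)

def clients_in_login_loop(log_text, min_cycles=2):
    """Clients that went around the finishLogin -> 403 loop at least min_cycles times."""
    return sorted(c for c, n in count_failed_login_cycles(log_text).items() if n >= min_cycles)
```

A client that completes finishLogin and then gets a 200 (10.0.0.9 in the sample) is not counted, so the check only flags sessions where the authentication result is being discarded.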

fcrespel (Owner) commented

Thanks for the notice. This issue is related to the SECURITY-901 fix in Jenkins. I'll try to implement the necessary adjustments in CAS plugin ASAP, until then you can either downgrade Jenkins or apply the workaround described in the Upgrade Guide.


ToeBee commented Jan 18, 2019

Ah, the upgrade guide did not mention this when I looked yesterday. Unfortunately the workaround of setting that Java property does not seem to fix it for me. But we can stay at .1 for now.


ToeBee commented Jan 18, 2019

Turns out, there was a typo in the property name on the release notes. Someone updated the wiki page and release notes and things are working for me on .2 now. Just need to remember to unset the property after the CAS plugin is updated :)

fcrespel (Owner) commented

The fix for this issue is available in jenkinsci#2, but before I release it could you please try the test build available on the CI server? (get cas-plugin.hpi, rename it to cas-plugin.jpi, put it in your Jenkins plugins folder and restart).

tanrobotix commented

@fcrespel I've tested. It runs OK. Thank you so much for your fix.
Please release it in the Jenkins plugin market. Thank you.


Wadeck commented Jan 21, 2019

get cas-plugin.hpi, rename it to cas-plugin.jpi, put it in your Jenkins plugins folder and restart

Not even required to rename, the hpi files are also correctly handled :)

@fcrespel fcrespel self-assigned this Jan 21, 2019
fcrespel (Owner) commented

Thanks for the feedback, CAS plugin version 1.4.3 is now released. It may take a few hours to appear in the Update Center, until then you can grab it from the Maven repository.

fcrespel added a commit that referenced this issue Jun 29, 2021
Add option to customize validation URL params