[SECURITY-1289]

core/src/main/java/hudson/cli/ClientAuthenticationCache.java

@@ -104,7 +104,8 @@ public FilePath call() throws IOException {
         String verificationPart = val.substring(idx + 1);
         int indexOfSeparator = verificationPart.indexOf(VERIFICATION_FRAGMENT_SEPARATOR);
         if (indexOfSeparator == -1) {
-            return legacy(username, verificationPart, val);
+            LOGGER.log(Level.FINE, "The legacy method is no longer accepted: username={0}", username);
+            return Jenkins.ANONYMOUS;
         }
 
         /*
@@ -137,10 +138,6 @@ public FilePath call() throws IOException {
 
         return getUserAuthIfValidMac(username, macFragment, val);
     }
-
-    private Authentication legacy(String username, String mac, String fullValueStored){
-        return getUserAuthIfValidMac(username, mac, fullValueStored);
-    }
 
     /**
      * restOfFragments format: [userSeed]

test/src/test/java/hudson/cli/ClientAuthenticationCacheTest.java

@@ -26,6 +26,7 @@
 
 import com.google.common.collect.Lists;
 import hudson.Launcher;
+import hudson.model.User;
 import hudson.security.FullControlOnceLoggedInAuthorizationStrategy;
 import hudson.util.Secret;
 import hudson.util.StreamTaskListener;
@@ -67,6 +68,9 @@ public void login() throws Exception {
         r.jenkins.setSecurityRealm(r.createDummySecurityRealm());
         r.jenkins.setAuthorizationStrategy(new FullControlOnceLoggedInAuthorizationStrategy());
         assertCLI(0, "Authenticated as: anonymous", jar, "who-am-i");
+
+        // user must exist to use the new cli auth cache (which is the case in non-test context)
+        User.getById("dev", true);
         assertCLI(0, null, jar, "login", "--username", "dev", "--password", "dev");
         try {
             assertCLI(0, "Authenticated as: dev", jar, "who-am-i");

test/src/test/java/hudson/cli/ClientAuthenticationCacheWithUserSeedTest.java

@@ -70,8 +70,8 @@ public class ClientAuthenticationCacheWithUserSeedTest {
     public LoggerRule logging = new LoggerRule().record(ClientAuthenticationCache.class, Level.FINER);
 
     @Test
-    @Issue("SECURITY-1247")
-    public void legacyCache_smoothlyMigratedWithUserSeed() throws Exception {
+    @Issue("SECURITY-1289")
+    public void legacyCache_noLongerUsable() throws Exception {
         ClientAuthenticationCache cache = new ClientAuthenticationCache(null);
         assertThat(cache.get(), is(Jenkins.ANONYMOUS));
 
@@ -95,7 +95,8 @@ public void legacyCache_smoothlyMigratedWithUserSeed() throws Exception {
             File jar = tmp.newFile("jenkins-cli.jar");
             FileUtils.copyURLToFile(r.jenkins.getJnlpJars("jenkins-cli.jar").getURL(), jar);
 
-            assertCLI(0, "Authenticated as: " + user.getId(), jar, "who-am-i");
+            // the legacy method is no longer usable
+            assertCLI(0, "Authenticated as: anonymous", jar, "who-am-i");
 
             cache = new ClientAuthenticationCache(null);
             String valueAfterUsage = cache.props.getProperty(cache.getPropertyKey());

test/src/test/java/hudson/security/CliAuthenticationTest.java

@@ -112,6 +112,8 @@ protected int run() throws Exception {
     public void login() throws Exception {
         j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
 
+        // user must exist to use the new cli auth cache (which is the case in non-test context)
+        hudson.model.User.getById("abc", true);
         successfulCommand("login","--username","abc","--password","abc");
         spySecurityListener.authenticatedCalls.assertLastEventIsAndThenRemoveIt(userDetails -> userDetails.getUsername().equals("abc"));
         spySecurityListener.loggedInCalls.assertLastEventIsAndThenRemoveIt("abc");