[JENKINS-37934] Add support for JGit's Apache's HTTP client and preemptive authentication #216
Situation
A few users have noticed that the Git plugin was ignoring the configured credentials (and instead tried to use the process's identity) under the following conditions:
JGit "installation"
Because JGit, by default, uses the JDKHttpConnectionFactory (which means URL#openConnection()), it turns out the JVM, on Windows, will attempt NTLM authentication using the identity of the current process and JGit's TransportHttp does not support NTLM as an authentication method when the attempt comes back with HTTP 401.
Action
org.eclipse.jgit:org.eclipse.jgit.http.apache as a dependency.
PreemptiveAuthHttpClientConnection[Factory], which will attempt to authenticate with the provided credentials, bypassing JGit's authentication mechanism.
Result
By using the JGit with Apache HTTP client "installation", I was able to clone from a variety of repositories, without having to launch Jenkins using a domain identity that had TFS permissions on Windows. In fact, I tried to get Windows integrated authentication working and it mostly worked, except when I hit a TFS server that had Negotiate (Kerberos) enabled; JGit's TransportHttp noticed that Negotiate was used and then tried to "configure the connection" the second time around, but this failed because JGit expected explicit credentials to be provided. If integrated authentication from Windows nodes is needed, there's still the original JGit "installation" that can be configured on a per-job basis.
Please let me know if you would like me to add or change anything.
Manual testing
git-client.hpi from this branch to a Jenkins server.
operating_system Slaves axis to run the same job on Linux (Ubuntu 14.6), Mac OS X (10.10.5) and Windows (2012 R2), using the jgitapache Git executable:
https://github.com/jenkinsci/tfs-plugin.git
- none -, because the repository is publicly-available
git@github.com:jenkinsci/tfs-plugin.git
root user.
user
DOMAIN\user
user
user@domain
user@fully.qualified.domain.example.com
NTCredentials class. Not a big deal as three other forms of the user name were accepted.
Mission accomplished!
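For readers unfamiliar with preemptive authentication in Apache HttpClient 4.x, the following is an added example, not code from this pull request; it does not reproduce PreemptiveAuthHttpClientConnection, whose source is not shown on this page. It uses HttpClient's auth-cache technique with the Basic scheme, and the host names, user name and password are constructed placeholders.

```java
import java.net.URI;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.AuthCache;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.BasicCredentialsProvider;

public class PreemptiveAuthSketch {
    // Builds a context that sends Basic credentials on the first request, for one host only.
    static HttpClientContext preemptiveContext(URI repo, String user, String password) {
        // Preemptive auth sends the secret before any 401 challenge, so refuse cleartext HTTP.
        if (!"https".equalsIgnoreCase(repo.getScheme())) {
            throw new IllegalArgumentException("preemptive auth requires https: " + repo);
        }
        int port = repo.getPort() == -1 ? 443 : repo.getPort();
        HttpHost target = new HttpHost(repo.getHost(), port, "https");

        // Scope the credentials to this host and port, never AuthScope.ANY.
        CredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(new AuthScope(target.getHostName(), target.getPort()),
                new UsernamePasswordCredentials(user, password));

        // Seeding the auth cache is what makes the client authenticate without waiting for a 401.
        AuthCache cache = new BasicAuthCache();
        cache.put(target, new BasicScheme());

        HttpClientContext ctx = HttpClientContext.create();
        ctx.setCredentialsProvider(creds);
        ctx.setAuthCache(cache);
        return ctx;
    }

    public static void main(String[] args) {
        URI repo = URI.create("https://tfs.example.com/tfs/DefaultCollection/_git/demo"); // constructed
        HttpClientContext ctx = preemptiveContext(repo, "DOMAIN\\user", "placeholder-password");
        HttpHost target = new HttpHost("tfs.example.com", 443, "https");
        HttpHost other = new HttpHost("mirror.example.net", 443, "https"); // constructed second host
        System.out.println("scheme cached for target: " + (ctx.getAuthCache().get(target) != null));
        System.out.println("scheme cached for other host: " + (ctx.getAuthCache().get(other) != null));
    }
}
```

Because the credentials leave the client before the server has identified itself with a challenge, the HTTPS check and the per-host scope are what keep a job's stored credential from being sent to an unintended endpoint.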