Wednesday, November 16, 2011

Ouch! : Chapter 2

One lesson learned is do not be in a hurry whenever dealing with bugs.

Last WE, I tried to fix 2 bugs. The first was the HttpClient lib issue. The second was the CSRF Prevention feature in Jenkins.

Dealing with IDEA version was easy. Just need to create 2 branches and 2 releases.

Dealing with Jenkins Security layer is not a simple task and the solution of CSRF was not good enough. Some use cases make the plugin fail. So the quality of the latest release is very low. I just let my keyboard away from me a couple of day and try to figure out the root cause.

Jenkins has a legacy mode that let you give credentials username/password. From the 1.426, CSRF has been introduced to prevent attack and misuses that could be critical for some organization. It generates for each user a crumb data (a kind of id user).
In that case, even if using basic credentials could have no sense and provide crumb data is secure enough for authentication, it needs to be supported.


The upcoming fix is to provide 2 kind of layers security mode : Legacy and Crumb. In the second mode layer, the user will have to authenticate himself with an Internet browser, get the crumb data by with the REST url http://jenkins-server/crumbIssuer and save the value into a local file. This way is not convenient but this could work in case of some specific rights that require authentication.

I would like to apologize myself on the low quality of work that has been produced last day. For the next releases, I will spend more time on functional tests before uploading to the Jetbrains Plugin Repository.