Bad functionality with proxy, initialize ProxyAuthenticationMethods #110

Open
rubroboletus opened this issue Oct 19, 2021 · 0 comments
Labels
bug Something isn't working

Version report

Jenkins and plugins versions report:

Jenkins: 2.303.1
OS: Linux - 5.4.129-63.229.amzn2.x86_64
---
ace-editor:1.1
active-directory:2.25
analysis-model-api:10.5.2
anchore-container-scanner:1.0.23
ansicolor:1.0.0
ant:1.12
antisamy-markup-formatter:2.3
apache-httpcomponents-client-4-api:4.5.13-1.0
artifactory:3.13.2
authentication-tokens:1.4
authorize-project:1.4.0
aws-credentials:1.32
aws-java-sdk:1.12.89-292.v2712528e879c
aws-java-sdk-cloudformation:1.12.89-292.v2712528e879c
aws-java-sdk-codebuild:1.12.89-292.v2712528e879c
aws-java-sdk-ec2:1.12.89-292.v2712528e879c
aws-java-sdk-ecr:1.12.89-292.v2712528e879c
aws-java-sdk-ecs:1.12.89-292.v2712528e879c
aws-java-sdk-elasticbeanstalk:1.12.89-292.v2712528e879c
aws-java-sdk-iam:1.12.89-292.v2712528e879c
aws-java-sdk-logs:1.12.89-292.v2712528e879c
aws-java-sdk-minimal:1.12.89-292.v2712528e879c
aws-java-sdk-ssm:1.12.89-292.v2712528e879c
blueocean:1.25.0
blueocean-autofavorite:1.2.4
blueocean-bitbucket-pipeline:1.25.0
blueocean-commons:1.25.0
blueocean-config:1.25.0
blueocean-core-js:1.25.0
blueocean-dashboard:1.25.0
blueocean-display-url:2.4.1
blueocean-events:1.25.0
blueocean-git-pipeline:1.25.0
blueocean-github-pipeline:1.25.0
blueocean-i18n:1.25.0
blueocean-jira:1.25.0
blueocean-jwt:1.25.0
blueocean-personalization:1.25.0
blueocean-pipeline-api-impl:1.25.0
blueocean-pipeline-editor:1.25.0
blueocean-pipeline-scm-api:1.25.0
blueocean-rest:1.25.0
blueocean-rest-impl:1.25.0
blueocean-web:1.25.0
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.1-1
bouncycastle-api:2.25
branch-api:2.7.0
build-name-setter:2.2.0
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
cloudbees-bitbucket-branch-source:2.9.11
cloudbees-disk-usage-simple:0.10
cloudbees-folder:6.16
command-launcher:1.6
config-file-provider:3.8.1
configuration-as-code:1.54
credentials:2.6.1
credentials-binding:1.27
data-tables-api:1.11.3-1
display-url-api:2.3.5
docker-commons:1.17
docker-java-api:3.1.5.2
docker-swarm:1.11
docker-workflow:1.26
durable-task:1.39
ec2-fleet:2.3.6
echarts-api:5.2.1-2
email-ext:2.84
emailext-template:1.2
extended-choice-parameter:0.82
extended-read-permission:3.2
extensible-choice-parameter:1.8.0
favorite:2.3.3
folder-properties:1.2.1
font-awesome-api:5.15.4-1
forensics-api:1.5.0
git:4.9.0
git-client:3.10.0
git-server:1.10
github:1.34.1
github-api:1.133
github-branch-source:2.11.3
gitlab-plugin:1.5.22
gradle:1.37.1
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-1.0
htmlpublisher:1.26
http_request:1.11
ivy:2.1
jackson2-api:2.13.0-226.v0c5dd2d2fd2a
jacoco:3.3.0
javadoc:1.6
jaxb:2.3.0.1
jdk-tool:1.5
jenkins-design-language:1.25.0
jira:3.6
jjwt-api:0.11.2-9.c8b45b8bb173
job-dsl:1.77
job-restrictions:0.8
jobConfigHistory:2.28.1
jquery:1.12.4-1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
kubernetes:1.30.4
kubernetes-client-api:5.4.1
kubernetes-credentials:0.9.0
lockable-resources:2.11
mailer:1.34
matrix-auth:2.6.8
matrix-project:1.19
maven-plugin:3.14
metrics:4.0.2.8
momentjs:1.1.1
okhttp-api:3.14.9
ownership:0.13.0
parameter-separator:1.3
pipeline-aws:1.43
pipeline-build-step:2.15
pipeline-graph-analysis:1.11
pipeline-input-step:2.12
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.2
pipeline-model-definition:1.9.2
pipeline-model-extensions:1.9.2
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.2
pipeline-stage-view:2.19
pipeline-utility-steps:2.10.0
plain-credentials:1.7
plugin-util-api:2.5.0
popper-api:1.16.1-2
popper2-api:2.10.2-1
prometheus:2.0.10
publish-over:0.22
publish-over-cifs:0.16
publish-over-ssh:1.22
pubsub-light:1.16
rebuild:1.32
repository-connector:2.2.0
schedule-build:0.5.1
scm-api:2.6.5
script-security:1.78
simple-theme-plugin:0.7
snakeyaml-api:1.29.1
sonar:2.13.1
sse-gateway:1.24
ssh-credentials:1.19
ssh-slaves:1.33.0
sshd:3.1.0
structs:1.23
throttle-concurrents:2.4
timestamper:1.13
token-macro:266.v44a80cf277fd
trilead-api:1.0.13
uno-choice:2.5.6
variant:1.4
warnings-ng:9.5.1
workflow-aggregator:2.6
workflow-api:2.47
workflow-basic-steps:2.24
workflow-cps:2.94
workflow-cps-global-lib:2.21
workflow-durable-task-step:2.40
workflow-job:2.42
workflow-multibranch:2.26
workflow-scm-step:2.13
workflow-step-api:2.24
workflow-support:3.8
  • What Operating System are you using (both controller, and any agents involved in the problem)?
Linux

Reproduction steps

  • Install fresh Jenkins
  • Install proxy with NTLM/KERBEROS/BASIC auth methods
  • Create AWS IAM role, IAM user and setup AssumeRole in this plugin
  • Set proxy in Jenkins
  • Set proxy account locking rules to small number
  • Try to use AWS credentials, see Jenkins log. A lot of messages regarding NTLM/Kerberos realm/domain missing will be logged, and the proxy account will become locked out

Results

Expected result:

For 99% of proxies, the BASIC auth method is enough. Set ProxyAuthenticationMethods in the AWS Java SDK accordingly / add a configuration option to the plugin. When uninitialized, it uses the following list: SPNEGO, KERBEROS, NTLM, DIGEST, BASIC. At least for Kerberos and NTLM there are missing fields in the proxy settings, leading to errors in the Jenkins log and possible proxy account lockout when hard account locking rules are set.

Actual result:

Actually we have problems when using this plugin with our proxy, leading to account lockouts.

@rubroboletus rubroboletus added the bug Something isn't working label Oct 19, 2021
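
The change the issue asks for, sketched against the AWS SDK for Java v1 `ClientConfiguration` API. This is an added example, not code from the plugin or from the reporter. The proxy host, port, account name, `PROXY_PASSWORD` variable, region and the comma-separated methods setting are assumptions made for illustration.

```java
import com.amazonaws.ClientConfiguration;
import com.amazonaws.ProxyAuthenticationMethod;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class ProxyAuthExample {

    // Parse an operator-supplied setting such as "BASIC" or "DIGEST,BASIC".
    // The setting is hypothetical: the issue only proposes that such an option be added.
    static List<ProxyAuthenticationMethod> parseMethods(String setting) {
        List<ProxyAuthenticationMethod> methods = new ArrayList<>();
        for (String name : setting.split(",")) {
            String trimmed = name.trim();
            if (!trimmed.isEmpty()) {
                // valueOf throws IllegalArgumentException for an unknown scheme name
                methods.add(ProxyAuthenticationMethod.valueOf(trimmed.toUpperCase(Locale.ROOT)));
            }
        }
        if (methods.isEmpty()) {
            // Fail closed instead of silently falling back to the SDK default list
            throw new IllegalArgumentException("no proxy authentication method configured");
        }
        return methods;
    }

    static ClientConfiguration proxyConfig(String host, int port, String user,
                                           String password, String methods) {
        return new ClientConfiguration()
                .withProxyHost(host)
                .withProxyPort(port)
                .withProxyUsername(user)
                .withProxyPassword(password)
                // Restrict the schemes offered to the proxy. Left unset, the issue reports
                // the list SPNEGO, KERBEROS, NTLM, DIGEST, BASIC is used.
                .withProxyAuthenticationMethods(parseMethods(methods));
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the issue
        ClientConfiguration cfg = proxyConfig("proxy.example.internal", 3128,
                "svc-jenkins", System.getenv("PROXY_PASSWORD"), "BASIC");
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withClientConfiguration(cfg)   // the STS client used for AssumeRole goes through the proxy
                .withRegion("eu-west-1")
                .build();
        System.out.println("Proxy auth methods: " + cfg.getProxyAuthenticationMethods());
        sts.shutdown();
    }
}
```

When validating such a change, watch the proxy's authentication log for a single BASIC attempt per request rather than repeated failed NTLM/Kerberos negotiations, since each failed attempt is what counts against the lockout threshold.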