[JENKINS-11944] Matrix security prevents API access

Type: Bug
Resolution: Not A Defect
Priority: Major
Component/s: _unsorted
Labels:
- 403
Environment:
Jenkins 1.441, Ubuntu 10.10, default package installation. (Also have the same issue on a CentOS server running 1.430.) I don't know if the OS makes a difference though.

Similar Issues:
Powered by SuggestiMate

Show

When I try to get /api/xml from my python script (or via Firefox by typing http://username:password@localhost:8080/api/xml), I get a 403 when I have matrix security enabled, even when the user I'm trying to authenticate has full access to the system. I've tried authenticating with both the regular password and the api token with no success. I've confirmed the python is "pre-emptively" sending the username and password.

Python code (project name is "Hello"):

import urllib2

xml_url = "http://localhost:8080/api/xml?xpath=/hudson/job[name='Hello']/color"

password_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
password_mgr.add_password(None, "http://localhost:8080", "user", "96f9...apitoken....23");

handler = urllib2.HTTPBasicAuthHandler(password_mgr)

opener = urllib2.build_opener(handler)

try:
response = opener.open(xml_url)
xml = response.read()

if xml.find("blue"):
print "working"
else:
print "broken"
except urllib2.HTTPError:
print "kaboom"

Orion Ifland added a comment - 2011-12-01 17:03

It looks like this isn't a Jenkins bug - it's just a side effect of Jenkins not sending a 401 (i.e. requiring pre-emptive authentication). It seems to affect both Firefox and the HTTP Authentication handler I was using. Sending a header explicitly fixes the issue.

Working code:
import base64
import urllib2

xml_url = "http://localhost:8080/api/xml?xpath=%2Fhudson%2Fjob%5Bname%3D'Hello'%5D%2Fcolor"
username = "user"
password = "96f9486...9352cee4"
auth_header = 'Basic ' + base64.encodestring('%s:%s' % (username, password))[:-1]

#opener = urllib2.build_opener(handler)
req = urllib2.Request(xml_url)
req.add_header('Authorization', auth_header)

try:
response = urllib2.urlopen(req)
xml = response.read()

if xml.find("blue") > -1:
print "working"
else:
print "broken"
except urllib2.HTTPError:
print "kaboom"

Orion Ifland added a comment - 2011-12-01 17:03 It looks like this isn't a Jenkins bug - it's just a side effect of Jenkins not sending a 401 (i.e. requiring pre-emptive authentication). It seems to affect both Firefox and the HTTP Authentication handler I was using. Sending a header explicitly fixes the issue. Working code: import base64 import urllib2 xml_url = "http://localhost:8080/api/xml?xpath=%2Fhudson%2Fjob%5Bname%3D'Hello'%5D%2Fcolor" username = "user" password = "96f9486...9352cee4" auth_header = 'Basic ' + base64.encodestring('%s:%s' % (username, password)) [:-1] #opener = urllib2.build_opener(handler) req = urllib2.Request(xml_url) req.add_header('Authorization', auth_header) try: response = urllib2.urlopen(req) xml = response.read() if xml.find("blue") > -1: print "working" else: print "broken" except urllib2.HTTPError: print "kaboom"

Orion Ifland added a comment - 2011-12-01 17:04

Closed because the issue was with the testing code and not Jenkins

Orion Ifland added a comment - 2011-12-01 17:04 Closed because the issue was with the testing code and not Jenkins

Assignee:: Orion Ifland

Reporter:: Orion Ifland

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Created:: 2011-11-30 23:14

Updated:: 2017-04-15 23:15

Resolved:: 2011-12-01 17:04

Details

Description

Attachments

Activity

Collapse comment: Orion Ifland added a comment - 2011-12-01 17:03

Expand comment: Orion Ifland added a comment - 2011-12-01 17:03

Collapse comment: Orion Ifland added a comment - 2011-12-01 17:04

Expand comment: Orion Ifland added a comment - 2011-12-01 17:04

People

Dates