• Type: Bug
    • Resolution: Fixed
    • Priority: Blocker
    • Platform: All, OS: Linux

      I am using the container managed security option with Hudson, and if a user does
      not have the role of 'admin', they get a 403 error when logging in. My
      tomcat-users.xml file is as follows:

      <?xml version='1.0' encoding='utf-8'?>
      <tomcat-users>
        <role rolename="build"/>
        <role rolename="admin"/>
        <user username="User2" password="xxxx" roles="build"/>
        <user username="User1" password="yyyy" roles="admin"/>
      </tomcat-users>

      Additionally, I added these two roles as groups in the Hudson configuration
      screen, with different permissions for each group; the names of the groups in
      Hudson match the names of the roles in the tomcat-users.xml file.

      User1 can log in without any trouble, but when User2 logs in, they get a 403
      error. If they type in the main home page URL manually, they can get to the
      screens they are allowed to see, and permissions seem to be working correctly.

      My hudson config.xml file is as follows (note that I have obfuscated my secret
      key to be extra careful):

      <?xml version='1.0' encoding='UTF-8'?>
      <hudson>
        <numExecutors>1</numExecutors>
        <useSecurity>true</useSecurity>
        <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
          <permission>hudson.model.Item.Build:build</permission>
          <permission>hudson.model.Item.Build:admin</permission>
          <permission>hudson.model.View.Create:admin</permission>
          <permission>hudson.model.View.Configure:admin</permission>
          <permission>hudson.model.Hudson.Read:build</permission>
          <permission>hudson.model.Hudson.Read:admin</permission>
          <permission>hudson.model.Item.Configure:admin</permission>
          <permission>hudson.model.View.Delete:admin</permission>
          <permission>hudson.model.Item.Create:admin</permission>
          <permission>hudson.model.Item.Delete:admin</permission>
          <permission>hudson.model.Run.Update:build</permission>
          <permission>hudson.model.Run.Update:admin</permission>
          <permission>hudson.model.Run.Delete:build</permission>
          <permission>hudson.model.Run.Delete:admin</permission>
          <permission>hudson.model.Hudson.Administer:admin</permission>
        </authorizationStrategy>
        <securityRealm class="hudson.security.LegacySecurityRealm"/>
        <jdks>
          <jdk>
            <name>JDK 1.5</name>
            <javaHome>/usr/java/jdk1.5.0_11/</javaHome>
          </jdk>
        </jdks>
        <slaves/>
        <quietPeriod>5</quietPeriod>
        <views/>
        <slaveAgentPort>0</slaveAgentPort>
        <secretKey>blahblahblah</secretKey>
      </hudson>

          [JENKINS-1235] 403 Error for legitimate users on Tomcat

          I believe this is already fixed in 1.166. See the changelog and
          http://www.nabble.com/Matrix-authorization-problem-tt14602081.html

          If you still see this problem, please reopen the issue.


          deryl added a comment -

          I am using 1.175 and it's still an issue – it's been an issue ever since I
          started trying to use the new security features. Per several comments in the
          thread, the only role that works for logging in is 'admin'.


          lkishalmi added a comment -

          Well, that happens because the first login request is handled by the container,
          which respects the web.xml security entry that requires all Hudson users to be in
          the "admin" role.

          It would be much nicer if the web.xml of Hudson requested a "user", "users" or
          "hudson" role. So the container authenticator realm shall be prepared for it.

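          The container-side gate that lkishalmi describes, as an added illustration that is
          not Hudson's shipped web.xml or the 1.316 change: the url-pattern, the "hudson"
          role name and the user entries are assumptions made for the example.

```xml
<!-- Added illustration, not Hudson's own web.xml. The url-pattern and the
     "hudson" role name are assumptions. -->

<!-- web.xml (fragment), BEFORE: the container admits only users holding the
     "admin" role. A user whose only role is "build" is rejected with 403 at the
     container, before Hudson's GlobalMatrixAuthorizationStrategy ever runs. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Hudson login</web-resource-name>
    <url-pattern>/loginEntry</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>admin</role-name>
</security-role>

<!-- web.xml (fragment), AFTER: gate the container login on a broad "hudson"
     role that every account holds. Fine-grained rights (Item.Build, Hudson.Read,
     Hudson.Administer, ...) stay in Hudson's permission matrix. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Hudson login</web-resource-name>
    <url-pattern>/loginEntry</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>hudson</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>hudson</role-name>
</security-role>

<!-- Matching tomcat-users.xml: every Hudson account carries "hudson" in
     addition to the role that maps to its group in the permission matrix.
     Users and passwords are the placeholders from the report above. -->
<tomcat-users>
  <role rolename="hudson"/>
  <role rolename="build"/>
  <role rolename="admin"/>
  <user username="User2" password="xxxx" roles="hudson,build"/>
  <user username="User1" password="yyyy" roles="hudson,admin"/>
</tomcat-users>
```

          Two things to check after such a change: the role named in the auth-constraint
          must also be declared in a security-role element, or the container will reject
          every login, and the group Hudson uses in its matrix (here "build") must still be
          granted Hudson.Read, as the posted config.xml already does, because passing the
          container check only gets the user as far as Hudson's own authorization.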

          Code changed in hudson
          User: kohsuke
          Path:
          trunk/hudson/main/war/resources/WEB-INF/web.xml
          trunk/www/changelog.html
          http://fisheye4.cenqua.com/changelog/hudson/?cs=19561
          Log:
          [FIXED JENKINS-1235] Added in 1.316.
          While this is not a general fix, it should improve the pain.


            Assignee: Unassigned
            Reporter: deryl