
ERR_CONTENT_DECODING_FAILED on Custom Views with Project-based Matrix Authorization

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component: core

      I have Jenkins set up with Project-based Matrix Authorization Strategy and have several custom build views.

      If a user attempts to switch to a view that has 1 or more projects that they do not have access to, Chrome brings up an error page with Error 330 (net::ERR_CONTENT_DECODING_FAILED): Unknown Error. Firefox brings up an error page saying "Content Encoding Error".

      Expected behavior would be to show no error and only show projects that the user has access to.

          [JENKINS-15437] ERR_CONTENT_DECODING_FAILED on Custom Views with Project-based Matrix Authorization

          Jacob Robertson added a comment -

          I cannot reproduce this. Can you give me some more exact steps? Also, are you using the view-job-filters plugin?

          Grant Limberg added a comment -

          My mistake. I think I miscategorized the component for this case. The issue I'm dealing with is in the normal dashboard views. I'm not using the view-job-filters plugin.


          Grant Limberg added a comment -

          Just to add a bit more detail to the issue I'm running up against.

          I'm using Project-based Matrix Authorization Strategy with the Unix user/group database security realm. I have 3 groups of users. The access configuration can be seen here: http://i.imgur.com/YiIMr.png

          The jenkins-user group is given access to jobs on a job-by-job basis. An example job matrix auth strategy for a project the 'jenkins-user' group has access to can be seen here: http://i.imgur.com/UW1ZK.png.

          Now, if I add a view (any view but the All view) to Jenkins that contains a single project that doesn't have the "Job Read" access level checked for a member of the jenkins-user group, the jenkins-user group member gets the error as described above. If all jobs in a view have the "Job Read" access level checked for the jenkins-user group, then all is fine and the view loads as expected.


          Grant Limberg added a comment - - edited

          Here's the list of plugins I'm currently running as well.

          name version enabled pinned
          external-monitor-job 1.1 true true
          ldap 1.1 true false
          pam-auth 1.0 true false
          ant 1.1 true false
          javadoc 1.0 true false
          cvs 2.6 true true
          next-build-number 1.0 false false
          scp 1.8 false false
          jython 1.9 true false
          bugzilla 1.5 false false
          setenv 1.1 true false
          cmakebuilder 1.9 false false
          ftppublisher 1.2 true false
          locks-and-latches 0.6 false false
          python 1.2 true false
          chucknorris 0.4 true false
          subversion 1.43 true true
          parameterized-trigger 2.16 true false
          token-macro 1.5.1 true false
          maven-plugin 1.486 true true
          copyartifact 1.24 true false
          jira 1.35 false false
          perforce 1.3.17 true false
          analysis-core 1.48 true false
          s3 0.3.0-SNAPSHOT (private-04/19/2012 22:11-grant) true false
          email-ext 2.24.1 true false
          view-job-filters 1.22 true false
          publish-over-ssh 1.8 false false
          translation 1.9 true true
          shelve-project-plugin 1.3 false false
          virtualbox 0.6 true false
          cppcheck 1.10 true false
          warnings 4.18 true false
          jenkins-multijob-plugin 1.5 true false
          redmine 0.10 true false
          ssh-slaves 0.21 true true
          xcode-plugin 1.3.1 true false
          envinject 1.72 true false
          promoted-builds 2.7 true false
          scm-sync-configuration 0.0.6 false false
          greenballs 1.12 true false
          timestamper 1.3.2 true false
          clang-scanbuild-plugin 1.3.1 true false
          ci-game 1.19 true false


          joni r added a comment -

          I came across the same issue while setting up the Project-based Matrix Authorization Strategy scheme. As a workaround I set job-read permission to all authenticated users at Jenkins level.


          Kohsuke Kawaguchi added a comment -

          Using wireshark, I see that the problem is because it's sending two sets of headers.

          GET /job/f/groups/newGroup HTTP/1.1
          Host: localhost:8080
          Connection: keep-alive
          Cache-Control: max-age=0
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.97 Safari/537.22
          Accept-Encoding: gzip,deflate,sdch
          Accept-Language: en-US,en;q=0.8,ja;q=0.6
          Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
          Cookie: screenResolution=2560x1600; JSESSIONID.23b85107=8ea7deb23efb25dda41e3d0e12af2421; screenResolution=2560x1600; JSESSIONID.f93f7440=b6bc70d2d3f01b2ce13240ea6cd4da2f

          HTTP/1.1 403 Forbidden
          Server: Winstone Servlet Engine v0.9.10
          Content-Encoding: gzip
          Expires: 0
          Cache-Control: no-cache,must-revalidate
          X-Hudson-Theme: default
          Content-Type: text/html;charset=UTF-8
          X-Hudson: 1.395
          X-Jenkins: 1.509.1.1-SNAPSHOT (Jenkins Enterprise by CloudBees 12.11)
          X-Jenkins-Session: a186bd6f
          X-Hudson-CLI-Port: 57208
          X-Jenkins-CLI-Port: 57208
          X-Jenkins-CLI2-Port: 57208
          X-SSH-Endpoint: localhost:55570
          X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnax9jJCeLEPg+yo3IgtSWGaaIxNFgBySsS96Rs91ra2HPjqNBODcgMSLhc0iJEV48XSJvi4XbFw8rZifMYih+5TgqBxYbcaWBMyrGcj3bYve3CaJKnmKOa9OYTQbaP6smL04ao7VlH6HjKrX9yqSKzfUfEmB5tJLTZyg/iqRgOizubNTyR9vFmtiGSivTeramK4AmIZB4zZ4DaylR6vY6FOjf9XIg/s2hpvxat/Jr2IuB+7fvUILP5E/t/Lwqs/MhFml33vUuAIqSk9B+QyJ4mGT14TRry1vMQvsn2RaYBB4m8DVbWpIccQLzBlaTw+1l3knh/VvGBguoCjx4KFGgwIDAQAB
          Content-Encoding: gzip
          Expires: 0
          Cache-Control: no-cache,must-revalidate
          X-Hudson-Theme: default
          X-Hudson: 1.395
          X-Jenkins: 1.509.1.1-SNAPSHOT (Jenkins Enterprise by CloudBees 12.11)
          X-Jenkins-Session: a186bd6f
          X-Hudson-CLI-Port: 57208
          X-Jenkins-CLI-Port: 57208
          X-Jenkins-CLI2-Port: 57208
          X-SSH-Endpoint: localhost:55570
          X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnax9jJCeLEPg+yo3IgtSWGaaIxNFgBySsS96Rs91ra2HPjqNBODcgMSLhc0iJEV48XSJvi4XbFw8rZifMYih+5TgqBxYbcaWBMyrGcj3bYve3CaJKnmKOa9OYTQbaP6smL04ao7VlH6HjKrX9yqSKzfUfEmB5tJLTZyg/iqRgOizubNTyR9vFmtiGSivTeramK4AmIZB4zZ4DaylR6vY6FOjf9XIg/s2hpvxat/Jr2IuB+7fvUILP5E/t/Lwqs/MhFml33vUuAIqSk9B+QyJ4mGT14TRry1vMQvsn2RaYBB4m8DVbWpIccQLzBlaTw+1l3knh/VvGBguoCjx4KFGgwIDAQAB
          Content-Length: 2203
          Connection: Keep-Alive
          Date: Fri, 21 Jun 2013 21:12:10 GMT
          X-Powered-By: Servlet/2.5 (Winstone/0.9.10)

          .... gzip encoded content follows ....

          The gzipped content itself appears OK, as I was able to gunzip it just fine. I think it is the fact that there are two Content-Encoding headers that's breaking the browser.
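
Added example, not part of the original thread or of the Jenkins code base: a Python check that parses a raw response shaped like the capture above, reports header names sent more than once, and decodes the body the way a client would. It assumes the client combines repeated Content-Encoding fields into one list, as HTTP permits for list-valued headers; the sample response and all function names are constructed for illustration.

```python
import gzip
import zlib

# Constructed sample: the body is gzipped once, but the 403 response carries
# Content-Encoding twice, as in the capture above (other headers omitted).
BODY = b"<html><body>Access Denied</body></html>"
RAW_DUPLICATED = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Content-Type: text/html;charset=UTF-8\r\n"
    b"Content-Encoding: gzip\r\n"
    b"\r\n" + gzip.compress(BODY)
)
RAW_FIXED = RAW_DUPLICATED.replace(b"Content-Encoding: gzip\r\n", b"", 1)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, header list, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def repeated_headers(headers):
    """Return {name: count} for every header name sent more than once."""
    counts = {}
    for name, _ in headers:
        counts[name] = counts.get(name, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}


def decode_body(headers, body):
    """Decode as a client would: repeated Content-Encoding fields form one
    comma-separated list, and codings are undone last-applied first."""
    codings = [c.strip().lower() for n, v in headers if n == "content-encoding"
               for c in v.split(",") if c.strip()]
    for coding in reversed(codings):
        if coding != "gzip":
            raise ValueError("unsupported coding: " + coding)
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError, zlib.error) as exc:
            raise ValueError("content decoding failed: %s" % exc)
    return body
```

With the duplicated header the first gunzip succeeds and the second one fails on plain HTML, which matches the observation that the gzipped content itself was fine.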

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          changelog.html
          core/pom.xml
          core/src/main/java/hudson/security/AccessDeniedHandlerImpl.java
          core/src/main/resources/lib/layout/layout.jelly
          http://jenkins-ci.org/commit/jenkins/d3575548bbd39acdbc0f73533f9078d59828b428
          Log:
          [FIXED JENKINS-15437]

          The exception handler ended up adding almost all the headers again,
          resulting in a lot of duplicate headers.

          Most critically, stapler was adding "Content-Encoding" header twice,
          breaking browsers.

          dogfood added a comment -

          Integrated in jenkins_main_trunk #2655
          [FIXED JENKINS-15437] (Revision d3575548bbd39acdbc0f73533f9078d59828b428)

          Result = SUCCESS
          kohsuke : d3575548bbd39acdbc0f73533f9078d59828b428
          Files :

          • changelog.html
          • core/src/main/java/hudson/security/AccessDeniedHandlerImpl.java
          • core/src/main/resources/lib/layout/layout.jelly
          • core/pom.xml


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          core/src/main/java/hudson/security/AccessDeniedHandlerImpl.java
          core/src/main/resources/lib/layout/layout.jelly
          http://jenkins-ci.org/commit/jenkins/af59db06f0eba2674fc8338d3ba18335541eae32
          Log:
          [FIXED JENKINS-15437]

          The exception handler ended up adding almost all the headers again,
          resulting in a lot of duplicate headers.

          Most critically, stapler was adding "Content-Encoding" header twice,
          breaking browsers.

          (cherry picked from commit d3575548bbd39acdbc0f73533f9078d59828b428)

          Conflicts:
          changelog.html
          core/pom.xml

            kohsuke Kohsuke Kawaguchi
            glimberg Grant Limberg