-
Bug
-
Resolution: Fixed
-
Major
-
Powered by SuggestiMate
I have Jenkins set up with Project-based Matrix Authorization Strategy and have several custom build views.
If a user attempts to switch to a view that has 1 or more projects that they do not have access to, Chrome brings up an error page with Error 330 (net::ERR_CONTENT_DECODING_FAILED: Unknown Error. Firefox brings up an error page saying "Content Encoding Error".
Expected behavior would be to show no error and only show projects that the user has access to.
[JENKINS-15437] ERR_CONTENT_DECODING_FAILED on Custom Views with Project-based Matrix Authorization
My mistake. I think I miscategorized the component for this case. The issue I'm dealing with is in the normal dashboard views. I'm not using the view-job-filters plugin.
Just to add a bit more detail to the issue I'm running up against.
I'm using Project-based Matrix Authorization Strategy with the Unix user/group database security realm. I have 3 groups of users. The access configuration can be seen here: http://i.imgur.com/YiIMr.png
The jenkins-user group is given access to jobs on a job-by-job basis. An example job matrix auth strategy for a project the 'jenkins-user' group has access to can be seen here: http://i.imgur.com/UW1ZK.png.
Now, if I add a view (any view but the All view) to Jenkins that contains a single project that doesn't have the "Job Read" access level checked for a member of the jenkins-user group, the jenkins-user group member gets the error as described above. If all jobs in a view have the "Job Read" acces level checked for the jenkins-user group, then all is fine and the view loads as expected.
Here's the list of plugins I'm currently running as well.
name | version | enabled | pinned |
---|---|---|---|
external-monitor-job | 1.1 | true | true |
ldap | 1.1 | true | false |
pam-auth | 1.0 | true | false |
ant | 1.1 | true | false |
javadoc | 1.0 | true | false |
cvs | 2.6 | true | true |
next-build-number | 1.0 | false | false |
scp | 1.8 | false | false |
jython | 1.9 | true | false |
bugzilla | 1.5 | false | false |
setenv | 1.1 | true | false |
cmakebuilder | 1.9 | false | false |
ftppublisher | 1.2 | true | false |
locks-and-latches | 0.6 | false | false |
python | 1.2 | true | false |
chucknorris | 0.4 | true | false |
subversion | 1.43 | true | true |
parameterized-trigger | 2.16 | true | false |
token-macro | 1.5.1 | true | false |
maven-plugin | 1.486 | true | true |
copyartifact | 1.24 | true | false |
jira | 1.35 | false | false |
perforce | 1.3.17 | true | false |
analysis-core | 1.48 | true | false |
s3 | 0.3.0-SNAPSHOT (private-04/19/2012 22:11-grant) | true | false |
email-ext | 2.24.1 | true | false |
view-job-filters | 1.22 | true | false |
publish-over-ssh | 1.8 | false | false |
translation | 1.9 | true | true |
shelve-project-plugin | 1.3 | false | false |
virtualbox | 0.6 | true | false |
cppcheck | 1.10 | true | false |
warnings | 4.18 | true | false |
jenkins-multijob-plugin | 1.5 | true | false |
redmine | 0.10 | true | false |
ssh-slaves | 0.21 | true | true |
xcode-plugin | 1.3.1 | true | false |
envinject | 1.72 | true | false |
promoted-builds | 2.7 | true | false |
scm-sync-configuration | 0.0.6 | false | false |
greenballs | 1.12 | true | false |
timestamper | 1.3.2 | true | false |
clang-scanbuild-plugin | 1.3.1 | true | false |
ci-game | 1.19 | true | false |
I came across same issue while setting up Project-based Matrix Authorization Strategy -scheme. As a workaround I set job-read permission to all authenticated users at Jenkins level.
Using wireshark, I see that the problem is because it's sending two sets of headers.
GET /job/f/groups/newGroup HTTP/1.1 Host: localhost:8080 Connection: keep-alive Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.97 Safari/537.22 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8,ja;q=0.6 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: screenResolution=2560x1600; JSESSIONID.23b85107=8ea7deb23efb25dda41e3d0e12af2421; screenResolution=2560x1600; JSESSIONID.f93f7440=b6bc70d2d3f01b2ce13240ea6cd4da2f HTTP/1.1 403 Forbidden Server: Winstone Servlet Engine v0.9.10 Content-Encoding: gzip Expires: 0 Cache-Control: no-cache,must-revalidate X-Hudson-Theme: default Content-Type: text/html;charset=UTF-8 X-Hudson: 1.395 X-Jenkins: 1.509.1.1-SNAPSHOT (Jenkins Enterprise by CloudBees 12.11) X-Jenkins-Session: a186bd6f X-Hudson-CLI-Port: 57208 X-Jenkins-CLI-Port: 57208 X-Jenkins-CLI2-Port: 57208 X-SSH-Endpoint: localhost:55570 X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnax9jJCeLEPg+yo3IgtSWGaaIxNFgBySsS96Rs91ra2HPjqNBODcgMSLhc0iJEV48XSJvi4XbFw8rZifMYih+5TgqBxYbcaWBMyrGcj3bYve3CaJKnmKOa9OYTQbaP6smL04ao7VlH6HjKrX9yqSKzfUfEmB5tJLTZyg/iqRgOizubNTyR9vFmtiGSivTeramK4AmIZB4zZ4DaylR6vY6FOjf9XIg/s2hpvxat/Jr2IuB+7fvUILP5E/t/Lwqs/MhFml33vUuAIqSk9B+QyJ4mGT14TRry1vMQvsn2RaYBB4m8DVbWpIccQLzBlaTw+1l3knh/VvGBguoCjx4KFGgwIDAQAB Content-Encoding: gzip Expires: 0 Cache-Control: no-cache,must-revalidate X-Hudson-Theme: default X-Hudson: 1.395 X-Jenkins: 1.509.1.1-SNAPSHOT (Jenkins Enterprise by CloudBees 12.11) X-Jenkins-Session: a186bd6f X-Hudson-CLI-Port: 57208 X-Jenkins-CLI-Port: 57208 X-Jenkins-CLI2-Port: 57208 X-SSH-Endpoint: localhost:55570 X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnax9jJCeLEPg+yo3IgtSWGaaIxNFgBySsS96Rs91ra2HPjqNBODcgMSLhc0iJEV48XSJvi4XbFw8rZifMYih+5TgqBxYbcaWBMyrGcj3bYve3CaJKnmKOa9OYTQbaP6smL04ao7VlH6HjKrX9yqSKzfUfEmB5tJLTZyg/iqRgOizubNTyR9vFmtiGSivTeramK4AmIZB4zZ4DaylR6vY6FOjf9XIg/s2hpvxat/Jr2IuB+7fvUILP5E/t/Lwqs/MhFml33vUuAIqSk9B+QyJ4mGT14TRry1vMQvsn2RaYBB4m8DVbWpIccQLzBlaTw+1l3knh/VvGBguoCjx4KFGgwIDAQAB Content-Length: 2203 Connection: Keep-Alive Date: Fri, 21 Jun 2013 21:12:10 GMT X-Powered-By: Servlet/2.5 (Winstone/0.9.10) .... gzip encoded content follows ....
The gzipped content itself appears OK, as I was able to gunzip it just fine. I think it is the fact that there are two Content-Encoding header that's breaking the browser.
Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
changelog.html
core/pom.xml
core/src/main/java/hudson/security/AccessDeniedHandlerImpl.java
core/src/main/resources/lib/layout/layout.jelly
http://jenkins-ci.org/commit/jenkins/d3575548bbd39acdbc0f73533f9078d59828b428
Log:
[FIXED JENKINS-15437]
The exception handler ended up adding almost all the headers again,
resulting in a lot of duplicate headers.
Most critically, stapler was adding "Content-Encoding" header twice,
breaking browsers.
Integrated in jenkins_main_trunk #2655
[FIXED JENKINS-15437] (Revision d3575548bbd39acdbc0f73533f9078d59828b428)
Result = SUCCESS
kohsuke : d3575548bbd39acdbc0f73533f9078d59828b428
Files :
- changelog.html
- core/src/main/java/hudson/security/AccessDeniedHandlerImpl.java
- core/src/main/resources/lib/layout/layout.jelly
- core/pom.xml
Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
core/src/main/java/hudson/security/AccessDeniedHandlerImpl.java
core/src/main/resources/lib/layout/layout.jelly
http://jenkins-ci.org/commit/jenkins/af59db06f0eba2674fc8338d3ba18335541eae32
Log:
[FIXED JENKINS-15437]
The exception handler ended up adding almost all the headers again,
resulting in a lot of duplicate headers.
Most critically, stapler was adding "Content-Encoding" header twice,
breaking browsers.
(cherry picked from commit d3575548bbd39acdbc0f73533f9078d59828b428)
Conflicts:
changelog.html
core/pom.xml
I cannot reproduce this. Can you give me some more exact steps. Also, are you using the view-job-filters plugin?