Details
-
Type:
Bug
-
Status: Closed (View Workflow)
-
Priority:
Blocker
-
Resolution: Won't Fix
-
Component/s: reverse-proxy-auth-plugin
-
Labels:None
-
Environment:Jenkins V1.546
Ubuntu 12.04 LTS
-
Similar Issues:
Description
Our configuration is that users access Jenkins through an Apache2 reverse proxy that provides integrated browser authentication using Kerberos. Our Jenkins server is configured to use the reverse-proxy-auth to read the X-Forwarded-User HTTP header and set that as the Jenkins user identity.
This has ran for over a year without any issues.
Recently I updated to V1.546 of Jenkins. Any attempt to access Jenkins now results in a Null Pointer Exception on a page access, rendering this version of Jenkins totally unusable. I've attached the stack trace as a text file to preserve formatting.
Having a brief look at the code, this is occurring on line 366 of the latest reverse-proxy-auth plugin (V1.3). This is simply calling the HTTPServletRequest.getHeader method to retrieve any user name passed in the HTTP request. This is coded to the API docs which state that if such a header does not exist then NULL will be returned.
In V1.546, the implementation of this getHeader method has now started failing. I suspect this is a bug with the bundled version of the Jetty code rather than being a Jenkins code issue. I'll have a look at the code when I get a chance to trace this back but wanted to raise this in case anyone else experiences a similar issue and hopefully link it to any Jetty related bugs that might be raised.
Attachments
Activity
Same here.
1.0.1 is working fine, but 1.2 to 1.3.1 produce the following NPE:
Jan 10, 2014 10:56:38 AM org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING:
java.lang.NullPointerException
at org.eclipse.jetty.util.StringUtil.getBytes(StringUtil.java:378)
at org.eclipse.jetty.io.ByteArrayBuffer.<init>(ByteArrayBuffer.java:81)
at org.eclipse.jetty.io.ByteArrayBuffer$CaseInsensitive.<init>(ByteArrayBuffer.java:424)
at org.eclipse.jetty.io.BufferCache$CachedBuffer.<init>(BufferCache.java:134)
at org.eclipse.jetty.io.BufferCache.lookup(BufferCache.java:101)
at org.eclipse.jetty.http.HttpFields.getField(HttpFields.java:402)
at org.eclipse.jetty.http.HttpFields.getStringField(HttpFields.java:431)
at org.eclipse.jetty.server.Request.getHeader(Request.java:605)
at org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm$1.doFilter(ReverseProxySecurityRealm.java:324)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
at org.eclipse.jetty.server.Server.handle(Server.java:370)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:724)
Environment here is: Ubuntu 13.10 (x86_64), Jenkins 1.546 and 1.547
Benjamin Urban
added a comment - - edited Same here.
1.0.1 is working fine, but 1.2 to 1.3.1 produce the following NPE:
Jan 10, 2014 10:56:38 AM org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING:
java.lang.NullPointerException
at org.eclipse.jetty.util.StringUtil.getBytes(StringUtil.java:378)
at org.eclipse.jetty.io.ByteArrayBuffer.<init>(ByteArrayBuffer.java:81)
at org.eclipse.jetty.io.ByteArrayBuffer$CaseInsensitive.<init>(ByteArrayBuffer.java:424)
at org.eclipse.jetty.io.BufferCache$CachedBuffer.<init>(BufferCache.java:134)
at org.eclipse.jetty.io.BufferCache.lookup(BufferCache.java:101)
at org.eclipse.jetty.http.HttpFields.getField(HttpFields.java:402)
at org.eclipse.jetty.http.HttpFields.getStringField(HttpFields.java:431)
at org.eclipse.jetty.server.Request.getHeader(Request.java:605)
at org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm$1.doFilter(ReverseProxySecurityRealm.java:324)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
at org.eclipse.jetty.server.Server.handle(Server.java:370)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:724)
Environment here is: Ubuntu 13.10 (x86_64), Jenkins 1.546 and 1.547 I have the same as Benjamin, that may to not be the same NPE than Martin and than Ireneusz (lots of NPE out there).
After reverse proxy auth plugin upgrade (from 1.0.1 to 1.3.1) and restart, Jenkins always gives:
java.lang.NullPointerException at org.eclipse.jetty.util.StringUtil.getBytes(StringUtil.java:383) at org.eclipse.jetty.io.ByteArrayBuffer.<init>(ByteArrayBuffer.java:81) at org.eclipse.jetty.io.ByteArrayBuffer$CaseInsensitive.<init>(ByteArrayBuffer.java:424) at org.eclipse.jetty.io.BufferCache$CachedBuffer.<init>(BufferCache.java:134) at org.eclipse.jetty.io.BufferCache.lookup(BufferCache.java:101) at org.eclipse.jetty.http.HttpFields.getField(HttpFields.java:402) at org.eclipse.jetty.http.HttpFields.getStringField(HttpFields.java:431) at org.eclipse.jetty.server.Request.getHeader(Request.java:605) at org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm$1.doFilter(ReverseProxySecurityRealm.java:366) at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482) at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482) at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116) at org.eclipse.jetty.server.Server.handle(Server.java:370) at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489) at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949) at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011) at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644) at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235) at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82) at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668) at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52) at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:724)
Debian wheezy
Jenkins 1.545
Revert to 1.0.1 solves the problem.
BTW, I don't know how to find the Groovy line where the error is, using the line number printed in the stacktrace.
Sylvain Veyrié
added a comment - I have the same as Benjamin, that may to not be the same NPE than Martin and than Ireneusz (lots of NPE out there).
After reverse proxy auth plugin upgrade (from 1.0.1 to 1.3.1) and restart, Jenkins always gives:
java.lang.NullPointerException
at org.eclipse.jetty.util.StringUtil.getBytes(StringUtil.java:383)
at org.eclipse.jetty.io.ByteArrayBuffer.<init>(ByteArrayBuffer.java:81)
at org.eclipse.jetty.io.ByteArrayBuffer$CaseInsensitive.<init>(ByteArrayBuffer.java:424)
at org.eclipse.jetty.io.BufferCache$CachedBuffer.<init>(BufferCache.java:134)
at org.eclipse.jetty.io.BufferCache.lookup(BufferCache.java:101)
at org.eclipse.jetty.http.HttpFields.getField(HttpFields.java:402)
at org.eclipse.jetty.http.HttpFields.getStringField(HttpFields.java:431)
at org.eclipse.jetty.server.Request.getHeader(Request.java:605)
at org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm$1.doFilter(ReverseProxySecurityRealm.java:366)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
at org.eclipse.jetty.server.Server.handle(Server.java:370)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:724)
Debian wheezy
Jenkins 1.545
Revert to 1.0.1 solves the problem.
BTW, I don't know how to find the Groovy line where the error is, using the line number printed in the stacktrace. I have the same... My is braking on isEmpty method on group checking...
Still failing with Jenkins 1.558 and reverse-proxy-auth 1.3.3.
Sylvain Veyrié
added a comment - Still failing with Jenkins 1.558 and reverse-proxy-auth 1.3.3. This seems to be caused by older, incompatible Reverse Proxy Plugin config.xml data being bound into newer classes. Disabling security (https://wiki.jenkins-ci.org/display/JENKINS/Disable+security) and reconfiguring the Reverse Proxy Plugin Authentication (under Manage Jenkins > Configure Global Security) seems to fix the issue.
Chris Frohoff
added a comment - This seems to be caused by older, incompatible Reverse Proxy Plugin config.xml data being bound into newer classes. Disabling security ( https://wiki.jenkins-ci.org/display/JENKINS/Disable+security ) and reconfiguring the Reverse Proxy Plugin Authentication (under Manage Jenkins > Configure Global Security) seems to fix the issue. That's true.
Instead of restart configuration from scratch, the proper workaround is to edit the config.xml file, et replace:
<securityRealm class="org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm" plugin="reverse-proxy-auth-plugin@1.0.1"> <header>X-Forwarded-User</header> </securityRealm>
by:
<securityRealm class="org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm" plugin="reverse-proxy-auth-plugin@1.3.3"> <proxyTemplate/> <authContext/> <inhibitInferRootDN>false</inhibitInferRootDN> <userSearchBase></userSearchBase> <userSearch>uid={0}</userSearch> <authorities/> <forwardedUser>X-Forwarded-User</forwardedUser> <headerGroups>X-Forwarded-Groups</headerGroups> <headerGroupsDelimiter>|</headerGroupsDelimiter> </securityRealm>
Still, this is a bug: the plugin should not do a NPE if it does not find either of proxyTemplate, authContext, inhibitInferRootDN, userSearchBase, userSearch, forwardedUser, headerGroups and headerGroupsDelimiter. Migrate from the previous configuration format should be the best thing to do.
Sylvain Veyrié
added a comment - That's true.
Instead of restart configuration from scratch, the proper workaround is to edit the config.xml file, et replace:
<securityRealm class= "org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm" plugin= "reverse-proxy-auth-plugin@1.0.1" >
<header> X-Forwarded-User </header>
</securityRealm>
by:
<securityRealm class= "org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm" plugin= "reverse-proxy-auth-plugin@1.3.3" >
<proxyTemplate/>
<authContext/>
<inhibitInferRootDN> false </inhibitInferRootDN>
<userSearchBase> </userSearchBase>
<userSearch> uid={0} </userSearch>
<authorities/>
<forwardedUser> X-Forwarded-User </forwardedUser>
<headerGroups> X-Forwarded-Groups </headerGroups>
<headerGroupsDelimiter> | </headerGroupsDelimiter>
</securityRealm>
Still, this is a bug: the plugin should not do a NPE if it does not find either of proxyTemplate, authContext, inhibitInferRootDN, userSearchBase, userSearch, forwardedUser, headerGroups and headerGroupsDelimiter. Migrate from the previous configuration format should be the best thing to do. Due to the breaking changes introduced between 1.0.x and 1.3.x, such an update could be problematic, if you have some trouble you can follow the workaround proposed here. Otherwise open a new issue.
I have the same here after upgrading of reverse-proxy-auth from 1.0.1 to 1.3. My Jenkins version is 1.532.1 (LTS)
Here is stacktrace:
java.lang.NullPointerException
at winstone.WinstoneRequest.extractFirstHeader(WinstoneRequest.java:210)
at winstone.WinstoneRequest.getHeader(WinstoneRequest.java:1199)
at org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm$1.doFilter(ReverseProxySecurityRealm.java:324)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
at winstone.RequestDispatcher.forward(RequestDispatcher.java:331)
at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:227)
at winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)