This bug has been resolved in Subversion Plugin 2.3. You just need to reconfigure your jobs. You have to add all SVN Credentials as "Additional Credentials" in the job config with correct realm notation "<proto://server:port> SvnRealmName". Please read the comments below.

Daniel: I am still experiencing authentication failures even with the additional credentials set.
My setup has Jenkins 1.552 and Subversion Plugin 2.2 (All Windows7 master/slaves).
There are several jobs checking out repositories with SVN externals set. All fail randomly.
One of the simpler jobs checks out a working directory from a repository with the following structure:

RepoA
├── ProjectA
│      └── trunk
│            ├── FolderA
│            └── FolderB
└── ProjectB
       └── trunk
              ├── FolderA
              └── FolderB <--- SVN External (^/ProjectA/trunk/FolderB)

ProjectB/trunk is set to be checked out, and the authentication fails on the SVN external.
I have added "Additional Credentials" with the realm set for RepoA, but still get "No credential to try. Authentication failed" as in the following stack trace:

hudson.util.IOException2: revision check failed on http://xxxxx/svn/ProjectA/trunk/FolderB
	at hudson.scm.SubversionChangeLogBuilder.buildModule(SubversionChangeLogBuilder.java:189)
	at hudson.scm.SubversionChangeLogBuilder.run(SubversionChangeLogBuilder.java:132)
	at hudson.scm.SubversionSCM.calcChangeLog(SubversionSCM.java:738)
	at hudson.scm.SubversionSCM.checkout(SubversionSCM.java:899)
	at hudson.model.AbstractProject.checkout(AbstractProject.java:1411)
	at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:652)
	at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:88)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:561)
	at hudson.model.Run.execute(Run.java:1665)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:46)
	at hudson.model.ResourceController.execute(ResourceController.java:88)
	at hudson.model.Executor.run(Executor.java:246)
Caused by: org.tmatesoft.svn.core.SVNCancelException: svn: E200015: OPTIONS /svn/xxxxx/svn/ProjectA/trunk/FolderB failed
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:384)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:373)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:361)
	at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.performHttpRequest(DAVConnection.java:707)
	at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.exchangeCapabilities(DAVConnection.java:627)
	at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.open(DAVConnection.java:102)
	at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.openConnection(DAVRepository.java:1020)
	at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.getLatestRevision(DAVRepository.java:180)
	at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgRepositoryAccess.getRevisionNumber(SvnNgRepositoryAccess.java:118)
	at org.tmatesoft.svn.core.internal.wc2.SvnRepositoryAccess.getLocations(SvnRepositoryAccess.java:148)
	at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgRepositoryAccess.createRepositoryFor(SvnNgRepositoryAccess.java:45)
	at org.tmatesoft.svn.core.internal.wc2.remote.SvnRemoteLog.run(SvnRemoteLog.java:160)
	at org.tmatesoft.svn.core.internal.wc2.remote.SvnRemoteLog.run(SvnRemoteLog.java:35)
	at org.tmatesoft.svn.core.internal.wc2.SvnOperationRunner.run(SvnOperationRunner.java:20)
	at org.tmatesoft.svn.core.wc2.SvnOperationFactory.run(SvnOperationFactory.java:1238)
	at org.tmatesoft.svn.core.wc2.SvnOperation.run(SvnOperation.java:294)
	at org.tmatesoft.svn.core.wc.SVNLogClient.doLog(SVNLogClient.java:967)
	at org.tmatesoft.svn.core.wc.SVNLogClient.doLog(SVNLogClient.java:872)
	at hudson.scm.SubversionChangeLogBuilder.buildModule(SubversionChangeLogBuilder.java:177)
	... 11 more
Caused by: org.tmatesoft.svn.core.SVNCancelException: svn: E200015: No credential to try. Authentication failed
	at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.cancel(SVNErrorManager.java:37)
	at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.cancel(SVNErrorManager.java:32)
	at org.tmatesoft.svn.core.internal.wc.DefaultSVNAuthenticationManager.getFirstAuthentication(DefaultSVNAuthenticationManager.java:185)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection._request(HTTPConnection.java:694)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:382)
	... 29 more

@chikigai:
the mistake I at first made was to enter the complete url to the external subproject as realm.
you have to enter it like in the screenshot I attached:

make sure to include the pointy brackets and to enter the title the server responses when you access it through the web interface (as Daniel said in comment-196363)
Our server provides this dialog
so "VisualSVN Server" is what I entered after the host-url (which is the one under the white rectangle).

This works for us and as we have a repository structure very similar to yours hopefully also works for you.

Does anybody know how to find out what realm to enter if you're using the "svn://" protocol, not http?

Alternative ways to find out your auth realm:

Command line SVN:

svn --no-auth-cache --config-dir invalid info proto://host:port/path/to/repo will show the auth realm, possibly after asking you to accept the certificate temporarily.

$ svn --no-auth-cache --config-dir invalid info proto://host:port/path/to/repo
Authentication realm: <proto://host:port> VisualSVN Server
Password for 'danielbeck': 

(invalid is the name of the directory – --config-dir – to get SVN client config from; in this case, should be non-existing dir, resulting in ignoring existing preferences like saved credentials). The dir will likely be created, just delete it afterwards.

Check the server config

If you use svnserve to serve the repo, check the realm directive in the [general] section of /path/to/repo/conf/svnserve.conf.

Patch the Subversion plugin

Unfortunately, logging is lacking in the current version of the plugin. This patch adds logging of URL and realm to auth attempts (logger hudson.scm.CredentialsSVNAuthenticationProviderImpl, level FINE):
https://github.com/daniel-beck/subversion-plugin/commit/e210707cef0dd419af4c0e4f409f0a16ef942156

Ask your SVN admin

Seriously. They'll know. (If you're the admin, well, maybe you shouldn't be.)

@soukupmi
Thank you for the detailed description.
However, I have already entered the realm as you have explained.
As I have stated in my previous comments, the failures are very random.
The authentication succeeds on some occasions, and fails on others.
I've even had the authentication succeed on the external without any additional credentials on some occasions.
Therefore, I am quite doubtful that the failures I am facing have anything to do with additional credentials.

Chikigai: It's likely a specific set of circumstances you didn't determine yet.

• Does it affect only certain projects?
• Does it affect only builds executing on certain slaves?
• Does it affect only certain actions (checkout, SVN post-commit hook, polling, ...)
• Does it affect only builds using a clean (or pre-existing) workspace?
• Does it affect only projects without existing builds?
• ...

if there's any variation in stack traces with the exception, posting those would be useful as well.

For example, I didn't even notice this problem (affected were polling and post-commit hook; resolved by adding extra credentials and patching the plugin, respectively) at first, as manually started builds successfully checked out everything, including the external. It's just that no build was able to detect changes in the external location (+ tons of exceptions logged like this one).

@danielbeck
OK, here's some more info which hopefully would be of some use.
Let me explain with some additions to the repository structure I used previously:

RepoA
├── ProjectA
│      └── trunk
│            ├── FolderA
│            └── FolderB
│                    └── external.c
└── ProjectB
       └── trunk
              ├── FolderA
              │     └── internal.c
              └── FolderB <--- SVN External (^/ProjectA/trunk/FolderB)

I have two jobs where:
[Job A]
Checks out ProjectA/trunk and then triggers Job B. (I created this job since changes in "external.c" would not be picked and trigger Job B)

[Job B]
Checks out ProjectB/trunk and runs a build.
Contains an additional credential as discussed in earlier comments.

And now a list of build triggers I tried with results:
[Job A + Manual trigger]
Job A succeeds, Job B is triggered and succeeds.

[Job B + Manual trigger]
Job B succeeds.

[Change/Commit "internal.c" + post-commit hook trigger]
Job B succeeds.

[Change/Commit "external.c" + post-commit hook trigger]
Job A succeeds, Job B is triggered and fails with authentication failure on the SVN external.
This failure occurs every single time via a post-commit hook trigger when "external.c" is commited.
Stack trace is exactly the same as posted in comment-196434.

I've same problem after update to 1.554

And I have workaround for this bug.
I changed svn update option to
"Emulate clean checkout by first deleting unversioned/ignored files, then 'svn update'"

@Alexander: I tried that ("Emulate clean checkout by first deleting unversioned/ignored files, then 'svn update'") today after updating to 1.554 - did not work.
same response as usual:

Started on 13.03.2014 08:41:58
Received SCM poll call ...
ERROR: Failed to check repository revision for https://[server]:8443/svn/IAB2.5/trunk/Library
org.tmatesoft.svn.core.SVNCancelException: svn: E200015: OPTIONS /svn/IAB2.5/trunk/Library failed
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:384)
	...
	at java.lang.Thread.run(Unknown Source)
Caused by: org.tmatesoft.svn.core.SVNCancelException: svn: E200015: No credential to try. Authentication failed
	at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.cancel(SVNErrorManager.java:37)

with the additional realm:

Started on 13.03.2014 09:26:04
Received SCM poll call on  for GATS on 13.03.2014 09:26:04
https://[server]:8443/svn/IAB2.5/branches/...GATS is at revision 6.235
https://[server]:8443/svn/IAB2.5/trunk/Library is at revision 7.106
https://[server]:8443/svn/IAB2.5/Projekte/...GATS is at revision 6.935
Done. Took 0,49 sec
No changes

@chikigai: you said

I have two jobs where:
[Job A]
Checks out ProjectA/trunk and then triggers Job B. (I created this job since changes in "external.c" would not be picked and trigger Job B)

[Job B]
Checks out ProjectB/trunk and runs a build.
Contains an additional credential as discussed in earlier comments.

did you also try with entering the additional credentials for Job A, too?

@soukupmi
Yes, I tried with additional credentials for Job A and Job B still fails.
If it worked however, I would be wondering how the credentials for one job would affect another.

@~chikigai: Is the behavior independent of whether a workspace already exists, and independent of whether earlier builds exist? Please create new projects just with the SCM config if necessary. I'll try to take a look at this tomorrow or on the weekend if I know how to reliably reproduce the problem.

@danielbeck
I created a repository exactly as posted in comment-196534.
Also created fresh jobs for Job A & B which only perform a checkout. (Additional credentials added too)
Here's what happened:

[Change/Commit "external.c" + post-commit hook trigger]
First time: Job A succeeds, Job B is triggered and succeeds.
Second time and onwards: Job A succeeds, Job B is triggered and fails.

I then deleted the workspace for Job B and tried again.
Job B fails.

I then deleted previous build related data and the workspace for job B and tried again.
No problems first time and Job B fails from second time onwards.

I then deleted previous build related data for job B and tried again. (left the workspace untouched)
No problems first time and Job B fails from second time onwards.

So with the fresh jobs and repository I used, it looks like previous build data of Job B is the failing factor.

Our repository structure in the SVN looks like this:

IAB2.5
  +-- trunk
  |     +-- Library
  |           +-- FolderA
  |           |     +-- externalA.c
  |           +-- FolderB
  |           |     +-- externalB.c
  |           +-- externalC.c
  |
  +-- branches
  |     +-- ProjectA
  |     |     +-- FolderA
  |     |     |     +-- external1.c
  |    	|     +-- FolderB
  |    	|     |     +-- external2.c
  |    ...    +-- external3.c
  |
  +-- Projects
        +-- ProjectB       <--- Jenkins Job A - watched for svn changes
        |     +-- FolderA  <--- SVN External (^/trunk/Library)
        |     +-- FolderB  <--- SVN External (^/branches/ProjectA)
        |     +-- FolderC
        |           +-- internal.c
        |
        +-- ProjectB1      <--- Jenkins Job B - triggered by Job A
        |     +-- FolderA  <--- SVN External (^/trunk/Library)
        |     +-- FolderB  <--- SVN External (^/branches/ProjectA1)
        |     +-- FolderC
       ...          +-- internal.c

Job A in Jenkins triggers on all SVN changes in the root Project, e.g.

• externalA.c
• externalB.c
• external2.c
• external3.c
• internal.c

--> they all trigger the checkout and rebuild of our ProjectB.
So a change in your external.c should be able to trigger your Job B too, as there is a new revision number created for it on the commit.

Also our ProjectB1 gets built by Job B which is started by Job A after it has finished.
They all work well now (all Jobs with additional credentials set, though).

Anyway, instead of post-commit hook trigger or any other hook we use svn polling (check repository every 1/4 hour). Could this be the reason why our setup works?

Chikigai: I may have fixed your issue. Completely untested (don't have a suitable test environment right now):
Commit: https://github.com/daniel-beck/subversion-plugin/commit/bb33856de17663faf1a26eebe86ba00076053394
Branch: https://github.com/daniel-beck/subversion-plugin/tree/notify-commit-external-credentials

How to checkout and build:

git clone https://github.com/daniel-beck/subversion-plugin.git . ; git checkout notify-commit-external-credentials ; mvn -DskipTests=true

@danielbeck
Forgive me for my lack of knowledge (this is the first time I'm building a Jenkins Plugin), but I'm unable to test your fix.
Here's what I tried:

1. Clone subversion-plugin
2. Checkout notify-commit-external-credentials
3. Build using maven
4. Installed subversion.hpi created in the target directory

The plugin is based on version 1.45 (shown in the installed plugins page) and does not recognize the credential related job settings.
I will have to add the credential again using the older method, but surely this is not what's expected.
I'm assuming I got something wrong here, so can you possibly point me in the right direction?

@soukupmi

So a change in your external.c should be able to trigger your Job B too, as there is a new revision number created for it on the commit.

Yes, that's what I expect too.
However, I have had some cases where the build would not start.
(Bare in mind the repository structure and externals set are far more complex than the example I've used)
I'm planning to look into this again once this issue with credentials is sorted out.

Chikigai: Subversion plugin 1.45 is bundled with Jenkins from 1.514-1.553, so it looks like you're back to the version bundled with your Jenkins.

If you installed the plugin by first removing everything in the $JENKINS_HOME/plugins folder whose name starts with subversion, start over, but this time create (or keep) the empty file named subversion.jpi.pinned – it prevents override from bundled plugins. The safest way to install/update is by using the file upload in Manage Jenkins » Manage Plugins » Advanced (if you're on 1.512 or later).

If my assumption is wrong, explain in detail how you installed the plugin.

@danielbeck
Thank you very much for the pointer.
I was manually removing the plugin from the plugins folder including the pin.
This time, I left the pin following your instructions and the plugin installed fine.
(Can't use the plugin upload feature since I always get a "Failed to dynamically deploy this plugin" error)

Unfortunately, I got the exact same authentication failure from the second time onwards:
1. Deleted previous build related data for job B. (left the workspace untouched)
2. Change/Commit "external.c" + post-commit hook trigger
3. Jobs A & B both succeed
4. Change/Commit "external.c" + post-commit hook trigger
5. Job B fails (stack trace is the same as before)

However, while trying out some other things, I noticed something with the settings of Job B.
I had the hostname of the server set in the repository URL for the checkout, and the ip address set in the realm of the additional credentionals.
I set the hostname in the realm and Job B no longer failed.
Then I set the ip address for both the repository URL and realm. Job B did not fail.
So it looks like you have to specify the same host format (name or ip address) for both the repository URL and realm of additional credentials.
This does not really make sense to me, since the credential I selected is associated with a domain containing both hostname and ip address.
Bare in mind, deleting the previous build data results in a job success even if the host format is different.

One final note, I tried the above with both the patched version and unmodified version 2.2.
Job B succeeds as long as the host format for the repository URL and realm are the same.

@Daniel Beck

i just tried to build and install your changes, but they did not change anything for us.

We still get the following error:
hudson.util.IOException2: revision check failed on http://10.28.201.18/svn/xxx/Website/Config/trunk
at hudson.scm.SubversionChangeLogBuilder.buildModule(SubversionChangeLogBuilder.java:226)
at hudson.scm.SubversionChangeLogBuilder.run(SubversionChangeLogBuilder.java:169)
at hudson.scm.SubversionSCM.calcChangeLog(SubversionSCM.java:739)
at hudson.scm.SubversionSCM.checkout(SubversionSCM.java:900)
at hudson.model.AbstractProject.checkout(AbstractProject.java:1414)
at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:671)
at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:88)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:580)
at hudson.model.Run.execute(Run.java:1676)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:88)
at hudson.model.Executor.run(Executor.java:231)
Caused by: org.tmatesoft.svn.core.SVNCancelException: svn: E200015: OPTIONS /svn/xxx/Website/Config/trunk failed
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:384)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:373)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:361)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.performHttpRequest(DAVConnection.java:707)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.exchangeCapabilities(DAVConnection.java:627)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.open(DAVConnection.java:102)
at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.openConnection(DAVRepository.java:1020)
at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.getLatestRevision(DAVRepository.java:180)
at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgRepositoryAccess.getRevisionNumber(SvnNgRepositoryAccess.java:118)
at org.tmatesoft.svn.core.internal.wc2.SvnRepositoryAccess.getLocations(SvnRepositoryAccess.java:148)
at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgRepositoryAccess.createRepositoryFor(SvnNgRepositoryAccess.java:45)
at org.tmatesoft.svn.core.internal.wc2.remote.SvnRemoteLog.run(SvnRemoteLog.java:160)
at org.tmatesoft.svn.core.internal.wc2.remote.SvnRemoteLog.run(SvnRemoteLog.java:35)
at org.tmatesoft.svn.core.internal.wc2.SvnOperationRunner.run(SvnOperationRunner.java:20)
at org.tmatesoft.svn.core.wc2.SvnOperationFactory.run(SvnOperationFactory.java:1238)
at org.tmatesoft.svn.core.wc2.SvnOperation.run(SvnOperation.java:294)
at org.tmatesoft.svn.core.wc.SVNLogClient.doLog(SVNLogClient.java:967)
at org.tmatesoft.svn.core.wc.SVNLogClient.doLog(SVNLogClient.java:872)
at hudson.scm.SubversionChangeLogBuilder.buildModule(SubversionChangeLogBuilder.java:214)
... 11 more
Caused by: org.tmatesoft.svn.core.SVNCancelException: svn: E200015: No credential to try. Authentication failed
at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.cancel(SVNErrorManager.java:37)
at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.cancel(SVNErrorManager.java:32)
at org.tmatesoft.svn.core.internal.wc.DefaultSVNAuthenticationManager.getFirstAuthentication(DefaultSVNAuthenticationManager.java:185)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection._request(HTTPConnection.java:694)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:382)
... 29 more

Our repository A is on our svn server.
On the build it checks out all externals (from different repositories, all with the same credentials on the same svn server)
It fails to fetch the changelog for an external which is in the same repository A as the main project.

The issue ONLY happens if there was a change in repository B.

I tried it without additional credentials. i tried it with additional credentials and the realm set with the ip (http://ip/)
i tried it with additional credentials and the realm set to the svn subpath (http://ip/svn/)

Chikigai:

So it looks like you have to specify the same host format (name or ip address) for both the repository URL and realm of additional credentials.

Yes. The realm appears to be created from the host/port the client connects to, not from something the server reports. Which makes sense considering reverse proxies etc.

This does not really make sense to me, since the credential I selected is associated with a domain containing both hostname and ip address.

The realm string you specify is used as the key in a map, and the realm string SVNKit builds is used for the lookup of the credential to use in said map. (At least that's how it works for my first patch which I still believe to use correct)

Bare in mind, deleting the previous build data results in a job success even if the host format is different.

I found out after I asked for it that this is quite obvious in the code.

One final note, I tried the above with both the patched version and unmodified version 2.2.

Thanks for letting me know, now I can revert the change.

It really appears to me that any failures with this particular exception are user error (wrong realm names).

Mike Penz:

i tried it with additional credentials and the realm set with the ip (http://ip/)
i tried it with additional credentials and the realm set to the svn subpath (http://ip/svn/)

If you mean that you specified "http://ip/" and "http://ip/svn/" as realm strings: I'm pretty sure these are never valid realm strings and none of the methods I described above to find out the realm string returned these. It appears that you're simply guessing.

If you know how to read some Java: This is how they're created in the client library; and what you enter must be the exact same string:

https://github.com/jenkinsci/svnkit/blob/1.7.6-jenkins-2/svnkit/src/main/java/org/tmatesoft/svn/core/internal/io/svn/sasl/SVNSaslAuthenticator.java#L336
https://github.com/jenkinsci/svnkit/blob/1.7.6-jenkins-2/svnkit/src/main/java/org/tmatesoft/svn/core/internal/io/svn/SVNPlainAuthenticator.java#L60
https://github.com/jenkinsci/svnkit/blob/1.7.6-jenkins-2/svnkit/src/main/java/org/tmatesoft/svn/core/internal/io/svn/SVNSSHConnector.java#L76

Another way to find out the realm string if you use SVN from the command line (if you're on Linux or OS X; something similar should works on Windows as well):

find ~/.subversion/auth/svn.simple/ -type f -exec cat {} + | grep -A 2 realmstring

This will print all realm strings for which password credentials are saved by your SVN client.

Under Windows you can use findstr

findstr "<" %appdata%\Subversion\auth\svn.simple\*

unfortunately findstr is way not as flexible as grep, so you cannot print the lines following realmstring but only the line that contains it. This is why I chose to look for the "<" instead.

I was able to work around the issue by adding "additional credentials" with realm "<https://server:443> VisualSVN Server" and the same credentials that is used for the module itself.

We are facing the same issue as soon as there is an update in the svn:external linked folder.
At that moment we don't face the issue in the checkout or update, but we face this issue in the log determination.

When there is no change in the svn:external linked folder, then there is no issue.

Although I thought I had everything fixed, it looks like I'm still facing issues with commit notifications.
I no longer get authentication errors with the actual checkout, but the commit notifications via hook scripts are randomly failing.
The log shows "Failed to handle Subversion commit notification" followed by the same authentication error details as posted before.
I've run out of ideas of where to look for possible causes.

I can confirm that commit notifications via hook scripts are randomly failing for svn:externals as reported by chikigai. Without svn:externals everything seems to work as expected. In my case svn:externals point to other repositories on the same server and and the access rights do not differ from the main repository. So using the same credentials for svn:externals should work.

FYI my earlier fix has become PR 70 and was merged today, so using a snapshot build should resolve commit hook and subversion tagging plugin related issues.

I am randomly getting exceptions for svn projects that include external references:

Re-running the job usually fixes the error.

I have specified the 'Additional credential' as is required. The failures occur on both Linux and Windows slaves.

I think the error cases I am experiencing are similar to some of those discussed in this thread. Please will someone summarise the issue status and tell me if there is any fix I can apply?

Facing the same issue, and installed the latest github version with #70 pull request merged (https://github.com/jenkinsci/subversion-plugin/commit/ed6e43e04ddd15ce302b23740625ca4e69d1fead) which allows to log credentials used. The credentials are OK, so this bug might be linked to a svnkit one :
http://issues.tmatesoft.com/issue/SVNKIT-345

Update : installing current svnkit (https://github.com/jenkinsci/svnkit/releases/tag/1.7.10) cli tools, and making a "jsvn info $REPO" and saving credentials from there make post-commits working again.
Not a good way, but it could help solving this issue temporaly waiting the 2.3 plugin version that correct it.

@Daniel: using the snapshot build gives me:

Mar 31, 2014 10:09:07 AM WARNING winstone.Logger logInternal
Called getReader after getParameter ... error
Mar 31, 2014 10:09:07 AM WARNING hudson.scm.SubversionRepositoryStatus doNotifyCommit
Listener hudson.scm.SubversionRepositoryStatus$JobTriggerListenerImpl threw an uncaught exception
java.lang.NullPointerException
        at com.cloudbees.plugins.credentials.matchers.IdMatcher.<init>(IdMatcher.java:49)
        at com.cloudbees.plugins.credentials.CredentialsMatchers.withId(CredentialsMatchers.java:112)
        at hudson.scm.SubversionSCM$ModuleLocation.openRepository(SubversionSCM.java:2736)
        at hudson.scm.SubversionSCM$ModuleLocation.getUUID(SubversionSCM.java:2711)
        at hudson.scm.SubversionRepositoryStatus$JobTriggerListenerImpl.onNotify(SubversionRepositoryStatus.java:202)
        at hudson.scm.SubversionRepositoryStatus.doNotifyCommit(SubversionRepositoryStatus.java:136)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
        at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
        at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
        at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:120)
        at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
        at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
        at org.kohsuke.stapler.MetaClass$12.dispatch(MetaClass.java:390)
        at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
        at org.kohsuke.stapler.MetaClass$12.dispatch(MetaClass.java:390)
        at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:631)
        at org.kohsuke.stapler.Stapler.service(Stapler.java:225)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:45)
        at winstone.ServletConfiguration.execute(ServletConfiguration.java:248)
        at winstone.RequestDispatcher.forward(RequestDispatcher.java:333)
        at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:376)
        at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:96)
        at com.marvelution.jenkins.plugins.jira.filter.OAuthServletFilter.doFilter(OAuthServletFilter.java:70)
        at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:99)
        at com.marvelution.jenkins.plugins.jira.filter.StreamsServletFilter.doFilter(StreamsServletFilter.java:84)
        at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:99)
        at com.marvelution.jenkins.plugins.jira.filter.ApplinksServletFilter.doFilter(ApplinksServletFilter.java:90)
        at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:99)
        at com.marvelution.jenkins.plugins.jira.oauth.OAuthFilter.doFilter(OAuthFilter.java:82)
        at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:99)
        at hudson.plugins.greenballs.GreenBallFilter.doFilter(GreenBallFilter.java:58)
        at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:99)
        at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:88)
        at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
        at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
        at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
        at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
        at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
        at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:174)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:79)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
        at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
        at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
        at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
        at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
        at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
        at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
        at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
        at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
        at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
        at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
        at winstone.RequestDispatcher.forward(RequestDispatcher.java:331)
        at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:227)
        at winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)
        at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
        at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
        at java.util.concurrent.FutureTask.run(Unknown Source)
        at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
 
Mar 31, 2014 10:09:07 AM INFO jenkins.scm.impl.subversion.SubversionSCMSource$ListenerImpl onNotify
Received post-commit hook from 9ac4290d-b8dc-5d40-a2b8-e322e6355784 for revision -1 on paths [trunk/BuildCfg/doxyfile.versioninfo, trunk/BuildCfg/doxyfile]
Mar 31, 2014 10:09:07 AM INFO jenkins.scm.impl.subversion.SubversionSCMSource$ListenerImpl onNotify
No subversion consumers for UUID 9ac4290d-b8dc-5d40-a2b8-e322e6355784
Mar 31, 2014 10:09:07 AM WARNING hudson.scm.SubversionRepositoryStatus doNotifyCommit
No interest in change to repository UUID 9ac4290d-b8dc-5d40-a2b8-e322e6355784 found

SVN commit hook change notifcation does not work at all for me using the snapshot build. Even if the change is not in the externals.

Christoph Vogtländer:

Issue appears for me when running the following:

def p = Jenkins.instance.getItemByFullName('job-with-svn-with-externals');

p.scm.with {
  it.getProjectLocations(p).each { loc ->
        println loc
  	println loc.getUUID(p)
  }
}

This mirrors the behavior of Jenkins during the post-commit hook.

Proposed patch that resolves the issue for me (on top of PR 70):

$ git diff
diff --git a/src/main/java/hudson/scm/SubversionSCM.java b/src/main/java/hudson/scm/SubversionSCM.java
index 938b39b..75db1e1 100755
--- a/src/main/java/hudson/scm/SubversionSCM.java
+++ b/src/main/java/hudson/scm/SubversionSCM.java
@@ -2736,7 +2736,7 @@ public class SubversionSCM extends SCM implements Serializable {
                         StandardCredentials cred = CredentialsMatchers
                                 .firstOrNull(CredentialsProvider.lookupCredentials(StandardCredentials.class, context,
                                         ACL.SYSTEM, Collections.<DomainRequirement>emptyList()),
-                                        CredentialsMatchers.allOf(CredentialsMatchers.withId(credentialsId),
+                                        CredentialsMatchers.allOf(CredentialsMatchers.withId(c.getCredentialsId()),
                                                 CredentialsMatchers.anyOf(CredentialsMatchers.instanceOf(
                                                         StandardCredentials.class), CredentialsMatchers.instanceOf(
                                                         SSHUserPrivateKey.class))));

Will probably open the PR tomorrow.

Christoph Vogtländer (or anyone interested in a fix):

I'd appreciate if you could test this – as my original change failed to fix my original description how to reproduce the problem I'd like to get independent confirmation.

PR: https://github.com/jenkinsci/subversion-plugin/pull/74
CI build for it: https://jenkins.ci.cloudbees.com/job/plugins/job/subversion-plugin/336/

Daniel Beck:

Using the new snapshot (PR74/Build 336) fixed the problem for me. At least using your script test code posted in 1 and 2. Tested the scripts with the snapshot from PR70 to confirm failure. The test with PR74 now succeedes.
Also successfully tested with "real" commit hook notification. There are no trace messages left in the log and jobs are triggered correctly. Thanks a lot for your help.

@Daniel Just installed https://jenkins.ci.cloudbees.com/job/plugins/job/subversion-plugin/336/org.jenkins-ci.plugins$subversion/ and removed ~/.subversion that contains "static credentials" added by using jsvn. And got the issue again on externals :

Caused by: org.tmatesoft.svn.core.SVNCancelException: svn: E200015: No credential to try. Authentication failed

Re-added credentials by doing a "jsvn info $REPO", and then post-commit works again.

Richard Bergoin: Not sure how many of the preceding comments you read, but please note that this fix simply adds support for "additional credentials" in some code paths that used no credentials at all. You'll still need to define credentials for the explicitly defined modules, you'll still need to add "additional credentials" in case of externals, even within the same repos as your other modules , and you need to specify the correct realm for those so they are considered at all during authentication.

If you read and understood all of the previous comments to this issue, and followed the instructions, but the problem still occurs, please post the entire stack trace, including all the "Caused by" sections. The error message alone is useless.

@Daniel, thanks for reply, here is the log, and the CredentialsSVNAuthenticationProviderImpl logger output make me think that the credentials used for the externals are the one used for the main module (no additional module configured, as you said) :

 
Apr 01, 2014 9:24:45 AM FINE hudson.scm.CredentialsSVNAuthenticationProviderImpl
Attempting auth for URL: https://svn.company.com/repo/tags/project-1.0; Realm: <https://svn.company.com:443> SVN repository
Apr 01, 2014 9:24:45 AM WARNING hudson.scm.SubversionRepositoryStatus$JobTriggerListenerImpl onNotify
Failed to handle Subversion commit notification
org.tmatesoft.svn.core.SVNCancelException: svn: E200015: OPTIONS /repo/tags/project-1.0 failed
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:384)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:373)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:361)
	at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.performHttpRequest(DAVConnection.java:707)
	at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.exchangeCapabilities(DAVConnection.java:627)
	at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.open(DAVConnection.java:102)
	at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.openConnection(DAVRepository.java:1020)
	at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.getRepositoryUUID(DAVRepository.java:148)
	at hudson.scm.SubversionSCM$ModuleLocation.getUUID(SubversionSCM.java:2712)
	at hudson.scm.SubversionRepositoryStatus$JobTriggerListenerImpl.onNotify(SubversionRepositoryStatus.java:202)
	at hudson.scm.SubversionRepositoryStatus.doNotifyCommit(SubversionRepositoryStatus.java:136)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
	at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:120)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
	at org.kohsuke.stapler.MetaClass$12.dispatch(MetaClass.java:390)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
	at org.kohsuke.stapler.MetaClass$12.dispatch(MetaClass.java:390)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:631)
	at org.kohsuke.stapler.Stapler.service(Stapler.java:225)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:96)
	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:88)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:174)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:74)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
	at org.eclipse.jetty.server.Server.handle(Server.java:370)
	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
	at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:744)
Caused by: org.tmatesoft.svn.core.SVNCancelException: svn: E200015: No credential to try. Authentication failed
	at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.cancel(SVNErrorManager.java:37)
	at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.cancel(SVNErrorManager.java:32)
	at org.tmatesoft.svn.core.internal.wc.DefaultSVNAuthenticationManager.getFirstAuthentication(DefaultSVNAuthenticationManager.java:185)
	at hudson.scm.FilterSVNAuthenticationManager.getFirstAuthentication(FilterSVNAuthenticationManager.java:35)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection._request(HTTPConnection.java:694)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:382)
	... 85 more

Richard: To clarify, you have one module configured, and no additional credentials? If so, you simply need to do that; externals only have "additional credentials" to work with, even when in the same repo! That log message I added to assist in determining the "realm" to enter, as some users expressed confusion about how that works.

Just add an "additional credential", use

<https://svn.company.com:443> SVN repository

for the realm, and choose whatever credential is appropriate for that repo, could be the same as for the configured module.

To clarify, you have one module configured, and no additional credentials? : yes.

The realm for the external is (I think) the same that the realm of the "main" module, for exemple, an app have an external to a library tag :
https://svn.company.com/app/trunk
have
https://svn.company.com/lib/tags/project-1.0
as externals

Shouldn't main module credentials be applied, as both realms are "<https://svn.company.com:443> SVN repository" ?

Shouldn't main module credentials be applied, as both realms are "<https://svn.company.com:443> SVN repository" ?

should
But ain't: comment-195699
this is why there exists this bug entry after all...

Richard:

Should it? Possibly.
Does it? No.

Which many of the preceding comments mention (e.g. 1 2 3 4).

I was thinking the PR 70 will solve this issue (I misundertood the log and think that it inform the "realm" which will be used to the connection). I can test this issue (as previously with PR 74), if the "possibly" can be assume to be "yes" (but who can decide of this...). From my point of view, credentials are "server based" for continuous, but it could be "repository based" (subpath of a server).
Maybe a "FINE" logging of username used to connect to a repository can be interesting (for debugging purpose).

@Richard: I believe that the credentials have to be "repository based"... Just think of a huge company with many project teams and a fine grained access control for all the repositories hosted on one (or more) SVN server(s).

Matching the URL (of the external) - e.g. https://svn.server.company:443/reporoot/repo/my/external - against a realm string - e.g. https://svn.server.company:443/reporoot/repo - might well suffice for this to work.

I am running Jenkins 1.552 on a Linux master. I have installed svn plugin '2.3-SNAPSHOT(private-03/31/2-14 18:05-jenkins'.
I have a job that runs on a Windows slave that polls a svn repo and does a Visual Studio C++ build if a change is detected. The svn repo has an external link to another svn repo. I have specified an 'additional credential' for the external (I believe correctly). Jenkins gives the following exception when I commit a change to the external repo and run the Jenkins job:

@Jens, Ok for repo base credentials, in fact this is also that we have, I would add a "global credentials" to not have to reconfigure each jobs using this external (more than 30), but the global credentials is domain based (e.g. hostname, so only one global credential for svn.company.com)

Note that we also have CI for our internal libraries, so the credentials are already entered in another job.

Richard: It may be possible, but it's not currently implemented this way (admittedly, the current solution seems a bit weird). If PR70+PR74 work, then only an issue of convenience / redundancy in configuration is left.

David: The error seems to be completely unrelated. I suggest you open a new issue for that.

Anyone able to confirm that PR74 works?

@Richard:
you can use the same method that I used to reconfigure our 20+ jobs:
edit the xml files directly and restart the server as described in comment-196380

I've also installed the snapshot plugin, i've also set the additional credentials, without any luck. As soon as there's a change in one of the externals it fails.

 
hudson.util.IOException2: revision check failed on http://server/svn/repo/...
	at hudson.scm.SubversionChangeLogBuilder.buildModule(SubversionChangeLogBuilder.java:189)
	at hudson.scm.SubversionChangeLogBuilder.run(SubversionChangeLogBuilder.java:132)
	at hudson.scm.SubversionSCM.calcChangeLog(SubversionSCM.java:739)
	at hudson.scm.SubversionSCM.checkout(SubversionSCM.java:900)
	at hudson.model.AbstractProject.checkout(AbstractProject.java:1320)
	at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:609)
	at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:88)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:518)
	at hudson.model.Run.execute(Run.java:1688)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
	at hudson.model.ResourceController.execute(ResourceController.java:88)
	at hudson.model.Executor.run(Executor.java:231)
Caused by: org.tmatesoft.svn.core.SVNCancelException: svn: E200015: OPTIONS /svn/repo/... failed
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:384)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:373)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:361)
	at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.performHttpRequest(DAVConnection.java:707)
	at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.exchangeCapabilities(DAVConnection.java:627)
	at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.open(DAVConnection.java:102)
	at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.openConnection(DAVRepository.java:1020)
	at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.getLatestRevision(DAVRepository.java:180)
	at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgRepositoryAccess.getRevisionNumber(SvnNgRepositoryAccess.java:118)
	at org.tmatesoft.svn.core.internal.wc2.SvnRepositoryAccess.getLocations(SvnRepositoryAccess.java:148)
	at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgRepositoryAccess.createRepositoryFor(SvnNgRepositoryAccess.java:45)
	at org.tmatesoft.svn.core.internal.wc2.remote.SvnRemoteLog.run(SvnRemoteLog.java:160)
	at org.tmatesoft.svn.core.internal.wc2.remote.SvnRemoteLog.run(SvnRemoteLog.java:35)
	at org.tmatesoft.svn.core.internal.wc2.SvnOperationRunner.run(SvnOperationRunner.java:20)
	at org.tmatesoft.svn.core.wc2.SvnOperationFactory.run(SvnOperationFactory.java:1238)
	at org.tmatesoft.svn.core.wc2.SvnOperation.run(SvnOperation.java:294)
	at org.tmatesoft.svn.core.wc.SVNLogClient.doLog(SVNLogClient.java:967)
	at org.tmatesoft.svn.core.wc.SVNLogClient.doLog(SVNLogClient.java:872)
	at hudson.scm.SubversionChangeLogBuilder.buildModule(SubversionChangeLogBuilder.java:177)
	... 11 more
Caused by: org.tmatesoft.svn.core.SVNCancelException: svn: E200015: No credential to try. Authentication failed
	at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.cancel(SVNErrorManager.java:37)
	at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.cancel(SVNErrorManager.java:32)
	at org.tmatesoft.svn.core.internal.wc.DefaultSVNAuthenticationManager.getFirstAuthentication(DefaultSVNAuthenticationManager.java:185)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection._request(HTTPConnection.java:694)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:382)
	... 29 more

we checkout two modules each with their own credentials
http://server/svn/repo/folder1... with credentials1
http://server/svn/repo/folder2... with credentials1

and i add additional credentials with realm
http://server/svn/repo with credentials1

i've also tried additional credentials with realm
http://server/ with credentials1

(the credentials1 are all the same)

@mikepenz
make sure you entered the realm as described in comment-197898 and comment-196458, not only the url of the repository - it should work for you, too.

<https://svn.company.com:443> SVN repository

Hi Daniel

Sorry, I pasted in the wrong exception. I really am getting one relevant to this issue (see below). I am running your snapshot. The exception is random - sometimes the update succeeds, sometimes it doesn't. This time I used a clean workspace, to clear any cached credentials.

David

davida2009 ok it seems you have the exact same issue we had.

Try to add additinal credentials. It's really important that you use
the correct realm.

The realm in our case is "<http://server:port> SVN Server Name" <-- without "
After migrating to the new subversion plugin the name of the old credentials
was automatically set to the realm of the svn server try to using this one.
our automatically upgraded credentials had a name like
"buildmaster/****** (<http://server:port> SVN Server Name)" just remove the
stuff before and the brackets.

Mike, thanks for your help. I have specified 'additional credentials'. However, until today I had specified a realm of:

which we got from our server configuration. Today I added the url:

but that made no difference. I still get the exception.

Unfortunately there seems to be no documentation in Jenkins about this. Until recently I was completely unaware of the concept of 'realm' in Subversion.

davida: Skip the local path /subversion. Search through my older comments, there's several ways described how you can find out the realm.

@davida2009 i've wrote a small description for others who create builds. perhaps it's useful for someone else too. (the part 4.1. is the important one for you)

how to set additional credentials
1. open the build configuration
2. scroll down to the source-code-management section
3. click on the "Add additional credentials..." button
4. define as realm the specific identifier for our svn server -> (<http://ip:port> Company Subversion Repository) <- without the "(", ")" brackets
4.1. if it should work for a different svn you need to use the realm of this server
4.2. checkout a repo on this server via the command-line --> svn --username

--password

checkout http://ip:port/svn/repo <-- you can cancel this after it has started the checkout
4.3. read all realms available on your mac with this cmd --> "find ~/.subversion/auth/svn.simple/ -type f -exec cat {} + | grep -A 2 realmstring"
4.3.1. other solutions to get the realmstring: comment-196510, comment-196730, comment-196903
4.3.2. there's also another option to get the realmstring. on a pc which was not connected to the svn before, do the following in the therminal:
"svn info http://ip:port/pathtorepo" --> this will output something like "Authentication realm: <http://ip:port> Company Subversion Repository"
5. select the credentials --> "buildmaster/****** (<http://ip:port> Company Subversion Repository)"
6. save and be happy!

Hi Daniel and Mike

Thank you both for your help. Mike's instructions of how to get the realm string were useful and, as Daniel suggested, omitting '/subversion' seems to have worked for me. In summary, I use:

with ip substituted by the actual ip address.

(We use Collabnet's SVN Edge distro, and 'CollabNet Subversion Repository' seems to be the default name).

I'll leave it for a while and see if it is stable.

Best regards

David

Just one more comment: I think it would help diagnosis if the Jenkins svn plugin exception showed which job is failing, not just the svn url that is failing. What it be possible to should the job in the exception listing?

Seems like a big hassle to get authentication done. I would like to keep this as simple as possible by just identifying the hosts domain using wildcards ie: "*.svn-repos.org" no differences in protocol (https, http, svn+ssl...) or authentication realms.

If I have the same account with username/password that has access to multiple repositories in multiple servers, why should I have to enter it a thousand times in many different ways because of variations of protocols and realm strings ??

Hi,

With the latest jenkins 1.557 I'm getting a new issue and a new stack when trying to get the externals :

hudson.util.IOException2: revision check failed on http://....
	at hudson.scm.SubversionChangeLogBuilder.buildModule(SubversionChangeLogBuilder.java:189)
	at hudson.scm.SubversionChangeLogBuilder.run(SubversionChangeLogBuilder.java:132)
	at hudson.scm.SubversionSCM.calcChangeLog(SubversionSCM.java:738)
	at hudson.scm.SubversionSCM.checkout(SubversionSCM.java:899)
	at hudson.model.AbstractProject.checkout(AbstractProject.java:1320)
	at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:609)
	at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:88)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:518)
	at hudson.model.Run.execute(Run.java:1688)
	at hudson.matrix.MatrixBuild.run(MatrixBuild.java:304)
	at hudson.model.ResourceController.execute(ResourceController.java:88)
	at hudson.model.Executor.run(Executor.java:231)
	at hudson.model.OneOffExecutor.run(OneOffExecutor.java:43)
Caused by: org.tmatesoft.svn.core.SVNException: svn: E175002: REPORT /svn/.... failed
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:386)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:373)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:361)
	at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.performHttpRequest(DAVConnection.java:707)
	at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.doReport(DAVConnection.java:334)
	at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.doReport(DAVConnection.java:324)
	at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.logImpl(DAVRepository.java:995)
	at org.tmatesoft.svn.core.io.SVNRepository.log(SVNRepository.java:1035)
	at org.tmatesoft.svn.core.internal.wc2.remote.SvnRemoteLog.run(SvnRemoteLog.java:181)
	at org.tmatesoft.svn.core.internal.wc2.remote.SvnRemoteLog.run(SvnRemoteLog.java:35)
	at org.tmatesoft.svn.core.internal.wc2.SvnOperationRunner.run(SvnOperationRunner.java:20)
	at org.tmatesoft.svn.core.wc2.SvnOperationFactory.run(SvnOperationFactory.java:1238)
	at org.tmatesoft.svn.core.wc2.SvnOperation.run(SvnOperation.java:294)
	at org.tmatesoft.svn.core.wc.SVNLogClient.doLog(SVNLogClient.java:967)
	at org.tmatesoft.svn.core.wc.SVNLogClient.doLog(SVNLogClient.java:872)
	at hudson.scm.SubversionChangeLogBuilder.buildModule(SubversionChangeLogBuilder.java:177)
	... 12 more
Caused by: svn: E175002: REPORT /svn/.... failed
	at org.tmatesoft.svn.core.SVNErrorMessage.create(SVNErrorMessage.java:208)
	at org.tmatesoft.svn.core.SVNErrorMessage.create(SVNErrorMessage.java:154)
	at org.tmatesoft.svn.core.SVNErrorMessage.create(SVNErrorMessage.java:97)
	... 28 more
Caused by: java.lang.StringIndexOutOfBoundsException: String index out of range: -4
	at java.lang.String.substring(String.java:1875)
	at hudson.scm.DirAwareSVNXMLLogHandler.handleLogEntry(DirAwareSVNXMLLogHandler.java:90)
	at org.tmatesoft.svn.core.internal.wc2.compat.SvnCodec$7.receive(SvnCodec.java:167)
	at org.tmatesoft.svn.core.internal.wc2.compat.SvnCodec$7.receive(SvnCodec.java:164)
	at org.tmatesoft.svn.core.wc2.SvnReceivingOperation.receive(SvnReceivingOperation.java:78)
	at org.tmatesoft.svn.core.internal.wc2.remote.SvnRemoteLog.handleLogEntry(SvnRemoteLog.java:199)
	at org.tmatesoft.svn.core.internal.io.dav.DAVRepository$1.handleLogEntry(DAVRepository.java:950)
	at org.tmatesoft.svn.core.internal.io.dav.handlers.DAVLogHandler.endElement(DAVLogHandler.java:226)
	at org.tmatesoft.svn.core.internal.io.dav.handlers.BasicDAVHandler.endElement(BasicDAVHandler.java:103)
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:606)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1742)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2900)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:607)
	at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:116)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:489)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:835)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:764)
	at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:123)
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1210)
	at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:568)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.readData(HTTPConnection.java:911)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.readData(HTTPConnection.java:876)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPRequest.dispatch(HTTPRequest.java:220)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection._request(HTTPConnection.java:480)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:382)
	... 27 more
Finished: FAILURE

Once again, this one is completely random

Thanks,
Jocelyn

Jocelyn, this last error message looks like #JENKINS-22199

Code changed in jenkins
User: Daniel Beck
Path:
src/main/java/hudson/scm/SubversionSCM.java
http://jenkins-ci.org/commit/subversion-plugin/69ef77b2957b8f4f5bc9b284baf82aa71269ea98
Log:
JENKINS-21785 Fix for PR 70 / aabd40a

Code changed in jenkins
User: Stephen Connolly
Path:
src/main/java/hudson/scm/SubversionSCM.java
http://jenkins-ci.org/commit/subversion-plugin/a923c5011464bce84772137475df36fb99cd643f
Log:
Merge pull request #74 from daniel-beck/notify-commit-external-credentials

[FIXED JENKINS-21785] Check for changes in folders linked via svn:externals fails due to missing credentials

• Typo in original code and externals credentials were not being resolved correctly. Good catch by @daniel-beck

Compare: https://github.com/jenkinsci/subversion-plugin/compare/0a17b9302a1b...a923c5011464

How do I apply this fix instead of waiting for a new jenkins war version to included this?

Thanks
Andrew.

Unfortunately the issue is still present in multi-configuration projects:

org.tmatesoft.svn.core.SVNCancelException: svn: E200015: OPTIONS /svn/aaa/trunk failed
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:384)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:373)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:361)
	at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.performHttpRequest(DAVConnection.java:707)
	at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.exchangeCapabilities(DAVConnection.java:627)
	at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.open(DAVConnection.java:102)
	at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.openConnection(DAVRepository.java:1020)
	at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.getRepositoryUUID(DAVRepository.java:148)
	at hudson.scm.SubversionSCM$ModuleLocation.getUUID(SubversionSCM.java:2712)
	at hudson.scm.SubversionSCM$ModuleLocation$getUUID.call(Unknown Source)
	at Script1$_run_closure1_closure2.doCall(Script1.groovy:6)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:90)
	at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:233)
	at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:272)
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:903)
	at groovy.lang.Closure.call(Closure.java:415)
	at groovy.lang.Closure.call(Closure.java:428)
	at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:1379)
	at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:1351)
	at org.codehaus.groovy.runtime.dgm$170.invoke(Unknown Source)
	at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:271)
	at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:42)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:108)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
	at Script1$_run_closure1.doCall(Script1.groovy:4)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:90)
	at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:233)
	at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:272)
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:903)
	at groovy.lang.Closure.call(Closure.java:415)
	at groovy.lang.Closure.call(Closure.java:428)
	at org.codehaus.groovy.runtime.DefaultGroovyMethods.with(DefaultGroovyMethods.java:196)
	at org.codehaus.groovy.runtime.dgm$926.invoke(Unknown Source)
	at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:271)
	at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:42)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:108)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
	at Script1.run(Script1.groovy:3)
	at groovy.lang.GroovyShell.evaluate(GroovyShell.java:580)
	at groovy.lang.GroovyShell.evaluate(GroovyShell.java:618)
	at groovy.lang.GroovyShell.evaluate(GroovyShell.java:589)
	at hudson.util.RemotingDiagnostics$Script.call(RemotingDiagnostics.java:150)
	at hudson.util.RemotingDiagnostics$Script.call(RemotingDiagnostics.java:122)
	at hudson.remoting.LocalChannel.call(LocalChannel.java:45)
	at hudson.util.RemotingDiagnostics.executeGroovy(RemotingDiagnostics.java:119)
	at jenkins.model.Jenkins._doScript(Jenkins.java:3386)
	at jenkins.model.Jenkins.doScript(Jenkins.java:3363)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
	at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:120)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:631)
	at org.kohsuke.stapler.Stapler.service(Stapler.java:225)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:45)
	at winstone.ServletConfiguration.execute(ServletConfiguration.java:248)
	at winstone.RequestDispatcher.forward(RequestDispatcher.java:333)
	at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:376)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:96)
	at com.marvelution.jenkins.plugins.jira.filter.OAuthServletFilter.doFilter(OAuthServletFilter.java:70)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:99)
	at com.marvelution.jenkins.plugins.jira.filter.StreamsServletFilter.doFilter(StreamsServletFilter.java:84)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:99)
	at com.marvelution.jenkins.plugins.jira.filter.ApplinksServletFilter.doFilter(ApplinksServletFilter.java:91)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:99)
	at com.marvelution.jenkins.plugins.jira.oauth.OAuthFilter.doFilter(OAuthFilter.java:77)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:99)
	at hudson.plugins.greenballs.GreenBallFilter.doFilter(GreenBallFilter.java:58)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:99)
	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:88)
	at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
	at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
	at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
	at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:174)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:79)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
	at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
	at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
	at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
	at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
	at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
	at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
	at winstone.RequestDispatcher.forward(RequestDispatcher.java:331)
	at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:227)
	at winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)
	at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: org.tmatesoft.svn.core.SVNCancelException: svn: E200015: No credential to try. Authentication failed
	at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.cancel(SVNErrorManager.java:37)
	at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.cancel(SVNErrorManager.java:32)
	at org.tmatesoft.svn.core.internal.wc.DefaultSVNAuthenticationManager.getFirstAuthentication(DefaultSVNAuthenticationManager.java:185)
	at hudson.scm.FilterSVNAuthenticationManager.getFirstAuthentication(FilterSVNAuthenticationManager.java:35)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection._request(HTTPConnection.java:694)
	at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:382)
	... 128 more

I'm using Jenkins Subversion Plug-In version "2.3-SNAPSHOT (private-03/31/2014 18:05-jenkins)"

Daniel Beck added a comment - 01/Apr/14 8:18 AM
Richard Bergoin: Not sure how many of the preceding comments you read, but please note that this fix simply adds support for "additional credentials" in some code paths that used no credentials at all. You'll still need to define credentials for the explicitly defined modules, you'll still need to add "additional credentials" in case of externals, even within the same repos as your other modules , and you need to specify the correct realm for those so they are considered at all during authentication.
If you read and understood all of the previous comments to this issue, and followed the instructions, but the problem still occurs, please post the entire stack trace, including all the "Caused by" sections. The error message alone is useless.

so if I understood correctly the fix danielbeck made fixes only the hook call and not the "use the specified credentials on all paths" issue and you still have to add the additional credentials (I still have this credential issue, too)

gordin: What's the script you're executing? What are you passing as parameter to getUUID?

Daniel Beck: I'm using the script you provided in a comment above

def p = Jenkins.instance.getItemByFullName('multi_configuration_project');

p.scm.with {
  it.getProjectLocations(p).each { loc ->
        println loc
  	println loc.getUUID(p)
  }
}

Daniel Beck: sorry, all-clear. Adding "additional credentials" including a port number solved the problem. Don't know why. In all other projects I defined:

<https://server> VisualSVN Server

in this project i need:

<https://server:443> VisualSVN Server

Only difference is that this is a multi-configuration project with the sub-configurations running on Linux slaves. All other projects are free-style-projects (running on Windows master or Linux slave)

soukupmi: yes, you need to define additional credentials

soukupmi: Exactly. I fixed only the "bug" part of this issue, not the "weird behavior by design" part. I suggest you open a new issue as an improvement/feature request that e.g. a specific job's normal credentials should also be considered for externals authentication.

gordin: The plugin seems to have some support for legacy credentials, so it's possible jobs predating the upgrade from 1.x to 2.x don't fail in all the ways newer jobs do. See this comment for references to the code building the reference realm strings that are compared to what you enter (exact string match required).

awbeck87: Build the Subversion plugin yourself, or download a snapshot build including the changes, e.g. the HPI from here.

@danielbeck - might be that this issue is a "weird behavior by design", but up to the latest release it was working with no additional credentials.
The last update (Subversion-Plugin from 1.54 to 2.2.) broke that so now I have to define the additional credentials for every job.
This was the reason I opened my bug entry (duplicate) and contributed to this one.
I still think this is a bug as it was a major change in how the credentials are treated, but as the "workaround" with additional credentials works for me I'll leave it at that.

The final 2.3 version of subversion plugin did NOT fix this issue for me, so I would like to reopen this issue. I still get the same error that is reported in the initial bug report.

The "version check fail" seems to be only reported for externals that do have a change. All others are reported "no change for ... since the previous build".

I reopened the issue because the problems are still not resolved for me.

Situation:

• the credentials are "<https://server:443) ..."
• all externals are within the same repository (starting with "^/...")
• version checks are failing with the "missing credentials" error
• only version checks of externals that have in fact changes seem to fail

Plattform:

• Windows 7 x64 for master and clients
• Subversion 1.7 working copies
• Subversion plugin 2.3 final was tested
• Jenkins 1.559 was used for the test

simabeis: have you defined "additional credentials"? This is needed even if the credentials for the local repository and externals are the same.

I'm not sure what you mean by "additional credentials". I added the credentials "<https://server:443) ..." once to the configuration and choose this entry in all my projects (which was very annoying btw).

Marcel: Please post the full realm entered for any 'additional credentials' (the close parenthesis looks wrong already). If there's a realm name of server name you don't want to post. Verify using any of the above mentioned methods that you actually specify the correct realm. Make sure you didn't enter a leading or trailing space into the text field.

Resolving this again, user didn't bother to read the comments for this issue.

simabeis: in every job in section "Source Code Management" below the definition of the Subversion "Modules" you must add "Additional credentials" (there is a button reading "Add additional credentials...") in case there are svn:external definitions (even if the credentials for the externals do not differ from the credentials entered under "Modules").

@simabeis: it is less annoying for you if you edit the config.xml files directly and restart the server as I described in comment-196380
and less annoying for us if you read all comments (especially if there are a lot of explanations and how-tos in these)

@Marcel Beister

I've had the same problem. Perhaps this description helps with solving your problem:
http://stackoverflow.com/a/22812642/325479

Thx for your help, I will try your suggestions this asap. And you are right, I did not read all comments of this thread, sorry for that.

@michael: You should also be aware that other users might run into this problem as well because they do not read the comments from this bug report either

Edited issue description to mention that this has been resolved. Hopefully future visitors read it

I'd still call this "No credentials to try" an unresolved bug (if you open a window to be able to get into a house, it does not fix the broken door, does it?). If specifying additional credentials was a requirement, then every checkout with svn:externals would fail unless additional credentials are added. Instead, these checkouts succeed with and without additional credentials. Even logs with "No credential to try" exception show that all externals were successfully fetched before printing "no change for ..." messages.

Hi,
binary is right. The current solution is only a workaround. A final solution is not available yet.
Reopen?

I'd prefer that a new issue (type Improvement) was opened for anyone disagreeing with the 2.3+ state of the plugin in this regard. As I see it, there were two different, related problems in 2.0:

1. Additional Credentials are required for externals (a deliberate design decision by Stephen Connolly), requiring job config changes.
2. Even that didn't work in some situations due to bugs in the implementation (post-commit hook, polling, ...).

I resolved all occurrences of "2" I could find referencing this issue, as this issue is of type Bug. These are the ones without workaround of changing job configuration.

Requests to change "1" I'd consider to be an "Improvement", unrelated to the existing fixes – so tracking these independently would be best. We can always link to that new issue from the message at the top to direct people there.

Try deleting workspace and running the build, it will succeed without additional credentials, all externals will be checked out. This means that additional credentials are not required. This also means that fixing exception "No credentials to try", when sources in externals are changed, would be a bugfix, not an improvement (those changes are still checked out before an exception).

binary: Please provide some references (i.e. code) for your claims. Because that's not how the plugin works AFAICT.

Externals that are checked out inherit the credential defined for the location which is explicitly being checked out (e.g. SVNUpdateClient.doCheckout() call). Only if these don't work, Additional Credentials are needed.

No such "inheritance" or association to an explicitly configured location exists for externals when polling for changes, they're just another location (automatically, by the plugin) defined in the project – but one without explicitly specified credentials, requiring fallback to Additional Credentials immediately.

Adding this association, or just adding all credentials already used in the project for any external being checked out, would be an improvement. And these are the only options I see right now for the 'Improvement' to go.

danielbeck: as I wrote a few comments ago I too see this as a workaround as the plugin upgrade broke the behaviour (it was working without additional credentials before 2.0) - but I can live with the workaround and I also can follow your explanation (check out vs. change detection)

Maybe you could rephrase your entry in the bug description anyway to make it clearer as your bugfixes do not match the description of the bug entry and thus the bug is not fixed but the behaviour still intended.
Maybe something like

"Since version 2.0 you have to add additional credits to your jobs with externals. You need to reconfigure them as described in the comments below. This behaviour is intended and not a bug."

would be clearer.

I hope I understood it right.

The problem is:
"No such "inheritance" or association to an explicitly configured location exists for externals when polling for changes [...]"

The solution is:
"Adding this association, or just adding all credentials already used in the project for any external [...]"

Why not implementing this solution? It would solve the orginal error of this issue.

Just to clarify why externals need their own credentials.

There is a security risk in using Jenkins' credentials to checkout an external even if the external is the exact same repo as the module you are checking out.

Consider the case where a developer has commit access to /trunk/publicproject in the repo but does not have read access to /trunk/secretproject

The Jenkins admin has locked down Jenkins so that the developer cannot modify the Jenkins jobs.

With the old behaviour, the developer could just commit to /trunk/publicproject adding an svn:external to checkout /trunk/secretproject and modify the build script to tar up the external checkout and email it to themselves... ok they have left a track of what they did, but now the secret project code is no-longer secret... now consider the case where it was that the developer's computer was stolen or hacked.

You could argue that the correct way to handle that would be to give Jenkins two credentials, the first that is scoped to /trunk/publicproject and the second scoped to /trunk/secretproject... well with the old 1.x way Jenkins would just try all credentials until it found one that works... so still lost there

With 2.x you could do that but now you have to remember to use the correct credentials for the correct paths (ok, so credential domains can help there, but it does get a lot more complex... and there are cases where you cannot)

So given that most people just give Jenkins a credential that has read access everywhere, the only safe way to handle externals is to require configuring the credentials to use when checking out the external.

A valid enhancement request would be to give a checkbox (default to off) to use matching module credentials when doing a checkout of externals. That would at least make things easier for the 80% who don't need the gaping security hole fixed because of their permissive SVN server security model.

stephenconnolly: thank you for the clarification.
What I still don't understand regarding this is: the checkout does not always fail (it uses the credentials from the parent project in some cases as e.g. a manual build request or clean checkout as binary mentioned). This would be the security issue you mentioned.

What does fail is the revision check on the external project.

stephenconnolly: consider /trunk/publicproject needs an (svn:externals) to /trunk/sharedlib. The user can then still just add the external definition to /trunk/secretproject and will be able to get the code. You are right where you started before the changes. There is nothing you can do here. IMHO the current behaviour is not adding security but only complexity/obscurity, which is always bad. If you run a public Jenkins instance using a subversion repository with non public code you have to know what you are doing. I think this scenario should be documented on the plug-in page to make sysadmins aware. But I don't think that this is solvable in the plug-in without adding even more complexity.
Maybe it would be better to default "Ignore externals" to "on" and in case the user switches this off notify the user about the possible pitfalls. He can then easily decide to just configure the external explicitly as an additional module.

the svnkit library has been known to leak some credentials anyway...

@Christoph: that would be another approach that is equally valid... I suspect the pair of both defaulting ignoreExternals to on and providing an option to reuse module credentials where matching would be the best of breed solution

@stephenconnolly:
Thanks for the background informations. How about a list of "allowed URLs of externals"?

@WH sadly svnkit does not give you that ability. The only thing it lets you have access to is the realm

wh

Why not implementing this solution? It would solve the orginal error of this issue.

I'm sure a pull request by anyone wishing to provide this would be appreciated by many.

stephenconnolly How does that work given that regular checkout simply reuses the same credential for checking out any externals? If the job configurer provides a sufficiently powerful credential, then any externals will also be checked out. It's only when an external cannot be checked out using the configured credential that it falls back to Additional Credentials.

Therefore I consider it a viable solution to annotate any external location in the project with the module location that introduced it to reuse its credential – at least that's not brute-forcing credentials like in 1.x.

@Daniel Beck

Ha! it only seems that way. What happens is that SVNKit caches the realms/connections it has used already and reuses the existing connection from the connection pool. So it is the SVNKit library pulling the security rug out from under us

A valid enhancement request would be to give a checkbox (default to off) to use matching module credentials when doing a checkout of externals. That would at least make things easier for the 80% who don't need the gaping security hole fixed because of their permissive SVN server security model.

Not sure how that would work. In checkout, it's already effectively this way, and for polling etc. you have no idea which module introduced which external (AFAIK – is there a field I am missing?).

Alternative approach:

The current implementation allows to leave the per-module credentials empty and only specify Additional Credentials (just ignore the scary form validation errors) which are then used for all locations.

We could go one step further and add a 'Default Credentials' field (or reinterpret an Additional Credential with empty realm?). Leave that field empty/don't define such an Additional Credential, and you get the current behavior. Select a credential as Default Credential/define such an Additional Credential and you can skip configuring any others.

This way, users conscious about the security issue prevented by the credentials implementation can continue to specify individual credentials and curse SVNKit for its behavior while the rest can configure one credential, and don't have to care about externals or realms.

WDYT?

danielbeck: alternative approach sounds good. I would go for a explicit "Default credentials" field instead of implicit behaviour when leaving realm empty.