  1. Jenkins
  2. JENKINS-2305

Project-based Matrix Security is not working after Hudson restart


Details

    • Bug
    • Status: Closed (View Workflow)
    • Critical
    • Resolution: Fixed
    • _unsorted
    • None
    • Platform: All, OS: All

    Description

      This issue has come up in a thread on the Hudson mailing list so thought I'd
      transfer here for an "official" record:

      "I am having a problem when I restart hudson after "successfully" setting up
      matrix based security.

      To set up the Hudson security, I am selecting "Enable Security", then choosing
      "Hudson's own user database" and "Project-based Matrix Authorization Strategy".

      I then give the anonymous account, "Overall-Read" and "Job-Build" rights, and I
      create an admin account that has the right to do everything except "SCM-Tag".

      I save this config and everything works great until I try to restart hudson.

      When I try to restart hudson I can no longer click around and view the builds as
      the non logged in anonymous user like I could before the restart.

      Instead I am only prompted for a username and password. When I enter the admin
      username and password (which worked many times before the restart), I get this
      error message:

      Access Denied
      org.acegisecurity.providers.UsernamePasswordAuthenticationToken@410ce2ce:
      Username: hudson.security.HudsonPrivateSecurityRealm$Details@8e7f54; Password:
      [PROTECTED]; Authenticated: true; Details:
      org.acegisecurity.ui.WebAuthenticationDetails@7798: RemoteIpAddress:
      129.150.66.123; SessionId: 49daddb10088039a2d196487a5ae0a73; Granted
      Authorities: authenticated is missing Read

      I am using Hudson 1.248
      and JDK build 1.5.0_09"

      +

      "I'm experiencing the same problem. While using "Hudson's own user database,"
      I have tried using both the general matrix auth strategy as well as the
      project based version. In both cases I also cannot log in to hudson after
      restarting Tomcat. The error message I get is:
      org.acegisecurity.providers.UsernamePasswordAuthenticationToken@3efe96a3:
      Username: hudson.security.HudsonPrivateSecurityRealm$Details@5777b4d3;
      Password: [PROTECTED]; Authenticated: true; Details:
      org.acegisecurity.ui.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress:
      127.0.0.1; SessionId: A9A673194D39F0426C655FB715F1BB4B; Granted Authorities:
      authenticated is missing Read

      I am using:
      Hudson 1.245
      Tomcat 6.0.16
      Apache 2.2.3 (reverse proxy to hudson on Tomcat)
      Java 1.6.0_06"

      +

      I have the same issue with 1.245 running as Windows service.

          Activity

            r2b2_nz Richard Bywater created issue -
            magner magner added a comment -

            I also have this issue using the 'Project-based Matrix Authorization Strategy',
            but it seems like 'Matrix-based security' works fine. I use the LDAP security
            realm, and my security matrix is respected for both user and group.

            When looking at config.xml, it seems like project-based matrix isn't serializing
            right, it's not as neat and tidy as matrix-based security. And failing to
            deserialize the security settings would probably produce the exception we're
            getting.

            Hudson 1.252
            OpenJDK Runtime Environment 1.6.0_0-b11
            Tomcat 6.0.18

            lynggaard lynggaard added a comment -

            I have seen this too...

            I had originally set
            anonymous to read,
            authenticated to build, workspace
            two admin account with full access rights

            To me it appears as if the anonymous permissions are not stored, thus the
            anonymous users cannot do anything, and authenticated users do not have read access

            cacorp cacorp added a comment -

            Issue 2454 has been marked as a duplicate of this issue.

            cacorp cacorp made changes -
            Field Original Value New Value
            Link This issue is duplicated by JENKINS-2454 [ JENKINS-2454 ]
            cacorp cacorp added a comment -

            Just for completion of the issue description:

            I'm using hudson 1.260. It happens using ldap or any other authentication
            method.

            After successfully setting up the project based matrix and restarting hudson it
            goes back to global matrix authentication.

            dty Dean Yu added a comment -

            This looks like it was broken in 1.255, by the bug to fix the serialized form of
            matrix security permissions. The fix is a straightforward replacement of new
            GlobalMatrixAuthorizationStrategy() with new
            ProjectMatrixAuthorizationStrategy() in
            hudson.security.ProjectMatrixAuthorizationStrategy.ConverterImpl.

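A post-restart check for the failure described in this thread, where the authorization strategy reverts and grants disappear once Hudson reloads its configuration. This is an added example, not code from the issue or from Hudson; the `config.xml` element layout (`authorizationStrategy` with `permission` entries of the form `permission:sid`) and both sample files are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: config.xml as saved before the restart. The element
# layout is an assumption about the file format, not taken from the issue.
BEFORE = """<hudson>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Item.Build:anonymous</permission>
  </authorizationStrategy>
</hudson>"""

# Constructed sample: the same file after a restart rewrote it.
AFTER = """<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
  </authorizationStrategy>
</hudson>"""


def security_snapshot(config_xml):
    """Return (strategy class, frozenset of (permission, sid)) from config.xml text."""
    node = ET.fromstring(config_xml).find("authorizationStrategy")
    if node is None:
        return None, frozenset()
    grants = set()
    for p in node.iter("permission"):
        perm, _, sid = (p.text or "").strip().partition(":")
        if perm and sid:
            grants.add((perm, sid))
    return node.get("class"), frozenset(grants)


def drift(before_xml, after_xml):
    """List authorization differences between two config.xml snapshots."""
    cls_b, grants_b = security_snapshot(before_xml)
    cls_a, grants_a = security_snapshot(after_xml)
    findings = []
    if cls_b != cls_a:
        findings.append(f"strategy changed: {cls_b} -> {cls_a}")
    for perm, sid in sorted(grants_b - grants_a):
        findings.append(f"grant lost: {sid} no longer has {perm}")
    for perm, sid in sorted(grants_a - grants_b):
        findings.append(f"grant added: {sid} now has {perm}")
    return findings


if __name__ == "__main__":
    print("\n".join(drift(BEFORE, AFTER)))
```

Taking the first snapshot right after saving the security settings and the second after the restart surfaces a silent reversion before users hit "Access Denied".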
            dty Dean Yu made changes -
            Status Open [ 1 ] In Progress [ 3 ]

            Code changed in hudson
            User: : dty
            Path:
            trunk/hudson/main/core/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java
            trunk/www/changelog.html
            http://fisheye4.cenqua.com/changelog/hudson/?cs=13148
            Log:
            FIX JENKINS-2305 - Project based Matrix Authorization Strategy reverts to
            Global Matrix Authorization Strategy on Hudson restart.

            elser elser added a comment -

            The new version of Hudson (1.261) does not completely solve the problem. After
            restart I get the ProjectMatrixAuthorizationStrategy unmarshalled successfully
            in global configuration, but the per-job boolean information "Enable
            project-based security" is lost.
            (I use java version "1.5.0_15", Windows XP)

            domd domd added a comment -

            Confirming that this issue is not completely resolved in 1.261, java 1.5,
            Tomcat 6.0, linux.


            Code changed in hudson
            User: : dty
            Path:
            trunk/hudson/main/core/src/main/java/hudson/security/AuthorizationMatrixProperty.java
            trunk/hudson/main/core/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java
            trunk/www/changelog.html
            http://fisheye4.cenqua.com/changelog/hudson/?cs=13223
            Log:
            FIX JENKINS-2305 - Use Project Security setting not being persisted.

            dty Dean Yu added a comment -

            I believe this is completely fixed with 1.262.

            dty Dean Yu made changes -
            Resolution Fixed [ 1 ]
            Status In Progress [ 3 ] Resolved [ 5 ]
            holgergp holgergp added a comment -

            I am still getting complaints when using Project-based Matrix Security:

            Access Denied

            org.acegisecurity.providers.UsernamePasswordAuthenticationToken@932218e3:
            Username: hudson.security.HudsonPrivateSecurityRealm$Details@f2c499; Password:
            [PROTECTED]; Authenticated: true; Details:
            org.acegisecurity.ui.WebAuthenticationDetails@0: RemoteIpAddress: 192.168.5.43;
            SessionId: D53F6B32BB4C41115A77FDBA9BE2F136; Granted Authorities: authenticated
            is missing Administer.

            I am using v. 1.262
            JDK 1.6.0_10
            Tomcat 6.0.18 running as Windows service

            I am using Project-based Matrix Security with one administrative role (having
            every single right) and various users lacking the "administer"-right. I tried
            both the internal user db and Active Directory. If I configure my project
            logged in as a "user" then those aforementioned error messages appear on the
            configuration page.

            holgergp holgergp made changes -
            Resolution Fixed [ 1 ]
            Status Resolved [ 5 ] Reopened [ 4 ]
            dty Dean Yu added a comment -

            Do you have this problem only after you restart Hudson? Or does it not work ever?

            mindless Alan Harder added a comment -

            Probably the remaining issue from that last comment is from validators.. those
            permission checks now fixed from issue #2715. Closing this one again, reopen if
            there is still any issue in 1.268 or newer.

            mindless Alan Harder made changes -
            Resolution Fixed [ 1 ]
            Status Reopened [ 4 ] Resolved [ 5 ]
            abayer Andrew Bayer made changes -
            Status Resolved [ 5 ] Closed [ 6 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 132378 ] JNJira + In-Review [ 201363 ]
            ircbot Jenkins IRC Bot made changes -
            Component/s _unsorted [ 19622 ]
            Component/s security [ 15508 ]

            People

              Unassigned Unassigned
              r2b2_nz Richard Bywater