Hi there,

I've had a really "fun" time in triggering a not so nice usability bug while configuring Jenkins' global security settings.

First, please take a look at the following screenshot that depicts a part of the "Configure Global Security" page available at http://$JENKINS_HOST/configureSecurity/.

What's the issue and how can it be reproduced?
Users who change the Authorization mode from Anyone can do anything to Matrix-based security and set up the corresponding users correctly will most likely experience a hard to understand problem. After the user has made and saved the described changes the user will see a stack trace with an error message stating 'anonymous is missing the Overall/Read permission'.

This error message is really confusing as it's pretty much contradicting to what the user wanted to achieve in the first place. While I was trying to find out what really went wrong, I finally decided to give it a try and give anonymous full privileges to everything. And hey, it all worked again - at least at first sight. But as soon as a user tries to login using the 'log in' page it will fail with another hard to decipher error. The user will see an HTTP 404 error and some text claiming that there's a problem in accessing /j_acegi_security_check.

What is the cause of the issue?
Well, as it turns out I just forgot to select a Security Realm like Jenkins' own user database, for example.

How could the issue be fixed?
I think there should be some kind of a warning telling the user that the selected combination of options is invalid. In my screenshot above that shows the configuration dialog it can clearly be seen that the radio button of the Authorization section has not active selection set by default. I'm not sure if it makes sense to have a default selection for it. So at least a little warning would probably help a lot to avoid such misconfiguration troubles.

Regards,
Andreas