• Type: Bug
• Resolution: Fixed
• Priority: Major
• Component/s: reverse-proxy-auth-plugin, suppress-stack-trace-plugin
• Labels:

  • security
  • stacktrace
• Environment:

  Hide

  Operating System
  -bash-4.1$ cat /etc/oracle-release && uname -a
  Oracle Linux Server release 6.5
  Linux dsdsesvcai101v 3.8.13-68.2.2.el6uek.x86_64 #2 SMP Tue May 12 15:10:51 PDT 2015 x86_64 x86_64 x86_64 GNU/Linux
  
  Java
  -bash-4.1$ /etc/alternatives/java -version
  java version "1.8.0_40"
  Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
  Java HotSpot(TM) 64-Bit Server VM (build 25.40-b25, mixed mode)
  
  Jenkins & Plugins
  System Properties
  
  Name ↓
  Value
  awt.toolkit sun.awt.X11.XToolkit
  executable-war /usr/lib/jenkins/jenkins.war
  file.encoding UTF-8
  file.encoding.pkg sun.io
  file.separator /
  hudson.diyChunking true
  hudson.DNSMultiCast.disabled true
  java.awt.graphicsenv sun.awt.X11GraphicsEnvironment
  java.awt.headless true
  java.awt.printerjob sun.print.PSPrinterJob
  java.class.path /usr/lib/jenkins/jenkins.war
  java.class.version 52.0
  java.endorsed.dirs /usr/java/jdk1.8.0_40/jre/lib/endorsed
  java.ext.dirs /usr/java/jdk1.8.0_40/jre/lib/ext:/usr/java/packages/lib/ext
  java.home /usr/java/jdk1.8.0_40/jre
  java.io.tmpdir /tmp
  java.library.path /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
  java.runtime.name Java(TM) SE Runtime Environment
  java.runtime.version 1.8.0_40-b26
  java.specification.name Java Platform API Specification
  java.specification.vendor Oracle Corporation
  java.specification.version 1.8
  java.vendor Oracle Corporation
  java.vendor.url http://java.oracle.com/
  java.vendor.url.bug http://bugreport.sun.com/bugreport/
  java.version 1.8.0_40
  java.vm.info mixed mode
  java.vm.name Java HotSpot(TM) 64-Bit Server VM
  java.vm.specification.name Java Virtual Machine Specification
  java.vm.specification.vendor Oracle Corporation
  java.vm.specification.version 1.8
  java.vm.vendor Oracle Corporation
  java.vm.version 25.40-b25
  JENKINS_HOME /apps/jenkins
  jna.platform.library.path /usr/lib64:/lib64:/usr/lib:/lib
  jnidispatch.path /tmp/jna--1712433994/jna6000391753915357396.tmp
  line.separator
  mail.smtp.sendpartial true
  mail.smtps.sendpartial true
  os.arch amd64
  os.name Linux
  os.version 3.8.13-68.2.2.el6uek.x86_64
  path.separator :
  sun.arch.data.model 64
  sun.boot.class.path /usr/java/jdk1.8.0_40/jre/lib/resources.jar:/usr/java/jdk1.8.0_40/jre/lib/rt.jar:/usr/java/jdk1.8.0_40/jre/lib/sunrsasign.jar:/usr/java/jdk1.8.0_40/jre/lib/jsse.jar:/usr/java/jdk1.8.0_40/jre/lib/jce.jar:/usr/java/jdk1.8.0_40/jre/lib/charsets.jar:/usr/java/jdk1.8.0_40/jre/lib/jfr.jar:/usr/java/jdk1.8.0_40/jre/classes
  sun.boot.library.path /usr/java/jdk1.8.0_40/jre/lib/amd64
  sun.cpu.endian little
  sun.cpu.isalist
  sun.font.fontmanager sun.awt.X11FontManager
  sun.io.unicode.encoding UnicodeLittle
  sun.java.command /usr/lib/jenkins/jenkins.war --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war --httpPort=8080 --ajp13Port=8009 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20
  sun.java.launcher SUN_STANDARD
  sun.jnu.encoding UTF-8
  sun.management.compiler HotSpot 64-Bit Tiered Compilers
  sun.os.patch.level unknown
  user.country US
  user.dir /
  user.home /var/lib/jenkins
  user.language en
  user.name jenkins
  user.timezone America/Chicago
  Environment Variables
  
  Name ↓
  Value
  _ /etc/alternatives/java
  HOME /var/lib/jenkins
  LANG en_US.UTF-8
  LOGNAME jenkins
  NLSPATH /usr/dt/lib/nls/msg/%L/%N.cat
  PATH /sbin:/usr/sbin:/bin:/usr/bin
  PWD /
  SHELL /bin/bash
  SHLVL 2
  TERM xterm-256color
  USER jenkins
  XFILESEARCHPATH /usr/dt/app-defaults/%L/Dt
  Plugins
  
  Name ↓
  Version
  Enabled
  Pinned
  ant 1.2 true false
  antisamy-markup-formatter 1.3 true true
  cloudbees-folder 4.10 true false
  credentials 1.24 true true
  credentials-binding 1.6 true false
  cvs 2.12 false true
  external-monitor-job 1.4 true false
  git 2.4.0 true false
  git-client 1.19.0 true false
  javadoc 1.3 true true
  junit 1.9 true true
  ldap 1.11 true false
  mailer 1.15 true true
  matrix-auth 1.2 true true
  matrix-project 1.6 true true
  maven-plugin 2.12.1 true true
  metrics 3.1.2 true false
  pam-auth 1.2 true true
  plain-credentials 1.1 true false
  reverse-proxy-auth-plugin 1.4.0 true false
  saml 0.4 false false
  scm-api 0.2 true false
  script-security 1.15 true true
  shiningpanda 0.22 true false
  ssh-agent 1.8 true false
  ssh-credentials 1.11 true true
  ssh-slaves 1.10 true true
  suppress-stack-trace 1.4 true false
  translation 1.12 false true
  windows-slaves 1.1 false true
  workflow-step-api 1.10.1 true false
  
  
  Jenkins running directly (no container)
  
  Jenkins accessed via reverse proxy
  Access Control: HTTP Header by reverse proxy

  Show

  Operating System -bash-4.1$ cat /etc/oracle-release && uname -a Oracle Linux Server release 6.5 Linux dsdsesvcai101v 3.8.13-68.2.2.el6uek.x86_64 #2 SMP Tue May 12 15:10:51 PDT 2015 x86_64 x86_64 x86_64 GNU/Linux Java -bash-4.1$ /etc/alternatives/java -version java version "1.8.0_40" Java(TM) SE Runtime Environment (build 1.8.0_40-b26) Java HotSpot(TM) 64-Bit Server VM (build 25.40-b25, mixed mode) Jenkins & Plugins System Properties Name ↓ Value awt.toolkit sun.awt.X11.XToolkit executable-war /usr/lib/jenkins/jenkins.war file.encoding UTF-8 file.encoding.pkg sun.io file.separator / hudson.diyChunking true hudson.DNSMultiCast.disabled true java.awt.graphicsenv sun.awt.X11GraphicsEnvironment java.awt.headless true java.awt.printerjob sun.print.PSPrinterJob java.class.path /usr/lib/jenkins/jenkins.war java.class.version 52.0 java.endorsed.dirs /usr/java/jdk1.8.0_40/jre/lib/endorsed java.ext.dirs /usr/java/jdk1.8.0_40/jre/lib/ext:/usr/java/packages/lib/ext java.home /usr/java/jdk1.8.0_40/jre java.io.tmpdir /tmp java.library.path /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib java.runtime.name Java(TM) SE Runtime Environment java.runtime.version 1.8.0_40-b26 java.specification.name Java Platform API Specification java.specification.vendor Oracle Corporation java.specification.version 1.8 java.vendor Oracle Corporation java.vendor.url http://java.oracle.com/ java.vendor.url.bug http://bugreport.sun.com/bugreport/ java.version 1.8.0_40 java.vm.info mixed mode java.vm.name Java HotSpot(TM) 64-Bit Server VM java.vm.specification.name Java Virtual Machine Specification java.vm.specification.vendor Oracle Corporation java.vm.specification.version 1.8 java.vm.vendor Oracle Corporation java.vm.version 25.40-b25 JENKINS_HOME /apps/jenkins jna.platform.library.path /usr/lib64:/lib64:/usr/lib:/lib jnidispatch.path /tmp/jna--1712433994/jna6000391753915357396.tmp line.separator mail.smtp.sendpartial true mail.smtps.sendpartial true os.arch amd64 os.name Linux os.version 3.8.13-68.2.2.el6uek.x86_64 path.separator : sun.arch.data.model 64 sun.boot.class.path /usr/java/jdk1.8.0_40/jre/lib/resources.jar:/usr/java/jdk1.8.0_40/jre/lib/rt.jar:/usr/java/jdk1.8.0_40/jre/lib/sunrsasign.jar:/usr/java/jdk1.8.0_40/jre/lib/jsse.jar:/usr/java/jdk1.8.0_40/jre/lib/jce.jar:/usr/java/jdk1.8.0_40/jre/lib/charsets.jar:/usr/java/jdk1.8.0_40/jre/lib/jfr.jar:/usr/java/jdk1.8.0_40/jre/classes sun.boot.library.path /usr/java/jdk1.8.0_40/jre/lib/amd64 sun.cpu.endian little sun.cpu.isalist sun.font.fontmanager sun.awt.X11FontManager sun.io.unicode.encoding UnicodeLittle sun.java.command /usr/lib/jenkins/jenkins.war --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war --httpPort=8080 --ajp13Port=8009 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20 sun.java.launcher SUN_STANDARD sun.jnu.encoding UTF-8 sun.management.compiler HotSpot 64-Bit Tiered Compilers sun.os.patch.level unknown user.country US user.dir / user.home /var/lib/jenkins user.language en user.name jenkins user.timezone America/Chicago Environment Variables Name ↓ Value _ /etc/alternatives/java HOME /var/lib/jenkins LANG en_US.UTF-8 LOGNAME jenkins NLSPATH /usr/dt/lib/nls/msg/%L/%N.cat PATH /sbin:/usr/sbin:/bin:/usr/bin PWD / SHELL /bin/bash SHLVL 2 TERM xterm-256color USER jenkins XFILESEARCHPATH /usr/dt/app-defaults/%L/Dt Plugins Name ↓ Version Enabled Pinned ant 1.2 true false antisamy-markup-formatter 1.3 true true cloudbees-folder 4.10 true false credentials 1.24 true true credentials-binding 1.6 true false cvs 2.12 false true external-monitor-job 1.4 true false git 2.4.0 true false git-client 1.19.0 true false javadoc 1.3 true true junit 1.9 true true ldap 1.11 true false mailer 1.15 true true matrix-auth 1.2 true true matrix-project 1.6 true true maven-plugin 2.12.1 true true metrics 3.1.2 true false pam-auth 1.2 true true plain-credentials 1.1 true false reverse-proxy-auth-plugin 1.4.0 true false saml 0.4 false false scm-api 0.2 true false script-security 1.15 true true shiningpanda 0.22 true false ssh-agent 1.8 true false ssh-credentials 1.11 true true ssh-slaves 1.10 true true suppress-stack-trace 1.4 true false translation 1.12 false true windows-slaves 1.1 false true workflow-step-api 1.10.1 true false Jenkins running directly (no container) Jenkins accessed via reverse proxy Access Control: HTTP Header by reverse proxy

1. stacktrace.txt

   2016-04-05 19:52

   6 kB

   Josh Cook

2. jenkins-23417594.png

   2015-11-17 20:40

   602 kB

   Josh Cook

[JENKINS-31612] Stack trace shown with suppress-stack-trace plugin installed

Load more older comments

Collapse comment: Ivan Fernandez Calvo added a comment - 2016-09-09 07:17

Ivan Fernandez Calvo added a comment - 2016-09-09 07:17

This plugin overwrites the method createFilter from SecurityRealm and I think it breaks the filter chain and it does not passes by ExceptionTranslationFilter and UnwrapSecurityExceptionFilter

https://github.com/jenkinsci/reverse-proxy-auth-plugin/blob/master/src/main/java/org/jenkinsci/plugins/reverse_proxy_auth/ReverseProxySecurityRealm.java#L450-L556

Expand comment: Ivan Fernandez Calvo added a comment - 2016-09-09 07:17

Ivan Fernandez Calvo added a comment - 2016-09-09 07:17 This plugin overwrites the method createFilter from SecurityRealm and I think it breaks the filter chain and it does not passes by ExceptionTranslationFilter and UnwrapSecurityExceptionFilter https://github.com/jenkinsci/reverse-proxy-auth-plugin/blob/master/src/main/java/org/jenkinsci/plugins/reverse_proxy_auth/ReverseProxySecurityRealm.java#L450-L556

Collapse comment: Andrew Bayer added a comment - 2016-10-13 15:12

Andrew Bayer added a comment - 2016-10-13 15:12

ifernandezcalvo So would we want something more like https://github.com/jenkinsci/cas-plugin/blob/master/src/main/java/org/jenkinsci/plugins/cas/CasSecurityRealm.java#L172-L176, adding the new filter to the existing chain?

Expand comment: Andrew Bayer added a comment - 2016-10-13 15:12

Andrew Bayer added a comment - 2016-10-13 15:12 ifernandezcalvo So would we want something more like https://github.com/jenkinsci/cas-plugin/blob/master/src/main/java/org/jenkinsci/plugins/cas/CasSecurityRealm.java#L172-L176 , adding the new filter to the existing chain?

Collapse comment: Ivan Fernandez Calvo added a comment - 2016-10-13 15:50, Edited by Ivan Fernandez Calvo - 2016-10-13 15:51

Ivan Fernandez Calvo added a comment - 2016-10-13 15:50 - edited

abayer Yes, it probably works if it is added the filters missing

Expand comment: Ivan Fernandez Calvo added a comment - 2016-10-13 15:50, Edited by Ivan Fernandez Calvo - 2016-10-13 15:51

Ivan Fernandez Calvo added a comment - 2016-10-13 15:50 - edited abayer Yes, it probably works if it is added the filters missing

Collapse comment: Ivan Fernandez Calvo added a comment - 2016-10-13 22:20

Ivan Fernandez Calvo added a comment - 2016-10-13 22:20

abayer It works, I'm going to make a couple of test more and do the pull request

Expand comment: Ivan Fernandez Calvo added a comment - 2016-10-13 22:20

Ivan Fernandez Calvo added a comment - 2016-10-13 22:20 abayer It works, I'm going to make a couple of test more and do the pull request

Collapse comment: Andrew Bayer added a comment - 2016-10-14 06:41

Andrew Bayer added a comment - 2016-10-14 06:41

Great! Assigning to you. =)

Expand comment: Andrew Bayer added a comment - 2016-10-14 06:41

Andrew Bayer added a comment - 2016-10-14 06:41 Great! Assigning to you. =)

Collapse comment: Ivan Fernandez Calvo added a comment - 2016-10-15 23:21, Edited by Ivan Fernandez Calvo - 2016-10-15 23:21

Ivan Fernandez Calvo added a comment - 2016-10-15 23:21 - edited

tested now all access denied exceptions are controlled.
I made the PR with the fix.

Expand comment: Ivan Fernandez Calvo added a comment - 2016-10-15 23:21, Edited by Ivan Fernandez Calvo - 2016-10-15 23:21

Ivan Fernandez Calvo added a comment - 2016-10-15 23:21 - edited tested now all access denied exceptions are controlled. I made the PR with the fix.

Collapse comment: SCM/JIRA link daemon added a comment - 2016-12-02 19:55

SCM/JIRA link daemon added a comment - 2016-12-02 19:55

Code changed in jenkins
User: Ivan Fernandez Calvo
Path:
src/main/java/org/jenkinsci/plugins/reverse_proxy_auth/ReverseProxySecurityRealm.java
http://jenkins-ci.org/commit/reverse-proxy-auth-plugin/dc7808b503d4ae2d2e7c74fa35df0821c1b794f0
Log:
JENKINS-31612 creates the default filter and adds the new filter to the chain, so maintains the correct filter chain and unwarps access denied exceptions

Expand comment: SCM/JIRA link daemon added a comment - 2016-12-02 19:55

SCM/JIRA link daemon added a comment - 2016-12-02 19:55 Code changed in jenkins User: Ivan Fernandez Calvo Path: src/main/java/org/jenkinsci/plugins/reverse_proxy_auth/ReverseProxySecurityRealm.java http://jenkins-ci.org/commit/reverse-proxy-auth-plugin/dc7808b503d4ae2d2e7c74fa35df0821c1b794f0 Log: JENKINS-31612 creates the default filter and adds the new filter to the chain, so maintains the correct filter chain and unwarps access denied exceptions

Collapse comment: SCM/JIRA link daemon added a comment - 2016-12-02 19:55

SCM/JIRA link daemon added a comment - 2016-12-02 19:55

Code changed in jenkins
User: Wilder Rodrigues
Path:
src/main/java/org/jenkinsci/plugins/reverse_proxy_auth/ReverseProxySecurityRealm.java
http://jenkins-ci.org/commit/reverse-proxy-auth-plugin/cfa947cdc738e3ef992e99089bd207b12aaa4480
Log:
Merge pull request #28 from kuisathaverat/JENKINS-31612

JENKINS-31612 Fix filter chain

Compare: https://github.com/jenkinsci/reverse-proxy-auth-plugin/compare/f31a7875d611...cfa947cdc738

Expand comment: SCM/JIRA link daemon added a comment - 2016-12-02 19:55

SCM/JIRA link daemon added a comment - 2016-12-02 19:55 Code changed in jenkins User: Wilder Rodrigues Path: src/main/java/org/jenkinsci/plugins/reverse_proxy_auth/ReverseProxySecurityRealm.java http://jenkins-ci.org/commit/reverse-proxy-auth-plugin/cfa947cdc738e3ef992e99089bd207b12aaa4480 Log: Merge pull request #28 from kuisathaverat/ JENKINS-31612 JENKINS-31612 Fix filter chain Compare: https://github.com/jenkinsci/reverse-proxy-auth-plugin/compare/f31a7875d611...cfa947cdc738

Collapse comment: Josh Cook added a comment - 2016-12-14 21:06

Josh Cook added a comment - 2016-12-14 21:06

I see that changes to address have been merged into the suppress-stack-trace plugin master branch, but there hasn't been a subsequent release.

Is there any ETA for when a new version of this plugin will be available including these changes?

Expand comment: Josh Cook added a comment - 2016-12-14 21:06

Josh Cook added a comment - 2016-12-14 21:06 I see that changes to address have been merged into the suppress-stack-trace plugin master branch, but there hasn't been a subsequent release. Is there any ETA for when a new version of this plugin will be available including these changes?

Collapse comment: Oleg Nenashev added a comment - 2018-01-29 17:20

Oleg Nenashev added a comment - 2018-01-29 17:20

It has been actually released in 1.6.0

Expand comment: Oleg Nenashev added a comment - 2018-01-29 17:20

Oleg Nenashev added a comment - 2018-01-29 17:20 It has been actually released in 1.6.0