• Patch
    • Resolution: Fixed
    • Major
    • core
    • None
    • Platform: Macintosh, OS: All

      The jnlp slaves can't ship the auth credentials right now to get past an HTTP
      Basic Authed hudson setup. This little patch may be a bit hacky and only support
      Basic Auth, but it does the job for me.

      $ java -jar slave.jar -noCertificateCheck -jnlpUrl
      https://example.org/hudson/computer/NAME/slave-agent.jnlp -jnlpCredentials
      user:password

      Index: main/remoting/src/main/java/hudson/remoting/Launcher.java
      ===================================================================
      — main/remoting/src/main/java/hudson/remoting/Launcher.java (revision 19965)
      +++ main/remoting/src/main/java/hudson/remoting/Launcher.java (working copy)
      @@ -94,6 +94,9 @@
      "Connection parameters are obtained by parsing the JNLP file.")
      public URL slaveJnlpURL = null;

      + @Option(name="-jnlpCredentials")
      + public String slaveJnlpCredentials = null;
      +
      @Option(name="-cp",aliases="-classpath",metaVar="PATH",
      usage="add the given classpath elements to the system classloader.")
      public void addClasspath(String pathList) throws Exception {
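
      Review bot: The new option declared as `@Option(name="-jnlpCredentials")` has no `usage` or `metaVar`, unlike the `-cp` option directly below it, so the help output will not tell the user that the expected value is `user:password`. Please add both. Also note that a password passed as a command-line argument is visible to other local users in the process list; accepting it from a file as an alternative would avoid that.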
      @@ -185,6 +188,12 @@
      while (true) {
      try {
      URLConnection con = slaveJnlpURL.openConnection();
      + if (con instanceof HttpURLConnection && slaveJnlpCredentials !=
      null)

      { + HttpURLConnection http = (HttpURLConnection) con; + String userPassword = slaveJnlpCredentials; + String encoding = new sun.misc.BASE64Encoder().encode (userPassword.getBytes()); + http.setRequestProperty ("Authorization", "Basic " + encoding); + }

      con.connect();

      if (con instanceof HttpURLConnection) {
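
      Review bot: The `Authorization` header is set for any `HttpURLConnection`, so when `slaveJnlpURL` is a plain `http:` URL the Basic credentials travel unencrypted (Base64 is an encoding, not protection); I would at least warn when the scheme is not `https`. Two smaller points on the same added lines: `userPassword.getBytes()` uses the platform default charset, so pass an explicit one, and `sun.misc.BASE64Encoder` is an internal JDK class whose `encode` breaks long output into lines, which would put a line break into the header value for a long credential string.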
      @@ -216,6 +225,10 @@
      List<String> jnlpArgs = new ArrayList<String>();
      for( int i=0; i<argElements.getLength(); i++ )
      jnlpArgs.add(argElements.item.getTextContent());
      + if (slaveJnlpCredentials != null)

      { + jnlpArgs.add("-credentials"); + jnlpArgs.add(slaveJnlpCredentials); + }

      // force a headless mode
      jnlpArgs.add("-headless");
      return jnlpArgs;
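
      Review bot: `jnlpArgs.add(slaveJnlpCredentials)` places the raw `user:password` in the argument list that is returned for further parsing, so any code that logs or prints `jnlpArgs` would leak the password. If the value can reach the engine without being round-tripped through string arguments, prefer that; if it stays here, make sure the list is never written to a log.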
      Index: main/remoting/src/main/java/hudson/remoting/Engine.java
      ===================================================================
      — main/remoting/src/main/java/hudson/remoting/Engine.java (revision 19965)
      +++ main/remoting/src/main/java/hudson/remoting/Engine.java (working copy)
      @@ -78,6 +78,7 @@

      private final String secretKey;
      public final String slaveName;
      + private String credentials;

      /**

      • See Main#tunnel in the jnlp-agent module for the details.
        @@ -103,6 +104,10 @@
        this.tunnel = tunnel;
        }

      + public void setCredentials(String creds)

      { + this.credentials = creds; + }

      +
      public void setNoReconnect(boolean noReconnect)

      { this.noReconnect = noReconnect; }
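
      Review bot: `setCredentials(String creds)` stores whatever it is given, with no Javadoc and no format check. The value is later Base64-encoded as is into a Basic `Authorization` header, so a string without the `:` separator produces a malformed credential that only surfaces as a failed request. Document the expected `user:password` form on the setter and reject input that lacks the colon.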

      @@ -130,6 +135,11 @@

      // find out the TCP port
      HttpURLConnection con =
      (HttpURLConnection)salURL.openConnection();
      + if (con instanceof HttpURLConnection && credentials != null)

      { + HttpURLConnection http = (HttpURLConnection) con; + String encoding = new sun.misc.BASE64Encoder().encode (credentials.getBytes()); + http.setRequestProperty ("Authorization", "Basic " + encoding); + }

      try

      { con.connect(); }

      catch (IOException x) {
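
      Review bot: In `if (con instanceof HttpURLConnection && credentials != null)` the `instanceof` test is always true, because `con` is already declared and cast as `HttpURLConnection` on the line above; the extra `http` variable is unnecessary for the same reason. The block is also a copy of the header-building code added to `Launcher.java`, so a single shared helper would keep the two copies from drifting apart.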
      Index: main/remoting/src/main/java/hudson/remoting/jnlp/Main.java
      ===================================================================
      — main/remoting/src/main/java/hudson/remoting/jnlp/Main.java (revision 19965)
      +++ main/remoting/src/main/java/hudson/remoting/jnlp/Main.java (working copy)
      @@ -64,6 +64,10 @@
      usage="Specify the Hudson root URLs to connect to.")
      public final List<URL> urls = new ArrayList<URL>();

      + @Option(name="-credentials",metaVar="USER:PASSWORD",
      + usage="Specify the Hudson credentials")
      + public String credentials;
      +
      @Option(name="-noreconnect",
      usage="If the connection ends, don't retry and just exit.")
      public boolean noReconnect = false;
      @@ -111,6 +115,8 @@
      urls, args.get(0), args.get(1));
      if(tunnel!=null)
      engine.setTunnel(tunnel);
      + if(credentials!=null)
      + engine.setCredentials(credentials);
      engine.setNoReconnect(noReconnect);
      engine.start();
      engine.join();

          [JENKINS-4071] jnlp slaves doesn't support HTTP Auth

          Jesse Glick added a comment -

          *** Issue 4072 has been marked as a duplicate of this issue. ***

          Kohsuke Kawaguchi added a comment -

          Please put the patch as an attachment to avoid automatic line wraps.

          There's one thing I don't understand, though — even when the security is
          enabled, all the URLs that JNLP slaves need to access are outside access control.

          Are you setting up BASIC auth at the front end Apache or something?

          weigon added a comment -

          Created an attachment (id=789)
          added Basic Auth to JNLP

          weigon added a comment -

          Yes, we use apache with auth in the frontend and hudson behind it. We have
          more than one service behind this frontend apache and auth only once to use them
          all.

          The auth-code of this patch is a bit hacky and only does Basic Auth.

          SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: kohsuke
          Path:
          trunk/hudson/main/remoting/src/main/java/hudson/remoting/Engine.java
          trunk/hudson/main/remoting/src/main/java/hudson/remoting/Launcher.java
          trunk/hudson/main/remoting/src/main/java/hudson/remoting/jnlp/Main.java
          trunk/www/changelog.html
          http://fisheye4.cenqua.com/changelog/hudson/?cs=23113
          Log:
          [FIXED JENKINS-4071] Applied the change toward 1.331.

          SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: kohsuke
          Path:
          trunk/hudson/main/remoting/src/main/java/hudson/remoting/Engine.java
          trunk/www/changelog.html
          http://jenkins-ci.org/commit/31576
          Log:
          [FIXED JENKINS-6262] HTTP auth support was added in JENKINS-4071, so I've only integrated the portion that specifies the timeout and a call to disconnect(). Will be in 1.361.

          cforce101 added a comment -

          Is it possible to modify the jnlp in such a way that the user will be asked if he wants to accept the self-signed certificate instead of using the parameter "noCertificateCheck" on the cmd line call?
          Else is there any other solution to make the default jnlp work with self-signed certificates when using ssl?

          Craig Ringer added a comment -

          This doesn't change the example commands to show the authentication argument on the node info page, so you have to research how to get the slave to work once you hit this problem.


            Assignee: Unassigned
            Reporter: weigon