Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-4071

jnlp slaves doesn't support HTTP Auth

    XMLWordPrintable

    Details

    • Type: Patch
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Component/s: core
    • Labels:
      None
    • Environment:
      Platform: Macintosh, OS: All
    • Similar Issues:

      Description

      the jnlp slaves can't ship the auth credentials right now to get past a HTTP
      Basic Authed hudson setup. This little patch may be a bit hacky and only support
      Basic Auth, but it does the job for me.

      $ java -jar slave.jar -noCertificateCheck -jnlpUrl
      https://example.org/hudson/computer/NAME/slave-agent.jnlp -jnlpCredentials
      user:password

      Index: main/remoting/src/main/java/hudson/remoting/Launcher.java
      ===================================================================
      — main/remoting/src/main/java/hudson/remoting/Launcher.java (revision 19965)
      +++ main/remoting/src/main/java/hudson/remoting/Launcher.java (working copy)
      @@ -94,6 +94,9 @@
      "Connection parameters are obtained by parsing the JNLP file.")
      public URL slaveJnlpURL = null;

      + @Option(name="-jnlpCredentials")
      + public String slaveJnlpCredentials = null;
      +
      @Option(name="-cp",aliases="-classpath",metaVar="PATH",
      usage="add the given classpath elements to the system classloader.")
      public void addClasspath(String pathList) throws Exception {
      @@ -185,6 +188,12 @@
      while (true) {
      try {
      URLConnection con = slaveJnlpURL.openConnection();
      + if (con instanceof HttpURLConnection && slaveJnlpCredentials !=
      null)

      { + HttpURLConnection http = (HttpURLConnection) con; + String userPassword = slaveJnlpCredentials; + String encoding = new sun.misc.BASE64Encoder().encode (userPassword.getBytes()); + http.setRequestProperty ("Authorization", "Basic " + encoding); + }

      con.connect();

      if (con instanceof HttpURLConnection) {
      @@ -216,6 +225,10 @@
      List<String> jnlpArgs = new ArrayList<String>();
      for( int i=0; i<argElements.getLength(); i++ )
      jnlpArgs.add(argElements.item.getTextContent());
      + if (slaveJnlpCredentials != null)

      { + jnlpArgs.add("-credentials"); + jnlpArgs.add(slaveJnlpCredentials); + }

      // force a headless mode
      jnlpArgs.add("-headless");
      return jnlpArgs;
      Index: main/remoting/src/main/java/hudson/remoting/Engine.java
      ===================================================================
      — main/remoting/src/main/java/hudson/remoting/Engine.java (revision 19965)
      +++ main/remoting/src/main/java/hudson/remoting/Engine.java (working copy)
      @@ -78,6 +78,7 @@

      private final String secretKey;
      public final String slaveName;
      + private String credentials;

      /**

      • See Main#tunnel in the jnlp-agent module for the details.
        @@ -103,6 +104,10 @@
        this.tunnel = tunnel;
        }

      + public void setCredentials(String creds)

      { + this.credentials = creds; + }

      +
      public void setNoReconnect(boolean noReconnect)

      { this.noReconnect = noReconnect; }

      @@ -130,6 +135,11 @@

      // find out the TCP port
      HttpURLConnection con =
      (HttpURLConnection)salURL.openConnection();
      + if (con instanceof HttpURLConnection && credentials != null)

      { + HttpURLConnection http = (HttpURLConnection) con; + String encoding = new sun.misc.BASE64Encoder().encode (credentials.getBytes()); + http.setRequestProperty ("Authorization", "Basic " + encoding); + }

      try

      { con.connect(); }

      catch (IOException x) {
      Index: main/remoting/src/main/java/hudson/remoting/jnlp/Main.java
      ===================================================================
      — main/remoting/src/main/java/hudson/remoting/jnlp/Main.java (revision 19965)
      +++ main/remoting/src/main/java/hudson/remoting/jnlp/Main.java (working copy)
      @@ -64,6 +64,10 @@
      usage="Specify the Hudson root URLs to connect to.")
      public final List<URL> urls = new ArrayList<URL>();

      + @Option(name="-credentials",metaVar="USER:PASSWORD",
      + usage="Specify the Hudson credentials")
      + public String credentials;
      +
      @Option(name="-noreconnect",
      usage="If the connection ends, don't retry and just exit.")
      public boolean noReconnect = false;
      @@ -111,6 +115,8 @@
      urls, args.get(0), args.get(1));
      if(tunnel!=null)
      engine.setTunnel(tunnel);
      + if(credentials!=null)
      + engine.setCredentials(credentials);
      engine.setNoReconnect(noReconnect);
      engine.start();
      engine.join();

        Attachments

          Issue Links

            Activity

            Hide
            jglick Jesse Glick added a comment -
                • Issue 4072 has been marked as a duplicate of this issue. ***
            Show
            jglick Jesse Glick added a comment - Issue 4072 has been marked as a duplicate of this issue. ***
            Hide
            kohsuke Kohsuke Kawaguchi added a comment -

            Please put the patch as an attachment to avoid automatic line wraps.

            There's one thing I don't understand, though — Even when the security is
            enabled, all the URLs that JNLP slaves need to access is outside access control.

            Are you setting up BASIC auth at the front end Apache or something?

            Show
            kohsuke Kohsuke Kawaguchi added a comment - Please put the patch as an attachment to avoid automatic line wraps. There's one thing I don't understand, though — Even when the security is enabled, all the URLs that JNLP slaves need to access is outside access control. Are you setting up BASIC auth at the front end Apache or something?
            Hide
            weigon weigon added a comment -

            Created an attachment (id=789)
            added Basic Auth to JNPL

            Show
            weigon weigon added a comment - Created an attachment (id=789) added Basic Auth to JNPL
            Hide
            weigon weigon added a comment -

            Yes, we use apache with auth in the frontend and hudson behind it. We have a
            more than one service behind this frontend apache and auth only once to use them
            all.

            The auth-code of this patch is a bit hacky and only does Basic Auth.

            Show
            weigon weigon added a comment - Yes, we use apache with auth in the frontend and hudson behind it. We have a more than one service behind this frontend apache and auth only once to use them all. The auth-code of this patch is a bit hacky and only does Basic Auth.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in hudson
            User: : kohsuke
            Path:
            trunk/hudson/main/remoting/src/main/java/hudson/remoting/Engine.java
            trunk/hudson/main/remoting/src/main/java/hudson/remoting/Launcher.java
            trunk/hudson/main/remoting/src/main/java/hudson/remoting/jnlp/Main.java
            trunk/www/changelog.html
            http://fisheye4.cenqua.com/changelog/hudson/?cs=23113
            Log:
            [FIXED JENKINS-4071] Applied the change toward 1.331.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in hudson User: : kohsuke Path: trunk/hudson/main/remoting/src/main/java/hudson/remoting/Engine.java trunk/hudson/main/remoting/src/main/java/hudson/remoting/Launcher.java trunk/hudson/main/remoting/src/main/java/hudson/remoting/jnlp/Main.java trunk/www/changelog.html http://fisheye4.cenqua.com/changelog/hudson/?cs=23113 Log: [FIXED JENKINS-4071] Applied the change toward 1.331.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in hudson
            User: : kohsuke
            Path:
            trunk/hudson/main/remoting/src/main/java/hudson/remoting/Engine.java
            trunk/www/changelog.html
            http://jenkins-ci.org/commit/31576
            Log:
            [FIXED JENKINS-6262] HTTP auth support was added in JENKINS-4071, so I've only integrated the portion that specifies the timeout and a call to disconnect(). Will be in 1.361.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in hudson User: : kohsuke Path: trunk/hudson/main/remoting/src/main/java/hudson/remoting/Engine.java trunk/www/changelog.html http://jenkins-ci.org/commit/31576 Log: [FIXED JENKINS-6262] HTTP auth support was added in JENKINS-4071 , so I've only integrated the portion that specifies the timeout and a call to disconnect(). Will be in 1.361.
            Hide
            cforce101 cforce101 added a comment -

            Is it possible to modify the jnlp this way that the user will be asked if he wann accept the self-signed certificate instead of using parameter "noCertificateCheck" on cmd line call?
            Else is there any other solution to make the default jnlp work with self-signed certificates when using ssl?

            Show
            cforce101 cforce101 added a comment - Is it possible to modify the jnlp this way that the user will be asked if he wann accept the self-signed certificate instead of using parameter "noCertificateCheck" on cmd line call? Else is there any other solution to make the default jnlp work with self-signed certificates when using ssl?
            Hide
            ringerc Craig Ringer added a comment -

            This doesn't change the example commands to show the authentication argument on the node info page, so you have to research how to get the slave to work once you hit this problem.

            Show
            ringerc Craig Ringer added a comment - This doesn't change the example commands to show the authentication argument on the node info page, so you have to research how to get the slave to work once you hit this problem.

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              weigon weigon
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: