JENKINS-4827

anonymous user vs web container security (loop on noPrincipals)


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Component: _unsorted
    • Platform: All, OS: All

    Description

      There is something strange with web container authentication and the Anonymous user.
      I have two interesting cases (it might be that they require two different bugs).
      The base situation is the following. Configure Hudson under a Java EE container
      (I use Glassfish). Start Hudson and configure it to enable security with
      container-based authentication and project matrix-based authorization. Also
      configure a user with the administrative role from the container security realm.

      Case one:

      • Leave the Administrative role on the Anonymous user. I did it for the
        reason that if something goes wrong with the domain authentication I can still
        fix the security settings. After testing the security I wanted to revoke
        the admin right from Anonymous.
      • The result on login is an IllegalStateException prior to #4822.
      • The result is a 404 on the page j_acegi_security_check after #4822.

      Case two:

      • Revoke all rights from the Anonymous user.
      • Well, this led to an IllegalStateException prior to #4822; after fixing that
        issue Hudson is looping on noPrincipals.
      • The workaround is: type <site>/hudson/login in the browser, log in with an
        administrative user and grant the Anonymous user the Overall read permission.

      Conclusion: right now, with container-based security, the Anonymous user is required
      and it shall have only the Overall read permission.


        Activity

          lkishalmi added a comment -

          I made some additional checks. Even with Anonymous having the Overall read permission
          you need to use the <site>/hudson/login URL to log in.

          My quick and dirty workaround in LegacySecurityRealm.java:

              // Point the login link at the /login page instead of the default entry point.
              @Override
              public String getLoginUrl() {
                  return "login";
              }

          So the login link points to the page where I can really log in. I don't think
          that this workaround is a solution, as the code I changed is nearly two years old
          and it used to work before.

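          Added illustration (editor's example, not part of this issue and not Hudson/Jenkins or the reporter's code): a small Python model of why case two loops. The URLs LOGIN_URL and NO_PRINCIPAL_URL, the Matrix class and the handle() function are assumptions of the model, not Hudson internals. It reproduces the behaviour reported above: with every right revoked from Anonymous, a denied request is redirected to the login entry point, which is itself denied, so the redirects never settle; granting Anonymous Overall/Read (the workaround on this page) lets the noPrincipal page render. The exempt_login flag shows the design alternative of exempting the authentication endpoints from the permission check, which the page does not describe but which is the general rule behind the workaround.

```python
# Constructed model of the redirect loop from JENKINS-4827.
# Not Hudson/Jenkins code: the endpoints, the matrix and handle() are
# assumptions chosen to reproduce the behaviour the report describes.
from dataclasses import dataclass

ANONYMOUS = "anonymous"
OVERALL_READ = "Overall/Read"

# Assumed endpoints: the container-auth entry point, and the page shown
# when the container handed back no principal (the "noPrincipal" page).
LOGIN_URL = "/loginEntry"
NO_PRINCIPAL_URL = "/noPrincipal"


@dataclass
class Matrix:
    """Project-matrix style authorization: user -> set of permissions."""
    grants: dict

    def allows(self, user: str, permission: str) -> bool:
        return permission in self.grants.get(user, set())


def handle(matrix: Matrix, path: str, principal: str,
           exempt_login: bool = False) -> str:
    """Follow redirects for one request and return where it settles.

    principal is the user the web container reports (ANONYMOUS if none).
    With exempt_login=True the two authentication endpoints skip the
    permission check. Returns the final path, or "loop" when a path is
    visited twice, i.e. the redirects never settle.
    """
    visited = []
    while path not in visited:
        visited.append(path)
        auth_endpoint = path in (LOGIN_URL, NO_PRINCIPAL_URL)
        if not (exempt_login and auth_endpoint) \
                and not matrix.allows(principal, OVERALL_READ):
            path = LOGIN_URL            # permission denied -> go to login
            continue
        if path == LOGIN_URL:
            if principal == ANONYMOUS:
                path = NO_PRINCIPAL_URL  # container did not authenticate
                continue
            return "/"                  # container authenticated -> home
        return path                     # reached a readable page
    return "loop"


# Case two from the report: every right revoked from Anonymous.
NO_RIGHTS = Matrix({"admin": {OVERALL_READ, "Overall/Administer"}})
# Workaround from the report: Anonymous keeps only Overall/Read.
ANON_READ = Matrix({ANONYMOUS: {OVERALL_READ},
                    "admin": {OVERALL_READ, "Overall/Administer"}})


def demo() -> dict:
    """Run the four scenarios and return where each request ends up."""
    return {
        "no_rights_anonymous": handle(NO_RIGHTS, "/", ANONYMOUS),
        "no_rights_admin": handle(NO_RIGHTS, "/", "admin"),
        "anon_read_login": handle(ANON_READ, LOGIN_URL, ANONYMOUS),
        "no_rights_exempt": handle(NO_RIGHTS, "/", ANONYMOUS, exempt_login=True),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

          The first scenario is the loop in case two; the second shows a container-authenticated admin is unaffected; the third is the workaround, where Anonymous can reach the noPrincipal page and from there go to /login; the fourth shows that making the authentication endpoints reachable without Overall/Read removes the need to grant Anonymous anything at all.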

          People

            Assignee: Unassigned
            Reporter: lkishalmi
            Votes: 0
            Watchers: 0
