There is something strange with web container authentication and the Anonymous user.
I have two interesting cases (maybe it requires two different bugs).
The base situation is the following. Configure Hudson under a Java EE container
(I use Glassfish). Start Hudson and configure it to enable security with
container-based authentication and project-matrix-based authorization. Also
configure a user with the administrative role from the container security realm.
- Leave the Administrative role on the Anonymous user. I did this so that
if something goes wrong with the domain authentication I can still
fix the security settings. After testing the security I wanted to revoke
the admin right from Anonymous.
  - The result on login is IllegalStateException prior to #4822
  - The result is 404 on page j_acegi_security_check after #4822
- Revoke all rights from the Anonymous user.
  - Well, this led to IllegalStateException prior to #4822; after fixing that
  issue Hudson is looping on noPrincipals
  - The workaround is: type <site>/hudson/login in the browser, log in with an
  administrative user, and grant the Anonymous user an overall read permission.
Conclusion: Right now, with container-based security, the Anonymous user is required
and it shall have only overall read permission.