Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-71092

Adom group issue after jenkins upgrade

XMLWordPrintable

      We are facing ADOM group issue when adding it using the 'Add group' option. we upgraded Jenkins from 2.264.4 to 2.387.1 LTS The process of upgrade is

      1. Uninstalled java 8 and installed java 11
      2. Replaced Tomcat 9.0.50 with 9.0.70
      3. Under tomcat/webapps, deleted old Jenkins.war (2.264.4) and added new jenkins.war (2.387.1 LTS).
      4. We have a custom directory path for Jenkins file system which is untouched.
      5. Started tomcat service to start upgraded Jenkins and was loaded with all the pre existing data, jobs, plugins, and configs.
      6. In the pluginManager > updates, we updated selective plugins as per required.
      7. The Role-based Authorization Strategy Plugin in upgraded Jenkins is (587.588.v850a_20a_30162) and the old Jenkins is (3.1.1).

      FYI - This is no plugin issue as we have another upgraded Jenkins running with the same set of plugins and running with no issue.

      Authentication type enabled:
      1. Security Realm - SAML 2.0
      2. Project-based Matrix Authorization Strategy 

      After the ADOM group is added, we see a red exclamation, and when clicked on (show details) below is the error displayed... 

      java.lang.IllegalArgumentException: A granted authority textual representation is required
at org.springframework.util.Assert.hasText(Assert.java:289)
at org.springframework.security.core.authority.SimpleGrantedAuthority.<init>(SimpleGrantedAuthority.java:39)
at jenkins.security.LastGrantedAuthoritiesProperty.getAuthorities2(LastGrantedAuthoritiesProperty.java:68)
at org.jenkinsci.plugins.saml.SamlGroupDetails.hasGroupOnAuthorities(SamlGroupDetails.java:65)
at org.jenkinsci.plugins.saml.SamlGroupDetails.lambda$getMembers$0(SamlGroupDetails.java:55)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1541)
at org.jenkinsci.plugins.saml.SamlGroupDetails.getMembers(SamlGroupDetails.java:53)
at org.jenkinsci.plugins.saml.SamlSecurityRealm.loadGroupByGroupname2(SamlSecurityRealm.java:633)
at org.jenkinsci.plugins.matrixauth.ValidationUtil.validateGroup(ValidationUtil.java:68)
at org.jenkinsci.plugins.matrixauth.AuthorizationContainerDescriptor.doCheckName_(AuthorizationContainerDescriptor.java:190)
at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:222)
at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397)
at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:409)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:207)
at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:140)
at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:558)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:289)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:698)
at org.kohsuke.stapler.Stapler.service(Stapler.java:248)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:779)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:157)
at com.splunk.splunkjenkins.WebPostAccessLogger.doFilter(WebPostAccessLogger.java:39)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
at org.jenkinsci.plugins.corsfilter.AccessControlsFilter.doFilter(AccessControlsFilter.java:79)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:248)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:129)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:81)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:60)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:239)
at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215)
at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:121)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
at javax.servlet.FilterChain$doFilter.call(Unknown Source)
at com.ceilfors.jenkins.plugins.jiratrigger.ExceptionLoggingFilter.doFilter(ExceptionLoggingFilter.groovy:29)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
at hudson.plugins.greenballs.GreenBallFilter.doFilter(GreenBallFilter.java:64)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:160)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:160)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:54)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:110)
at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:117)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:177)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:660)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:891)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1784)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:829)

          [JENKINS-71092] Adom group issue after jenkins upgrade

          Akhil T created issue -
          Akhil T made changes -
          Description Original: We are facing ADOM group issue when adding it using the 'Add group' option. we upgraded Jenkins from 2.264.4 to 2.387.1 LTS The process of upgrade is

          1. Uninstalled java 8 and installed java 11
          2. Replaced Tomcat 9.0.50 with 9.0.70
          3. Under tomcat/webapps, deleted old Jenkins.war (2.264.4) and added new jenkins.war (2.387.1 LTS).
          4. We have a custom directory path for Jenkins file system which is untouched.
          5. Started tomcat service to start upgraded Jenkins and was loaded with all the pre existing data, jobs, plugins, and configs.
          6. In the pluginManager > updates, we updated selective plugins as per required.
          7. The Role-based Authorization Strategy Plugin in upgraded Jenkins is (587.588.v850a_20a_30162) and the old Jenkins is (3.1.1).

          FYI - This is no plugin issue as we have another upgraded Jenkins running with the same set of plugins and running with no issue.

          Authentication type enabled:
          1. Security Realm - SAML 2.0
          2. Project-based Matrix Authorization Strategy 


          After the ADOM group is added, we see a red exclamation, and when clicked on (show details) below is the error displayed... (Also see screenshot)


          {code:java}
          java.lang.IllegalArgumentException: A granted authority textual representation is required
          at org.springframework.util.Assert.hasText(Assert.java:289)
          at org.springframework.security.core.authority.SimpleGrantedAuthority.<init>(SimpleGrantedAuthority.java:39)
          at jenkins.security.LastGrantedAuthoritiesProperty.getAuthorities2(LastGrantedAuthoritiesProperty.java:68)
          at org.jenkinsci.plugins.saml.SamlGroupDetails.hasGroupOnAuthorities(SamlGroupDetails.java:65)
          at org.jenkinsci.plugins.saml.SamlGroupDetails.lambda$getMembers$0(SamlGroupDetails.java:55)
          at java.base/java.util.ArrayList.forEach(ArrayList.java:1541)
          at org.jenkinsci.plugins.saml.SamlGroupDetails.getMembers(SamlGroupDetails.java:53)
          at org.jenkinsci.plugins.saml.SamlSecurityRealm.loadGroupByGroupname2(SamlSecurityRealm.java:633)
          at org.jenkinsci.plugins.matrixauth.ValidationUtil.validateGroup(ValidationUtil.java:68)
          at org.jenkinsci.plugins.matrixauth.AuthorizationContainerDescriptor.doCheckName_(AuthorizationContainerDescriptor.java:190)
          at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:222)
          at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
          at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397)
          at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:409)
          at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:207)
          at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:140)
          at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:558)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
          at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:289)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:698)
          at org.kohsuke.stapler.Stapler.service(Stapler.java:248)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:779)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
          at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:157)
          at com.splunk.splunkjenkins.WebPostAccessLogger.doFilter(WebPostAccessLogger.java:39)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at org.jenkinsci.plugins.corsfilter.AccessControlsFilter.doFilter(AccessControlsFilter.java:79)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:248)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:129)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:81)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:60)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:239)
          at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215)
          at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
          at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:121)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at javax.servlet.FilterChain$doFilter.call(Unknown Source)
          at com.ceilfors.jenkins.plugins.jiratrigger.ExceptionLoggingFilter.doFilter(ExceptionLoggingFilter.groovy:29)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at hudson.plugins.greenballs.GreenBallFilter.doFilter(GreenBallFilter.java:64)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:160)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
          at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:160)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
          at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
          at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:54)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
          at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
          at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
          at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
          at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:110)
          at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
          at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
          at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
          at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
          at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:117)
          at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
          at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
          at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
          at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
          at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
          at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
          at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
          at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:177)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:660)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
          at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
          at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
          at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
          at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:891)
          at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1784)
          at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
          at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
          at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
          at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
          at java.base/java.lang.Thread.run(Thread.java:829){code}           		New: We are facing ADOM group issue when adding it using the 'Add group' option. we upgraded Jenkins from 2.264.4 to 2.387.1 LTS The process of upgrade is

          1. Uninstalled java 8 and installed java 11
          2. Replaced Tomcat 9.0.50 with 9.0.70
          3. Under tomcat/webapps, deleted old Jenkins.war (2.264.4) and added new jenkins.war (2.387.1 LTS).
          4. We have a custom directory path for Jenkins file system which is untouched.
          5. Started tomcat service to start upgraded Jenkins and was loaded with all the pre existing data, jobs, plugins, and configs.
          6. In the pluginManager > updates, we updated selective plugins as per required.
          7. The Role-based Authorization Strategy Plugin in upgraded Jenkins is (587.588.v850a_20a_30162) and the old Jenkins is (3.1.1).

          FYI - This is no plugin issue as we have another upgraded Jenkins running with the same set of plugins and running with no issue.

          Authentication type enabled:
          1. Security Realm - SAML 2.0
          2. Project-based Matrix Authorization Strategy 

          After the ADOM group is added, we see a red exclamation, and when clicked on (show details) below is the error displayed... 
          {code:java}
          java.lang.IllegalArgumentException: A granted authority textual representation is required
          at org.springframework.util.Assert.hasText(Assert.java:289)
          at org.springframework.security.core.authority.SimpleGrantedAuthority.<init>(SimpleGrantedAuthority.java:39)
          at jenkins.security.LastGrantedAuthoritiesProperty.getAuthorities2(LastGrantedAuthoritiesProperty.java:68)
          at org.jenkinsci.plugins.saml.SamlGroupDetails.hasGroupOnAuthorities(SamlGroupDetails.java:65)
          at org.jenkinsci.plugins.saml.SamlGroupDetails.lambda$getMembers$0(SamlGroupDetails.java:55)
          at java.base/java.util.ArrayList.forEach(ArrayList.java:1541)
          at org.jenkinsci.plugins.saml.SamlGroupDetails.getMembers(SamlGroupDetails.java:53)
          at org.jenkinsci.plugins.saml.SamlSecurityRealm.loadGroupByGroupname2(SamlSecurityRealm.java:633)
          at org.jenkinsci.plugins.matrixauth.ValidationUtil.validateGroup(ValidationUtil.java:68)
          at org.jenkinsci.plugins.matrixauth.AuthorizationContainerDescriptor.doCheckName_(AuthorizationContainerDescriptor.java:190)
          at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:222)
          at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
          at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397)
          at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:409)
          at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:207)
          at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:140)
          at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:558)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
          at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:289)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:698)
          at org.kohsuke.stapler.Stapler.service(Stapler.java:248)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:779)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
          at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:157)
          at com.splunk.splunkjenkins.WebPostAccessLogger.doFilter(WebPostAccessLogger.java:39)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at org.jenkinsci.plugins.corsfilter.AccessControlsFilter.doFilter(AccessControlsFilter.java:79)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:248)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:129)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:81)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:60)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:239)
          at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215)
          at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
          at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:121)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at javax.servlet.FilterChain$doFilter.call(Unknown Source)
          at com.ceilfors.jenkins.plugins.jiratrigger.ExceptionLoggingFilter.doFilter(ExceptionLoggingFilter.groovy:29)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at hudson.plugins.greenballs.GreenBallFilter.doFilter(GreenBallFilter.java:64)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:160)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
          at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:160)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
          at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
          at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:54)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
          at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
          at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
          at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
          at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:110)
          at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
          at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
          at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
          at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
          at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:117)
          at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
          at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
          at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
          at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
          at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
          at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
          at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
          at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:177)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:660)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
          at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
          at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
          at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
          at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:891)
          at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1784)
          at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
          at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
          at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
          at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
          at java.base/java.lang.Thread.run(Thread.java:829){code}

          Daniel Beck added a comment - - edited

          Role-based Authorization Strategy Plugin in upgraded Jenkins is (587.588.v850a_20a_30162)

          Why does the version of https://plugins.jenkins.io/role-strategy/ matter, when you're using https://plugins.jenkins.io/matrix-auth/ ?

          This looks like an empty group name, or null is recorded in the LastGrantedAuthoritiesProperty of  one of the users in JENKINS_HOME/users. Check those XML files for the serialized list of recorded group memberships and remove any that look like they represent an empty string.

          matrix-auth is not involved in recording groups or this code path beyond a general group lookup, so I'm removing that component. The likely culprit is SAML Plugin, or core.

          Daniel Beck added a comment - - edited Role-based Authorization Strategy Plugin in upgraded Jenkins is (587.588.v850a_20a_30162) Why does the version of https://plugins.jenkins.io/role-strategy/ matter, when you're using https://plugins.jenkins.io/matrix-auth/ ? This looks like an empty group name, or null is recorded in the LastGrantedAuthoritiesProperty of  one of the users in JENKINS_HOME/users . Check those XML files for the serialized list of recorded group memberships and remove any that look like they represent an empty string. matrix-auth is not involved in recording groups or this code path beyond a general group lookup, so I'm removing that component. The likely culprit is SAML Plugin, or core.
          Daniel Beck made changes -
          Component/s Original: matrix-auth-plugin [ 18131 ]
          Daniel Beck made changes -
          Assignee Original: Daniel Beck [ danielbeck ] New: Oleg Nenashev [ oleg_nenashev ]
          Daniel Beck made changes -
          Component/s New: saml-plugin [ 20321 ]
          Component/s Original: role-strategy-plugin [ 15758 ]
          Daniel Beck made changes -
          Assignee Original: Oleg Nenashev [ oleg_nenashev ] New: Ivan Fernandez Calvo [ ifernandezcalvo ]

          Ivan Fernandez Calvo added a comment -

          If the SAML Response has a granted group with an empty content, that’s is a wrong IdP implementation/configuration, it is something unexpected and probable against the definition of the SAML response, so this issue is not a blocker at all. Please set the priority to normal or even low.

          After said that, if a granted group is empty the SAML plugin probably pass it to the core function that saves that field. The thing is where we punt the defensive code in the SAML plugin and we cover only the case for SAML or we put the filter in the Core to cover any bad data that come from external sources.

          Ivan Fernandez Calvo added a comment - If the SAML Response has a granted group with an empty content, that’s is a wrong IdP implementation/configuration, it is something unexpected and probable against the definition of the SAML response, so this issue is not a blocker at all. Please set the priority to normal or even low. After said that, if a granted group is empty the SAML plugin probably pass it to the core function that saves that field. The thing is where we punt the defensive code in the SAML plugin and we cover only the case for SAML or we put the filter in the Core to cover any bad data that come from external sources.
          Ivan Fernandez Calvo made changes -
          Priority Original: Blocker [ 1 ] New: Minor [ 4 ]

          Ivan Fernandez Calvo added a comment - - edited

          Checking the SAML plugin code, the groups are already filtered https://github.com/jenkinsci/saml-plugin/blob/main/src/main/java/org/jenkinsci/plugins/saml/SamlSecurityRealm.java#L502-L508. Hence, it is complicated that the SAML plugin generates that empty I don't know where that empty group comes from, but it is returned by jenkins.security.LastGrantedAuthoritiesProperty.getAuthorities2(LastGrantedAuthoritiesProperty.java:68).
          The user is making an upgrade or adding a group to a user, the initial comment confuses me. I doubt that all users have the same problem, so find the user with the weird LastGrantedAuthoritiesProperty and move its user folder to another place them make the upgrade(or whatever it is doing).

          Ivan Fernandez Calvo added a comment - - edited Checking the SAML plugin code, the groups are already filtered https://github.com/jenkinsci/saml-plugin/blob/main/src/main/java/org/jenkinsci/plugins/saml/SamlSecurityRealm.java#L502-L508 . Hence, it is complicated that the SAML plugin generates that empty I don't know where that empty group comes from, but it is returned by jenkins.security.LastGrantedAuthoritiesProperty.getAuthorities2(LastGrantedAuthoritiesProperty.java:68). The user is making an upgrade or adding a group to a user, the initial comment confuses me. I doubt that all users have the same problem, so find the user with the weird LastGrantedAuthoritiesProperty and move its user folder to another place them make the upgrade(or whatever it is doing).

            ifernandezcalvo Ivan Fernandez Calvo
            akhitak Akhil T
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: