Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-74800

Reverse Proxy Auth Plugin 1.7.7 fails with 2.479.1

    • 1.8.0

      Hi,

      After upgrading from 2.462.3 to 2.479.1, jenkins starts but fails with the following stacktrace. Nothings is accessible as we have enforced security with LDAP groups to jobs.

      After having rollbacked, I have seen the release notes regarding Spring 6 and the need to manually update the LDAP plugin, it could be related, but not quite sure as this plugin does not seem to use Spring Security.

       

      Thanks!

      [Loading global config] jenkins.model.Jenkins$5.runTask Loading global config failed perhaps due to plugin dependency issues
          java.lang.NoSuchMethodError: 'void org.springframework.util.Assert.hasLength(java.lang.String)'
              at PluginClassLoader for reverse-proxy-auth-plugin//org.acegisecurity.ldap.LdapUtils.parseRootDnFromUrl(LdapUtils.java:107)
              at PluginClassLoader for reverse-proxy-auth-plugin//org.acegisecurity.ldap.DefaultInitialDirContextFactory.setProviderUrl(DefaultInitialDirContextFactory.java:144)
              at PluginClassLoader for reverse-proxy-auth-plugin//org.acegisecurity.ldap.DefaultInitialDirContextFactory.<init>(DefaultInitialDirContextFactory.java:124)
              at PluginClassLoader for reverse-proxy-auth-plugin//org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm.createSecurityComponents(ReverseProxySecurityRealm.java:623)
              at hudson.security.SecurityRealm.getSecurityComponents(SecurityRealm.java:604)
              at hudson.security.HudsonFilter.reset(HudsonFilter.java:139)
              at jenkins.model.Jenkins.resetFilter(Jenkins.java:2820)
              at jenkins.model.Jenkins.load(Jenkins.java:3432)
              at jenkins.model.Jenkins$12.run(Jenkins.java:3528)
              at org.jvnet.hudson.reactor.TaskGraphBuilder$TaskImpl.run(TaskGraphBuilder.java:177)
              at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:305)
              at jenkins.model.Jenkins$5.runTask(Jenkins.java:1195)
              at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:221)
              at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:120)
              at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
              at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
              at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
              at java.base/java.lang.Thread.run(Thread.java:1583)

          [JENKINS-74800] Reverse Proxy Auth Plugin 1.7.7 fails with 2.479.1

          Mark Waite added a comment - - edited

          I think that the stack trace indicates that the plugin has not migrated from acegi security to Spring Security.  Jenkins core changed from acegi security to Spring Security in November 2020 as announced in a blog post, in JEP-227, and in the Jenkins 2.277.1 changelog and upgrade guide.

          The acegi security version that is included in the reverse proxy auth plugin includes a reference to a Spring Framework method that is not available in Spring Framework 6. I think that one path forward is to complete the migration from acegi security to Spring Security in the plugin source code.

          I have submitted a pull request that modernizes the plugin to require Jenkins 2.452.4 or newer in hopes that will help others as they migrate from acegi security to Spring Security.

          Mark Waite added a comment - - edited I think that the stack trace indicates that the plugin has not migrated from acegi security to Spring Security.  Jenkins core changed from acegi security to Spring Security in November 2020 as announced in a blog post , in JEP-227 , and in the Jenkins 2.277.1 changelog and upgrade guide . The acegi security version that is included in the reverse proxy auth plugin includes a reference to a Spring Framework method that is not available in Spring Framework 6. I think that one path forward is to complete the migration from acegi security to Spring Security in the plugin source code. I have submitted a pull request that modernizes the plugin to require Jenkins 2.452.4 or newer in hopes that will help others as they migrate from acegi security to Spring Security.

          Robert Smith added a comment - - edited

          Thanks, that was my assumption too.

          BTW, your PR does not remove acegi security from dependencies, is this expected ? Once this is merged, is there any more work to do to make the plugin work with the newer jenkins version ?

          Thanks!

          Robert Smith added a comment - - edited Thanks, that was my assumption too. BTW, your PR does not remove acegi security from dependencies, is this expected ? Once this is merged, is there any more work to do to make the plugin work with the newer jenkins version ? Thanks!

          Mark Waite added a comment -

          BTW, your PR does not remove acegi security from dependencies, is this expected ?

          It is expected but not desired. My pull request is the first (easy) step that I hoped would help someone else make the more difficult step of migrating the plugin from acecgi security to Spring Security. I don't have any experience with reverse proxy authorization or with the acegi to Spring Security migration, so I did the thing that is most familiar to me first.

          Once this is merged, is there any more work to do to make the plugin work with the newer jenkins version ?

          Yes, I believe there is much more work required before the plugin will work with Jenkins 2.479.1 and newer.

          Mark Waite added a comment - BTW, your PR does not remove acegi security from dependencies, is this expected ? It is expected but not desired. My pull request is the first (easy) step that I hoped would help someone else make the more difficult step of migrating the plugin from acecgi security to Spring Security. I don't have any experience with reverse proxy authorization or with the acegi to Spring Security migration, so I did the thing that is most familiar to me first. Once this is merged, is there any more work to do to make the plugin work with the newer jenkins version ? Yes, I believe there is much more work required before the plugin will work with Jenkins 2.479.1 and newer.

          Mark Waite added a comment - - edited

          If you have a disposable Jenkins controller where you can test something interactively, you could try the incremental build result from a draft pull request that does a very poor, partial update to require Jenkins 2.479.1. That pull request is probably useless because the plugin really does need to migrate from acegi security to Spring Security, but if you have the capacity to try it, that might help the maintainers when they have capacity to work on the issue.

          https://github.com/jenkinsci/reverse-proxy-auth-plugin/pull/140/checks?check_run_id=32386950716 is the GitHub checks page for the most recent build of that very poor, partial update.

          Mark Waite added a comment - - edited If you have a disposable Jenkins controller where you can test something interactively, you could try the incremental build result from a draft pull request that does a very poor, partial update to require Jenkins 2.479.1. That pull request is probably useless because the plugin really does need to migrate from acegi security to Spring Security, but if you have the capacity to try it, that might help the maintainers when they have capacity to work on the issue. https://github.com/jenkinsci/reverse-proxy-auth-plugin/pull/140/checks?check_run_id=32386950716 is the GitHub checks page for the most recent build of that very poor, partial update.

          Robert Smith added a comment - - edited

          thanks again, I have tested an a fresh 2.479.1 with build 1.8.0-rc228.c28cb_7c13148 of the plugin from your PR but no luck unfortunately. The stacktrace is still the same.

          Robert Smith added a comment - - edited thanks again, I have tested an a fresh 2.479.1 with build 1.8.0-rc228.c28cb_7c13148 of the plugin from your PR but no luck unfortunately. The stacktrace is still the same.

          Ignacio added a comment -

          Hi, We can only log-in using LDAP and we updated today to 2.479.1 and the same problem arises. I reported this JENKINS-74802 a few minutes ago.

          Ignacio added a comment - Hi, We can only log-in using LDAP and we updated today to 2.479.1 and the same problem arises. I reported this JENKINS-74802 a few minutes ago.

          Robert Smith added a comment -

          ihr That's not the same problem. I guess you should follow the release notes regarding the LDAP plugin that needs to be manually updated

           

          https://www.jenkins.io/doc/upgrade-guide/2.479/

          Robert Smith added a comment - ihr That's not the same problem. I guess you should follow the release notes regarding the LDAP plugin that needs to be manually updated   https://www.jenkins.io/doc/upgrade-guide/2.479/

          Mark Waite added a comment -

          mamamia the reverse proxy auth plugin needs a new maintainer. The comment from 2020 notes that it needs to be adopted. Recent releases have been from someone that is helping as time allows but is not an active user / maintainer. Are you interested in adopting the plugin?

          Mark Waite added a comment - mamamia the reverse proxy auth plugin needs a new maintainer. The comment from 2020 notes that it needs to be adopted. Recent releases have been from someone that is helping as time allows but is not an active user / maintainer. Are you interested in adopting the plugin?

          Robert Smith added a comment -

          markewaite I can give a shot to this Spring 6 migration next days.

          Any useful resource on this migration or an example of a plugin that has performed the migration recently ?

          Robert Smith added a comment - markewaite I can give a shot to this Spring 6 migration next days. Any useful resource on this migration or an example of a plugin that has performed the migration recently ?

          Mark Waite added a comment -

          Some resources that might help include:

          Mark Waite added a comment - Some resources that might help include: Brief Google groups thread discussing reverse proxy auth plugin migration from acegi to Spring Security JEP 227 - Replace Acegi Security with Spring Security & upgrade Spring Framework

          Basil Crow added a comment -

          I took a stab at this in https://github.com/jenkinsci/reverse-proxy-auth-plugin/pull/147 but with only light testing. I haven't tested the header groups feature, so I would appreciate if someone could test that.

          Basil Crow added a comment - I took a stab at this in https://github.com/jenkinsci/reverse-proxy-auth-plugin/pull/147 but with only light testing. I haven't tested the header groups feature, so I would appreciate if someone could test that.

          Basil Crow added a comment -

          Basil Crow added a comment - Fixed in jenkinsci/reverse-proxy-auth-plugin#147 .

          Basil Crow added a comment - - edited

          Basil Crow added a comment - - edited Fixed in jenkinsci/reverse-proxy-auth-plugin#147 . Released in 1.8.0 .

          Robert Smith added a comment - - edited

          thanks!

          Do you think I should force the plugin upgrade before upgrading, in order to not being stuck once Jenkins restart ?

          Or is there a way to upgrade the plugin in a sort of "headless" mode before the restart of the new version ? 

           

          EDIT : I see that the documentation has been upgraded, awesome !

           
          To upgrade the Reverse Proxy Auth plugin, follow these steps:

          1. Stop the Jenkins service with systemctl stop jenkins on Linux or similar commands on other operating systems.
          1. Download the Reverse Proxy Auth plugin from the Jenkins update center.
          1. Move reverse-proxy-auth-plugin.hpi into $JENKINS_HOME/plugins/reverse-proxy-auth-plugin.jpi and set the correct ownership and permissions.
          1. Start the Jenkins service with systemctl start jenkins or similar commands on other operating systems.

           

          Robert Smith added a comment - - edited thanks! Do you think I should force the plugin upgrade before upgrading, in order to not being stuck once Jenkins restart ? Or is there a way to upgrade the plugin in a sort of "headless" mode before the restart of the new version ?    EDIT : I see that the documentation has been upgraded, awesome !   To upgrade the Reverse Proxy Auth plugin, follow these steps: Stop the Jenkins service with  systemctl stop jenkins  on Linux or similar commands on other operating systems. Download the Reverse Proxy Auth plugin from the  Jenkins update center . Move reverse-proxy-auth-plugin.hpi into $JENKINS_HOME/plugins/reverse-proxy-auth-plugin.jpi and set the correct ownership and permissions. Start the Jenkins service with  systemctl start jenkins  or similar commands on other operating systems.  

            basil Basil Crow
            mamamia Robert Smith
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: