controlbox2 / siren-of-shame

Automatically exported from code.google.com/p/siren-of-shame

Connection Error when Jenkins blocks anonymous user #31

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. block access to Jenkins for anonymous user
2.
3.

What is the expected output? What do you see instead?
SoS should be able to connect to a Jenkins with a valid account when anonymous 
access is forbidden, but it doesn't.
I am not able to use "Configure Server" and I do not see the status of 
configured jobs.

What version of the product are you using? On what operating system?
1.6.0 on WinXP and Win7

If appropriate please provide a stack trace (see
http://sirenofshame.blogspot.com/2012/01/how-to-report-errors.html)

2012-07-19 14:21:14,128 [CiWatcher] ERROR SirenOfShame.Lib.Watcher.WebClientXml 
[(null)] - Error connecting to server with the following url: 
http://192.168.9.201:8080/job/OpenNet Java Build and Tests Trunk/api/xml

<html><head><meta http-equiv='refresh' 
content='1;url=/login?from=%2Fjob%2FOpenNet%2520Java%2520Build%2520and%2520Tests
%2520Trunk%2Fapi%2Fxml'/><script>window.location.replace('/login?from=%2Fjob%2FO
penNet%2520Java%2520Build%2520and%2520Tests%2520Trunk%2Fapi%2Fxml');</script></h
ead><body style='background-color:white; color:white;'>Authentication 
required</body></html>                                                          

System.Net.WebException: The remote server returned an error: (403) Forbidden.
   at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
   at System.Net.WebClient.DownloadString(Uri address)
   at System.Net.WebClient.DownloadString(String address)
   at SirenOfShame.Lib.Watcher.WebClientXml.DownloadXml(String url, String userName, String password, String cookie)

Please provide any additional information below.
We use the "LDAP Plugin" and the "Role-based Authorization Strategy" plugin.
It was working up to now, but apparently as anonymous user and not with the 
provided credentials.
As soon as I re-enable the anonymous user, SoS is working again.
But that's no option because we have to secure our servers.

Original issue reported on code.google.com by BrainBug...@gmail.com on 19 Jul 2012 at 12:46

GoogleCodeExporter commented 9 years ago
I've been trying to reproduce, but not having much luck.  Could you please 
provide more details on how your Jenkins is configured.  I've added the "LDAP 
Plugin" but am unable to configure.  When I look for documentation it gives me 
a 404 for:

https://wiki.jenkins-ci.org/display/JENKINS/LDAP+Plugin

It looks like it has a dependency on the "Jenkins Active Directory plugin" so I 
installed that, but it isn't adding authentication, perhaps because my machine 
is not a member of a domain (I was hoping it would just use the local machine 
accounts).  The documentation isn't much help.

I haven't bothered with the "role based authorization" plugin since I can't get 
authentication working.

Perhaps the problem is SoS doesn't provide a domain.  Have you tried specifying 
one in the username (e.g. domain\user)?  That still wouldn't explain why 
previous versions worked.

Not sure how to proceed.

Original comment by lpric...@gmail.com on 28 Jul 2012 at 1:29

GoogleCodeExporter commented 9 years ago
You have to use an AD to be able to authenticate via the AD plugin. 
The "role strategy plugin" is probably not the problem (it only extends the 
functionality to authorize globally and/or on a project basis).

I tried to add "domain\" in the configuration, but there was no change. (Also on 
manual connects to Jenkins with my browser there is no domain necessary.)

As far as I can say it's not a new bug. 
Up to now I allowed read access for anonymous users and used AD and role-based 
strategy configuration for further rights without any problem.
The problem comes up when you completely block anonymous access. 
When you do so, any calls of Jenkins URLs are redirected to the login page - 
maybe that's the problem?
As soon as I re-enable read access on job level for the anonymous user, SoS is 
working again!

To eliminate the redirect as a possible reason, I tried to reactivate global 
read access for the user "anonymous" while still blocking read access on 
job level (you see the Jenkins main page but you have to authenticate to see 
the jobs - otherwise you get a 404 error on a direct URL call to a job).
Results: there is no redirect any more, but the problem in SoS is still there. 
Job surveillance is not working any more; clicking on "configure Server(s)" - 
"Edit" brings up an empty job list.
When I call <jenkins-url>/api/xml in my browser as anonymous user I get a valid 
response, but there is no job information in the response - only global server 
info.
When I call <jenkins-url>/job/<jobname>/api/xml as anonymous user in my browser 
I get a 404 error as described above.
=> Is it possible that you try to read the job list (on "configure Server(s)") 
or the job status of watched jobs without authentication?

Next steps: I will try to reproduce the problem without LDAP and role-based strategy 
but with deactivated read access for the anonymous user. I will report my results.

Original comment by BrainBug...@gmail.com on 30 Jul 2012 at 9:23

GoogleCodeExporter commented 9 years ago
New test (as promised): I downloaded the latest Jenkins binary (Windows), started it 
locally and created a test job.
When I configure SoS to the local server, I am able to connect to the server, 
add the test job to surveillance and see the status of the job in SoS.

After that I opened the Jenkins configuration, clicked on "Enable security", 
configured it basically with the built-in features "Jenkins's own user 
database", "allow users to sign up" and "matrix-based security" (no AD plugins 
or anything else), added a user with all rights, disabled read access for 
Anonymous and clicked on save. (screenshot attached)
Now you are redirected to the login page. Create a new account with the username 
which you added before on the config page. => You are logged in.

Result: 
* you can only connect to Jenkins after authentication (redirect to login page)
* your SoS is disconnected: "Build server unavailable, attempting to reconnect"
* even when you add a valid username/password to your server config you cannot 
manage the server any more
* as soon as you add "Overall Read" and "Job Read" access for the Anonymous user, 
SoS starts working again

=> There must be a bug in how the credentials are stored or passed through the 
Jenkins login.

Are you able to reproduce?

Original comment by BrainBug...@gmail.com on 30 Jul 2012 at 4:03
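The trace in the report (403 Forbidden plus an HTML meta-refresh to /login, rather than a 401 challenge) and the repro above describe a client that never gets its credentials to Jenkins. The following is an added illustration, not SirenOfShame's own code or its actual fix: a minimal replacement for a `DownloadXml`-style helper that sends HTTP Basic credentials on the first request and refuses to parse the login-redirect page as XML. Class and method names are hypothetical.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text;
using System.Xml;

// Added example, not SirenOfShame code. Fetches a Jenkins /api/xml resource,
// sending HTTP Basic credentials preemptively and refusing to treat the
// "Authentication required" login-redirect page as data.
public static class JenkinsXmlClient
{
    public static XmlDocument DownloadXml(string url, string userName, string password)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.AllowAutoRedirect = false; // a 302 to /login means "not authenticated", not data

        if (!string.IsNullOrEmpty(userName))
        {
            // Jenkins answers an unauthenticated request for a protected URL with
            // 403 and an HTML redirect to /login, not with a 401 challenge, so a
            // challenge-response client (e.g. WebClient.Credentials) never sends
            // anything. Put the Authorization header on the first request instead.
            string token = Convert.ToBase64String(Encoding.UTF8.GetBytes(userName + ":" + password));
            request.Headers[HttpRequestHeader.Authorization] = "Basic " + token;
        }

        string body;
        using (var response = (HttpWebResponse)request.GetResponse()) // throws WebException on 403/404
        {
            if ((int)response.StatusCode >= 300)
                throw new WebException("Jenkins redirected to " + response.Headers["Location"]
                                       + "; credentials missing or rejected");
            using (var reader = new StreamReader(response.GetResponseStream()))
                body = reader.ReadToEnd();
        }

        // Defensive check: if the body is the login-redirect page from the trace
        // rather than XML, report that instead of an opaque XML parse error.
        if (body.Contains("/login?from="))
            throw new WebException("Jenkins returned its login page instead of XML; credentials missing or rejected");

        var doc = new XmlDocument();
        doc.LoadXml(body);
        return doc;
    }

    // Sanity check for "Configure Server": anonymous read on /api/xml yields valid
    // XML with no <job> children (as observed above), a symptom that credentials
    // never arrived. Root element is <hudson> for the server API; /*/job avoids hard-coding it.
    public static int CountJobs(XmlDocument serverApiXml)
    {
        return serverApiXml.SelectNodes("/*/job").Count;
    }
}
```

A caller polling `<jenkins-url>/api/xml` with credentials set that still sees `CountJobs` return 0 should treat that as an authentication problem, not an empty server.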


GoogleCodeExporter commented 9 years ago
Awesome details Mr. BrainBug0815!  I think I know exactly what needs to be 
done.  Thank you so much for the time you spent researching.  I'll try to repro 
and get back to you.

Original comment by lpric...@gmail.com on 30 Jul 2012 at 4:32

GoogleCodeExporter commented 9 years ago
This issue was closed by revision af194711c4e0.

Original comment by lpric...@gmail.com on 17 Aug 2012 at 1:51

GoogleCodeExporter commented 9 years ago
Hey Hannes, 

Thanks to your detailed repro steps I was able to reproduce and fix the 
authentication bug.  I'll get this pushed out as a 1.6.3 release shortly.  
Sorry for the delay incidentally, I was on vacation.

Original comment by lpric...@gmail.com on 17 Aug 2012 at 1:55

GoogleCodeExporter commented 9 years ago
Ok, the fix is in 1.6.4.  Please let me know how it works: 
http://code.google.com/p/siren-of-shame/downloads/detail?name=SirenOfShame-1.6-4.msi

Original comment by lpric...@gmail.com on 24 Aug 2012 at 6:49

GoogleCodeExporter commented 9 years ago
Sorry for the late answer. I was also on vacation and had a lot to work off 
afterwards.

Yes, the bug is fixed. Thanks a lot!

Original comment by BrainBug...@gmail.com on 14 Sep 2012 at 9:20

GoogleCodeExporter commented 9 years ago
Yayy!! :)

Original comment by lpric...@gmail.com on 14 Sep 2012 at 2:05