[Issue 1235] New - 403 Error for legitimate users on Tomcat

deryl
https://hudson.dev.java.net/issues/show_bug.cgi?id=1235
                 Issue #|1235
                 Summary|403 Error for legitimate users on Tomcat
               Component|hudson
                 Version|current
                Platform|All
              OS/Version|Linux
                     URL|
                  Status|NEW
       Status whiteboard|
                Keywords|
              Resolution|
              Issue type|DEFECT
                Priority|P1
            Subcomponent|security
             Assigned to|issues@hudson
             Reported by|deryl






------- Additional comments from [hidden email] Tue Jan 29 15:15:14 +0000 2008 -------
I am using the container managed security option with Hudson, and if a user does
not have the role of 'admin', they get a 403 error when logging in.  My
tomcat-user.xml file is as follows:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="build"/>
  <role rolename="admin"/>
  <user username="User2" password="xxxx" roles="build"/>
  <user username="User1" password="yyyy" roles="admin"/>
</tomcat-users>

Additionally, I added these two roles as groups in the Hudson configuration
screen, with different permissions for each group; the names of the groups in
Hudson match the names of the roles in the tomcat-users.xml file.

User1 can log in without any trouble, but when User2 logs in, they get a 403
error.  If they type in the main home page URL manually, they can get to the
screens they are allowed to see, and permissions seem to be working correctly.

My hudson config.xml file is as follows (note that I have obfuscated my secret
key to be extra careful):

<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <numExecutors>1</numExecutors>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Item.Build:build</permission>
    <permission>hudson.model.Item.Build:admin</permission>
    <permission>hudson.model.View.Create:admin</permission>
    <permission>hudson.model.View.Configure:admin</permission>
    <permission>hudson.model.Hudson.Read:build</permission>
    <permission>hudson.model.Hudson.Read:admin</permission>
    <permission>hudson.model.Item.Configure:admin</permission>
    <permission>hudson.model.View.Delete:admin</permission>
    <permission>hudson.model.Item.Create:admin</permission>
    <permission>hudson.model.Item.Delete:admin</permission>
    <permission>hudson.model.Run.Update:build</permission>
    <permission>hudson.model.Run.Update:admin</permission>
    <permission>hudson.model.Run.Delete:build</permission>
    <permission>hudson.model.Run.Delete:admin</permission>
    <permission>hudson.model.Hudson.Administer:admin</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.LegacySecurityRealm"/>
  <jdks>
    <jdk>
      <name>JDK 1.5</name>
      <javaHome>/usr/java/jdk1.5.0_11/</javaHome>
    </jdk>
  </jdks>
  <slaves/>
  <quietPeriod>5</quietPeriod>
  <views/>
  <slaveAgentPort>0</slaveAgentPort>
  <secretKey>blahblahblah</secretKey>
</hudson>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

[Issue 1235] 403 Error for legitimate users on Tomcat

kohsuke-djn
https://hudson.dev.java.net/issues/show_bug.cgi?id=1235



User kohsuke changed the following:

                What    |Old value                 |New value
================================================================================
                  Status|NEW                       |RESOLVED
--------------------------------------------------------------------------------
              Resolution|                          |FIXED
--------------------------------------------------------------------------------




------- Additional comments from [hidden email] Thu Jan 31 08:52:41 +0000 2008 -------
I believe this is already fixed in 1.166. See the changelog and
http://www.nabble.com/Matrix-authorization-problem-tt14602081.html

If you still see this problem, please reopen the issue.


[Issue 1235] 403 Error for legitimate users on Tomcat

deryl
In reply to this post by deryl
https://hudson.dev.java.net/issues/show_bug.cgi?id=1235



User deryl changed the following:

                What    |Old value                 |New value
================================================================================
                  Status|RESOLVED                  |REOPENED
--------------------------------------------------------------------------------
              Resolution|FIXED                     |
--------------------------------------------------------------------------------




------- Additional comments from [hidden email] Thu Jan 31 12:12:52 +0000 2008 -------
I am using 1.175 and it's still an issue -- it's been an issue ever since I
started trying to use the new security features.  Per several comments in the
thread, the only role that works for logging in is 'admin'.


[Issue 1235] 403 Error for legitimate users on Tomcat

lkishalmi-2
In reply to this post by deryl
https://hudson.dev.java.net/issues/show_bug.cgi?id=1235






------- Additional comments from [hidden email] Mon Jun 15 15:26:09 +0000 2009 -------
Well, that happens as the first login request happens in the container, which
respects the web.xml security entry which requires all hudson users to be in
"admin" role.

It would be much nicer if the web.xml of hudson would request for a "user",
"users" or "hudson" role. So the container authenticator realm shall be prepared
for it.


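Added example (not part of the thread and not Hudson's own code): a Python check of the behaviour described in the comment above, listing which tomcat-users.xml accounts the container authenticates and then rejects with 403 for a given web.xml role constraint. The web.xml fragments and the /login-placeholder path are constructed for illustration; the handling of the "*" role name follows the Servlet specification and goes beyond the single-role case discussed in the thread.

```python
import xml.etree.ElementTree as ET

# tomcat-users.xml as posted in the report (passwords already redacted there).
TOMCAT_USERS = """<tomcat-users>
  <role rolename="build"/>
  <role rolename="admin"/>
  <user username="User2" password="xxxx" roles="build"/>
  <user username="User1" password="yyyy" roles="admin"/>
</tomcat-users>"""

LOGIN_URL = "/login-placeholder"  # hypothetical path, not taken from Hudson

def web_xml(required, declared):
    """Build a constructed, namespace-free web.xml (not Hudson's real one)."""
    roles = "".join(f"<security-role><role-name>{r}</role-name></security-role>"
                    for r in declared)
    return (f"<web-app><security-constraint><web-resource-collection>"
            f"<url-pattern>{LOGIN_URL}</url-pattern></web-resource-collection>"
            f"<auth-constraint><role-name>{required}</role-name></auth-constraint>"
            f"</security-constraint>{roles}</web-app>")

def container_users(users_xml):
    """Map username -> set of container roles from tomcat-users.xml."""
    return {u.get("username"): {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
            for u in ET.fromstring(users_xml).iter("user")}

def login_roles(web_xml_text):
    """Map url-pattern -> roles the container accepts for it."""
    root = ET.fromstring(web_xml_text)
    declared = {e.text.strip() for e in root.findall("security-role/role-name")}
    accepted = {}
    for sc in root.findall("security-constraint"):
        ac = sc.find("auth-constraint")
        if ac is None:      # no auth-constraint: the container does not gate on roles
            continue
        names = {e.text.strip() for e in ac.findall("role-name")}
        if "*" in names:    # Servlet spec: "*" means every role declared in web.xml
            names = declared
        for p in sc.findall("web-resource-collection/url-pattern"):
            accepted[p.text.strip()] = names
    return accepted

def rejected_at_login(users_xml, web_xml_text, url=LOGIN_URL):
    """Users the container authenticates and then answers with 403."""
    allowed = login_roles(web_xml_text).get(url)
    if allowed is None:
        return []
    return sorted(name for name, roles in container_users(users_xml).items()
                  if not roles & allowed)

if __name__ == "__main__":
    for req, decl in [("admin", ["admin"]), ("*", ["admin"]), ("*", ["admin", "build"])]:
        print(req, decl, rejected_at_login(TOMCAT_USERS, web_xml(req, decl)))
```

With "*" in the constraint, a user is still rejected unless one of their container roles is also declared as a security-role in web.xml.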


[Issue 1235] 403 Error for legitimate users on Tomcat

scm_issue_link
In reply to this post by deryl
https://hudson.dev.java.net/issues/show_bug.cgi?id=1235



User scm_issue_link changed the following:

                What    |Old value                 |New value
================================================================================
                  Status|REOPENED                  |RESOLVED
--------------------------------------------------------------------------------
              Resolution|                          |FIXED
--------------------------------------------------------------------------------




------- Additional comments from [hidden email] Thu Jul  9 18:21:15 +0000 2009 -------
Code changed in hudson
User: kohsuke
Path:
 trunk/hudson/main/war/resources/WEB-INF/web.xml
 trunk/www/changelog.html
http://fisheye4.cenqua.com/changelog/hudson/?cs=19561
Log:
[FIXED HUDSON-1235] Added in 1.316.
While this is not a general fix, it should improve the pain.

