Jetty 403 for GET based requests


Jetty 403 for GET based requests

greenwayb

I have configured Hudson (1.8.4) to run inside Jetty 6.1.1 and can log in to access the relevant extended functionality.

However, any pages that result in a GET request result in a 403. This could be performing functions such as deleting a job or viewing the configuration of a job.

I.e. looking at a job's configuration I can get something like this:


Source Code Management
 None
 CVS
  CVSROOT
   CVSROOT is mandatory
   Loading...
  Module(s)
   Loading...
  Branch
   Loading...
  CVS_RSH
   Loading...
  Use update
   Loading...
  Legacy mode (run CVS in a way compatible with older versions of Hudson <1.21)
   Loading...
 Subversion
  Modules
   HTTP ERROR: 403
   FORBIDDEN
   RequestURI=/hudson/scm/SubversionSCM/authenticationCheck
   Powered by Jetty://


I have tried modifying the web.xml to add and/or remove the <http-method>get</http-method> in the <security-constraint>, but it doesn't seem to make any difference.

Any ideas?

Thanks

Ben


RE: Jetty 403 for GET based requests

greenwayb

Jetty disables GETs by default; have been able to resolve it other than using this block, which now forces total login before it's usable. I.e. have to enter a username (admin role), which now means I don’t have a “public” view, but at least I can now post requests and reconfigure it!

 

  <security-constraint>
    <web-resource-collection>
      <!-- <web-resource-name>hudson</web-resource-name> -->
      <url-pattern>/loginEntry</url-pattern>
      <url-pattern>/</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

 

 

 


From: Ben Greenway [mailto:[hidden email]]
Sent: 09 March 2007 09:45
To: [hidden email]
Subject: Jetty 403 for GET based requests

 


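Added example, not part of the original thread and not Hudson or Jetty code: a small Python audit of the <security-constraint> block posted in the message above. It reports which HTTP methods fall outside the constraint once <http-method> elements are listed, and flags a lowercase method token such as the <http-method>get</http-method> tried in the first message. The names audit, WEB_XML and COMMON_METHODS are made up for this example, and the sample document is constructed from the posted block.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the posted <security-constraint>, wrapped in a <web-app> root.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <!-- <web-resource-name>hudson</web-resource-name> -->
      <url-pattern>/loginEntry</url-pattern>
      <url-pattern>/</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Methods checked for coverage (a fixed list chosen for this example).
COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

def _local(tag):
    """Drop a leading {namespace} so namespaced descriptors are handled too."""
    return tag.rsplit("}", 1)[-1]

def _texts(node, name):
    """Text of every descendant element called `name`, namespace ignored."""
    return [(e.text or "").strip() for e in node.iter() if _local(e.tag) == name]

def audit(web_xml):
    """Return one finding dict per <security-constraint> in a web.xml string."""
    findings = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        methods = _texts(sc, "http-method")
        findings.append({
            "url_patterns": _texts(sc, "url-pattern"),
            "roles": _texts(sc, "role-name"),
            # Once any <http-method> is listed, only the listed methods are
            # constrained; listing none would have covered every method.
            "uncovered_methods": sorted(COMMON_METHODS - set(methods)) if methods else [],
            # HTTP method tokens are case-sensitive, so "get" is flagged.
            "non_uppercase_methods": [m for m in methods if m != m.upper()],
            # The deployment descriptor schema requires <web-resource-name>.
            "missing_resource_name": not _texts(sc, "web-resource-name"),
        })
    return findings
```

For the posted block this reports PUT, DELETE, OPTIONS and TRACE as uncovered by the admin constraint, and notes that the required <web-resource-name> is commented out.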

Re: Jetty 403 for GET based requests

Kohsuke Kawaguchi-2

I'm not quite following the problem you are having.

I take it that you enabled the security, and then after that you start
seeing a bunch of 403 unless you login? (Is that what you mean when you
say you don't have a public view? --- that is, guests get so many 403s
that the UI is useless?)

But it also sounded like you are not getting 403s for everything. The
configuration page itself seems to be loading (which is probably a bug
--- the config page should be protected), and it's just additional AJAX
calls done from the config page that's failing. And guests are not
supposed to see the config link anyway.

So of pages that guests are supposed to visit, what kind of 403s do you get?



--
Kohsuke Kawaguchi
Sun Microsystems                   [hidden email]


RE: Jetty 403 for GET based requests

greenwayb
Yes, I clicked enable security, which then means I had to modify the web.xml
and some Jetty settings to be able to log in.

I logged in OK and thought all was well.

However, any pages that attempted to collect information from elsewhere
resulted in partial 403s appearing.

It was also the case that attempting to delete a project had a similar error
once the confirm button was pressed.

The only thing I could do was to extend my security constraints, which
then meant that more items were blocked off, so that anyone hitting Hudson
would be forced to do a form login.  On the plus side, once you are then
logged in everything works correctly.

Thanks

Ben


-----Original Message-----
From: Kohsuke Kawaguchi [mailto:[hidden email]]
Sent: 09 March 2007 15:31
To: [hidden email]
Subject: Re: Jetty 403 for GET based requests

