Jenkins / JENKINS-15437

ERR_CONTENT_DECODING_FAILED on Custom Views with Project-based Matrix Authorization

      Description

      I have Jenkins set up with Project-based Matrix Authorization Strategy and have several custom build views.

      If a user attempts to switch to a view that has 1 or more projects that they do not have access to, Chrome brings up an error page with Error 330 (net::ERR_CONTENT_DECODING_FAILED): Unknown Error. Firefox brings up an error page saying "Content Encoding Error".

      Expected behavior would be to show no error and only show projects that the user has access to.

          Activity

          jacob_robertson Jacob Robertson added a comment -

          I cannot reproduce this. Can you give me some more exact steps? Also, are you using the view-job-filters plugin?

          glimberg Grant Limberg added a comment -

          My mistake. I think I miscategorized the component for this case. The issue I'm dealing with is in the normal dashboard views. I'm not using the view-job-filters plugin.

          glimberg Grant Limberg added a comment -

          Just to add a bit more detail to the issue I'm running up against.

          I'm using Project-based Matrix Authorization Strategy with the Unix user/group database security realm. I have 3 groups of users. The access configuration can be seen here: http://i.imgur.com/YiIMr.png

          The jenkins-user group is given access to jobs on a job-by-job basis. An example job matrix auth strategy for a project the 'jenkins-user' group has access to can be seen here: http://i.imgur.com/UW1ZK.png.

          Now, if I add a view (any view but the All view) to Jenkins that contains a single project that doesn't have the "Job Read" access level checked for a member of the jenkins-user group, the jenkins-user group member gets the error as described above. If all jobs in a view have the "Job Read" access level checked for the jenkins-user group, then all is fine and the view loads as expected.

          glimberg Grant Limberg added a comment - - edited

          Here's the list of plugins I'm currently running as well.

          name version enabled pinned
          external-monitor-job 1.1 true true
          ldap 1.1 true false
          pam-auth 1.0 true false
          ant 1.1 true false
          javadoc 1.0 true false
          cvs 2.6 true true
          next-build-number 1.0 false false
          scp 1.8 false false
          jython 1.9 true false
          bugzilla 1.5 false false
          setenv 1.1 true false
          cmakebuilder 1.9 false false
          ftppublisher 1.2 true false
          locks-and-latches 0.6 false false
          python 1.2 true false
          chucknorris 0.4 true false
          subversion 1.43 true true
          parameterized-trigger 2.16 true false
          token-macro 1.5.1 true false
          maven-plugin 1.486 true true
          copyartifact 1.24 true false
          jira 1.35 false false
          perforce 1.3.17 true false
          analysis-core 1.48 true false
          s3 0.3.0-SNAPSHOT (private-04/19/2012 22:11-grant) true false
          email-ext 2.24.1 true false
          view-job-filters 1.22 true false
          publish-over-ssh 1.8 false false
          translation 1.9 true true
          shelve-project-plugin 1.3 false false
          virtualbox 0.6 true false
          cppcheck 1.10 true false
          warnings 4.18 true false
          jenkins-multijob-plugin 1.5 true false
          redmine 0.10 true false
          ssh-slaves 0.21 true true
          xcode-plugin 1.3.1 true false
          envinject 1.72 true false
          promoted-builds 2.7 true false
          scm-sync-configuration 0.0.6 false false
          greenballs 1.12 true false
          timestamper 1.3.2 true false
          clang-scanbuild-plugin 1.3.1 true false
          ci-game 1.19 true false
          jraja joni r added a comment -

          I came across the same issue while setting up the Project-based Matrix Authorization Strategy scheme. As a workaround I set job-read permission to all authenticated users at Jenkins level.

          kohsuke Kohsuke Kawaguchi added a comment -

          Using wireshark, I see that the problem is because it's sending two sets of headers.

          GET /job/f/groups/newGroup HTTP/1.1
          Host: localhost:8080
          Connection: keep-alive
          Cache-Control: max-age=0
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
          User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.97 Safari/537.22
          Accept-Encoding: gzip,deflate,sdch
          Accept-Language: en-US,en;q=0.8,ja;q=0.6
          Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
          Cookie: screenResolution=2560x1600; JSESSIONID.23b85107=8ea7deb23efb25dda41e3d0e12af2421; screenResolution=2560x1600; JSESSIONID.f93f7440=b6bc70d2d3f01b2ce13240ea6cd4da2f
          
          HTTP/1.1 403 Forbidden
          Server: Winstone Servlet Engine v0.9.10
          Content-Encoding: gzip
          Expires: 0
          Cache-Control: no-cache,must-revalidate
          X-Hudson-Theme: default
          Content-Type: text/html;charset=UTF-8
          X-Hudson: 1.395
          X-Jenkins: 1.509.1.1-SNAPSHOT (Jenkins Enterprise by CloudBees 12.11)
          X-Jenkins-Session: a186bd6f
          X-Hudson-CLI-Port: 57208
          X-Jenkins-CLI-Port: 57208
          X-Jenkins-CLI2-Port: 57208
          X-SSH-Endpoint: localhost:55570
          X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnax9jJCeLEPg+yo3IgtSWGaaIxNFgBySsS96Rs91ra2HPjqNBODcgMSLhc0iJEV48XSJvi4XbFw8rZifMYih+5TgqBxYbcaWBMyrGcj3bYve3CaJKnmKOa9OYTQbaP6smL04ao7VlH6HjKrX9yqSKzfUfEmB5tJLTZyg/iqRgOizubNTyR9vFmtiGSivTeramK4AmIZB4zZ4DaylR6vY6FOjf9XIg/s2hpvxat/Jr2IuB+7fvUILP5E/t/Lwqs/MhFml33vUuAIqSk9B+QyJ4mGT14TRry1vMQvsn2RaYBB4m8DVbWpIccQLzBlaTw+1l3knh/VvGBguoCjx4KFGgwIDAQAB
          Content-Encoding: gzip
          Expires: 0
          Cache-Control: no-cache,must-revalidate
          X-Hudson-Theme: default
          X-Hudson: 1.395
          X-Jenkins: 1.509.1.1-SNAPSHOT (Jenkins Enterprise by CloudBees 12.11)
          X-Jenkins-Session: a186bd6f
          X-Hudson-CLI-Port: 57208
          X-Jenkins-CLI-Port: 57208
          X-Jenkins-CLI2-Port: 57208
          X-SSH-Endpoint: localhost:55570
          X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnax9jJCeLEPg+yo3IgtSWGaaIxNFgBySsS96Rs91ra2HPjqNBODcgMSLhc0iJEV48XSJvi4XbFw8rZifMYih+5TgqBxYbcaWBMyrGcj3bYve3CaJKnmKOa9OYTQbaP6smL04ao7VlH6HjKrX9yqSKzfUfEmB5tJLTZyg/iqRgOizubNTyR9vFmtiGSivTeramK4AmIZB4zZ4DaylR6vY6FOjf9XIg/s2hpvxat/Jr2IuB+7fvUILP5E/t/Lwqs/MhFml33vUuAIqSk9B+QyJ4mGT14TRry1vMQvsn2RaYBB4m8DVbWpIccQLzBlaTw+1l3knh/VvGBguoCjx4KFGgwIDAQAB
          Content-Length: 2203
          Connection: Keep-Alive
          Date: Fri, 21 Jun 2013 21:12:10 GMT
          X-Powered-By: Servlet/2.5 (Winstone/0.9.10)
          
          .... gzip encoded content follows ....
          

          The gzipped content itself appears OK, as I was able to gunzip it just fine. I think it is the fact that there are two Content-Encoding headers that's breaking the browser.
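
The check described in the comment above, done mechanically (an added example, not part of the original thread or of the Jenkins code base): it lists header names that repeat and decodes the body under HTTP's rule that repeated fields with the same name combine into one ordered list, so two "Content-Encoding: gzip" fields declare a body that was gzipped twice. The sample response and all function names are constructed for illustration.

```python
import gzip
import zlib

def parse_head(raw: bytes):
    """Split a raw HTTP response into (status_line, [(name, value), ...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    fields = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    return lines[0], fields, body

def duplicated_fields(fields):
    """Return {name: count} for every header name that appears more than once."""
    counts = {}
    for name, _ in fields:
        counts[name] = counts.get(name, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}

def coding_chain(fields):
    """Repeated Content-Encoding fields combine into one ordered list of codings."""
    chain = []
    for name, value in fields:
        if name == "content-encoding":
            chain += [c.strip().lower() for c in value.split(",") if c.strip()]
    return chain

def decode_body(fields, body):
    """Undo the declared codings in reverse order; return None if that fails."""
    try:
        for coding in reversed(coding_chain(fields)):
            if coding != "gzip":
                return None  # this sketch only understands gzip
            body = gzip.decompress(body)
        return body
    except (OSError, EOFError, zlib.error):
        return None

# Constructed sample modelled on the capture above: the body is gzipped once,
# while the error handler emits the same header block a second time.
PAGE = b"<html><body>Access Denied</body></html>"
BLOCK = "Content-Encoding: gzip\r\nExpires: 0\r\nX-Hudson: 1.395\r\n"

def build(blocks: int) -> bytes:
    head = "HTTP/1.1 403 Forbidden\r\n" + BLOCK * blocks + "Connection: Keep-Alive\r\n"
    return head.encode() + b"\r\n" + gzip.compress(PAGE)

BROKEN, FIXED = build(2), build(1)
```

Running duplicated_fields over responses to denied requests in a regression test catches this class of bug before a browser does.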

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          changelog.html
          core/pom.xml
          core/src/main/java/hudson/security/AccessDeniedHandlerImpl.java
          core/src/main/resources/lib/layout/layout.jelly
          http://jenkins-ci.org/commit/jenkins/d3575548bbd39acdbc0f73533f9078d59828b428
          Log:
          [FIXED JENKINS-15437]

          The exception handler ended up adding almost all the headers again,
          resulting in a lot of duplicate headers.

          Most critically, stapler was adding "Content-Encoding" header twice,
          breaking browsers.

          dogfood dogfood added a comment -

          Integrated in jenkins_main_trunk #2655
          [FIXED JENKINS-15437] (Revision d3575548bbd39acdbc0f73533f9078d59828b428)

          Result = SUCCESS
          kohsuke : d3575548bbd39acdbc0f73533f9078d59828b428
          Files :

          • changelog.html
          • core/src/main/java/hudson/security/AccessDeniedHandlerImpl.java
          • core/src/main/resources/lib/layout/layout.jelly
          • core/pom.xml
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          core/src/main/java/hudson/security/AccessDeniedHandlerImpl.java
          core/src/main/resources/lib/layout/layout.jelly
          http://jenkins-ci.org/commit/jenkins/af59db06f0eba2674fc8338d3ba18335541eae32
          Log:
          [FIXED JENKINS-15437]

          The exception handler ended up adding almost all the headers again,
          resulting in a lot of duplicate headers.

          Most critically, stapler was adding "Content-Encoding" header twice,
          breaking browsers.

          (cherry picked from commit d3575548bbd39acdbc0f73533f9078d59828b428)

          Conflicts:
          changelog.html
          core/pom.xml


            People

            • Assignee:
              kohsuke Kohsuke Kawaguchi
              Reporter:
              glimberg Grant Limberg