Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-18634

HudsonAuthenticationEntryPoint can break CLI support, because the port isn't exposed properly

    Details

    • Similar Issues:

      Description

      layout.jelly exposes a number of HTTP headers that the cli client uses:
      X-Hudson-CLI-Port
      X-Jenkins-CLI-Port
      X-Jenkins-CLI2-Port
      X-Jenkins-CLI-Host

      Because HudsonAuthenticationEntryPoint doesn't use that layout when it serves a 403, the necessary HTTP headers are missing. If the redirection is external (as is the case with the openid plugin), it breaks CLI support completely.

      I've implemented a potential fix here:
      https://github.com/jenkinsci/jenkins/pull/836

        Attachments

          Activity

          Hide
          lpetre Luke Petre added a comment -

          Updated pull request, from latest master:
          https://github.com/jenkinsci/jenkins/pull/850

          Show
          lpetre Luke Petre added a comment - Updated pull request, from latest master: https://github.com/jenkinsci/jenkins/pull/850
          Hide
          wilder_rodrigues Wilder Rodrigues added a comment -

          Hi guys,

          We have Jenkins Enterprise, running in 2 VMs and using Jenkins HA Monitor. We currently do a reverse proxy with Apache, and put the 2 Jenkins instances behind HTTPS.

          In addition, we are using today's patch for the CLI module (https://issues.jenkins-ci.org/browse/JENKINS-12629). So, the following works for me: java -jar jenkins-cli.jar -s https://jenkins.schubergphilis.com/ -noCertificateCheck --username wrodrigues --password-file passwd help

          However, after a certain amount of time, I get the following error:

          Exception in thread "main" java.io.IOException: No X-Jenkins-CLI2-Port among [null, Date, Vary, Content-Length, Via, Keep-Alive, Set-Cookie, Content-Type, Connection, Server, X-Powered-By]
          at hudson.cli.CLI.getCliTcpPort(CLI.java:287)
          at hudson.cli.CLI.<init>(CLI.java:134)
          at hudson.cli.CLIConnectionFactory.connect(CLIConnectionFactory.java:72)
          at hudson.cli.CLI._main(CLI.java:469)
          at hudson.cli.CLI.main(CLI.java:384)

          Jenkins is configured and exposing the JNLP port... I already added a rule onto the Firewall.

          I saw on Github that there was a possible fix here: https://github.com/jenkinsci/jenkins/pull/850

          It has been merged by Kohsuke. So... is it coming around soon?

          Thanks in advance!

          Show
          wilder_rodrigues Wilder Rodrigues added a comment - Hi guys, We have Jenkins Enterprise, running in 2 VMs and using Jenkins HA Monitor. We currently do a reverse proxy with Apache, and put the 2 Jenkins instances behind HTTPS. In addition, we are using today's patch for the CLI module ( https://issues.jenkins-ci.org/browse/JENKINS-12629 ). So, the following works for me: java -jar jenkins-cli.jar -s https://jenkins.schubergphilis.com/ -noCertificateCheck --username wrodrigues --password-file passwd help However, after a certain amount of time, I get the following error: Exception in thread "main" java.io.IOException: No X-Jenkins-CLI2-Port among [null, Date, Vary, Content-Length, Via, Keep-Alive, Set-Cookie, Content-Type, Connection, Server, X-Powered-By] at hudson.cli.CLI.getCliTcpPort(CLI.java:287) at hudson.cli.CLI.<init>(CLI.java:134) at hudson.cli.CLIConnectionFactory.connect(CLIConnectionFactory.java:72) at hudson.cli.CLI._main(CLI.java:469) at hudson.cli.CLI.main(CLI.java:384) Jenkins is configured and exposing the JNLP port... I already added a rule onto the Firewall. I saw on Github that there was a possible fix here: https://github.com/jenkinsci/jenkins/pull/850 It has been merged by Kohsuke. So... is it coming around soon? Thanks in advance!
          Show
          schristou Steven Christou added a comment - https://github.com/jenkinsci/jenkins/pull/850
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: christ66
          Path:
          changelog.html
          http://jenkins-ci.org/commit/jenkins/3751edff338ad21029ccf406830fd8cfe54cbe6c
          Log:
          JENKINS-18634 Noting in changelog.

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: christ66 Path: changelog.html http://jenkins-ci.org/commit/jenkins/3751edff338ad21029ccf406830fd8cfe54cbe6c Log: JENKINS-18634 Noting in changelog.
          Hide
          dogfood dogfood added a comment -

          Integrated in jenkins_main_trunk #2899
          JENKINS-18634 Noting in changelog. (Revision 3751edff338ad21029ccf406830fd8cfe54cbe6c)

          Result = UNSTABLE
          schristou88 : 3751edff338ad21029ccf406830fd8cfe54cbe6c
          Files :

          • changelog.html
          Show
          dogfood dogfood added a comment - Integrated in jenkins_main_trunk #2899 JENKINS-18634 Noting in changelog. (Revision 3751edff338ad21029ccf406830fd8cfe54cbe6c) Result = UNSTABLE schristou88 : 3751edff338ad21029ccf406830fd8cfe54cbe6c Files : changelog.html
          Hide
          danielbeck Daniel Beck added a comment -

          Wilder Rodriguez: I think you're experiencing a different issue (but I haven't tested this PR). AFAICT there's a lock in the CLI setup code that doesn't get unlocked when Jenkins runs behind reverse proxy. Check /threadDump, there should be a 'Handling GET /cli' thread that doesn't continue. It'll wait until killed from the Monitoring plugin, or due to a Jenkins restart.

          The headers you get listed are Apache's HTTP 502 error page ("Error reading from proxy server") headers because it timeouts.

          Show
          danielbeck Daniel Beck added a comment - Wilder Rodriguez: I think you're experiencing a different issue (but I haven't tested this PR). AFAICT there's a lock in the CLI setup code that doesn't get unlocked when Jenkins runs behind reverse proxy. Check /threadDump, there should be a 'Handling GET /cli' thread that doesn't continue. It'll wait until killed from the Monitoring plugin, or due to a Jenkins restart. The headers you get listed are Apache's HTTP 502 error page ("Error reading from proxy server") headers because it timeouts.

            People

            • Assignee:
              kohsuke Kohsuke Kawaguchi
              Reporter:
              lpetre Luke Petre
            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: