JENKINS-27598

Jenkins shows AccessDeniedException2 if anonymous users are denied read access

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Incomplete
    • Component/s: core
    • Environment:
      Jenkins v. 1.606, RHEL Server v. 6.6, Java v. 1.7.0

      Description

      Upon attempting to set matrix-based security with Jenkins' own user database, where the two existing user accounts were given permission to do anything, the Authenticated group had overall read and job read, and anonymous users had no permissions, the following error occurred:

      hudson.security.AccessDeniedException2: anonymous is missing the Overall/Read permission
      at hudson.security.ACL.checkPermission(ACL.java:59)
      at hudson.model.Node.checkPermission(Node.java:435)
      at jenkins.model.Jenkins.getTarget(Jenkins.java:3824)
      at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:674)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
      at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
      at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
      at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:123)
      at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:114)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
      at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:168)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
      at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
      at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
      at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
      at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
      at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
      at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
      at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
      at org.eclipse.jetty.server.Server.handle(Server.java:370)
      at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
      at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949)
      at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011)
      at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
      at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
      at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
      at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
      at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
      at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1157)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:627)
      at java.lang.Thread.run(Thread.java:863)

      This seems to be the same issue as 19010, but the given fix is merely to give anonymous users read access. The fact that anonymous users must have read access seems to be a bug in and of itself.
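
An added example, not part of the original report or of Jenkins itself: a Python audit of a global config.xml that reports which identities keep Overall/Read under a matrix like the one described above, and whether a named administrator remains before the change is applied. The legacy `<permission id>:<sid>` entry format, the sample file, and the user names alice and bob are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the setup from the description, in the legacy
# "<permission id>:<sid>" form (format and user names are assumptions).
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:alice</permission>
    <permission>hudson.model.Hudson.Administer:bob</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
    <permission>hudson.model.Item.Read:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm"/>
</hudson>
"""

OVERALL_READ = "hudson.model.Hudson.Read"
ADMINISTER = "hudson.model.Hudson.Administer"
GROUP_SIDS = {"anonymous", "authenticated"}


def load_matrix(config_xml):
    """Return {sid: set(permission ids)} from a global config.xml string."""
    root = ET.fromstring(config_xml)
    grants = defaultdict(set)
    for node in root.findall("./authorizationStrategy/permission"):
        # Split on the last ':' so the sid is whatever follows the permission id.
        perm, _, sid = (node.text or "").strip().rpartition(":")
        if perm and sid:
            grants[sid].add(perm)
    return dict(grants)


def audit(config_xml):
    """Summarise who can reach the UI and whether a named admin remains."""
    grants = load_matrix(config_xml)
    # Administer implies Overall/Read, so either grant counts as read access.
    readers = {s for s, p in grants.items() if p & {OVERALL_READ, ADMINISTER}}
    admins = {s for s, p in grants.items() if ADMINISTER in p}
    return {
        "anonymous_can_read": "anonymous" in readers,
        "authenticated_can_read": "authenticated" in readers,
        "named_admins": sorted(admins - GROUP_SIDS),
        "lockout_risk": not (admins - GROUP_SIDS),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```
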

          Activity

          danielbeck Daniel Beck added a comment -

          Nothing crashed. It's an error message.

          Please explain in detail what you did, and what page you tried to access. Where is that message displayed?

          nchrien Natalie Chrien added a comment -

          The message appeared as soon as I applied the changes in the Configure Global Security page and persisted on every page I attempted to access, even after stopping and restarting the Jenkins daemon. I was only able to regain access to Jenkins by disabling security entirely and starting again. Maybe not technically a crash, but it was a similarly complete loss of functionality.

          danielbeck Daniel Beck added a comment -

          What is shown on the page at the URL /whoAmI?

          oleg_nenashev Oleg Nenashev added a comment -

          Closing as incomplete since there was no response.
          Feel free to reopen it.


            People

            • Assignee: Unassigned
            • Reporter: nchrien Natalie Chrien