JENKINS-32909

Reverse proxy auth plugin v1.5 gives NullPointerException

    Details

      Description

      Updating the reverse proxy auth plugin to v1.5 on Jenkins v1.647 (latest) results in a NullPointerException for unregistered users only. Reverting to plugin v1.4.0 (the version I updated from) gives me access again, but this is annoying for new installations.

      Stack trace

      java.lang.NullPointerException
      at org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm$1.doFilter(ReverseProxySecurityRealm.java:435)
      at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
      at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
      at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
      at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
      at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
      at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
      at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
      at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
      at org.eclipse.jetty.server.Server.handle(Server.java:370)
      at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
      at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949)
      at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011)
      at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
      at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
      at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
      at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
      at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
      at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      at java.lang.Thread.run(Thread.java:745)

      Reverse proxy config

      auth_ldap_cache_enabled on;
      auth_ldap_cache_expiration_time 86400;
      auth_ldap_cache_size 1000;

      ldap_server ... {
          url "...";
          require valid_user;
          satisfy any;
      }

      server {
          listen 443;
          server_name ...;

          gzip on;

          ssl on;
          ssl_certificate ...;
          ssl_certificate_key ...;
          ssl_session_timeout 60m;
          ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
          ssl_ciphers ECDH+AESCCM256:DH+AESCCM256:ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:DH+AES256:DH+AES256:ECDH+3DES:DH+3DES:RSA+AES256:RSDES:!ADH:!AECDH:!MD5:!DSS:!RC4:!RC2:!DES;
          ssl_prefer_server_ciphers on;

          auth_ldap_servers ...;
          auth_ldap "Restricted";

          location /jenkins/ {
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $remote_addr;
              proxy_set_header X-Forwarded-User $remote_user;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header Host $host;
              proxy_pass http://127.0.0.1:8080/jenkins/;
          }
      }

            Activity

            asmundo Asmund Ostvold added a comment -

            I compiled and install fc7b58063c40430313bec42956a988dac173e8fa. And this fixed this issue for my Jenkins install.

            jgreen Jeremy Green added a comment - edited

            This issue is duplicated by JENKINS-33477. As it suggests, I was able to avoid this NPE (when using version 1.5 of plugin) by removing Authorization headers in my apache front end:

            RequestHeader unset Authorization
            

            That's a good thing to do anyway - jenkins has no need to see what are essentially clear-text passwords (basic auth only base64 encodes the password). (Since blocking this header is easy and a good thing to do, I've not checked whether apache is forwarding passwords - given the NPE and the use the word "bad" in JENKINS-33477's description, maybe it's not.)

            I'm not currently interested in API tokens, so haven't thought about them too much here. If you're using a reverse proxy, you'd probably just authenticate in the proxy anyway. They're only long basic auth passwords generated by jenkins, so external systems don't care where they are processed.

            The wiki pages that explain how to configure apache etc. should perhaps be updated to add removal of Authorization header:

            https://wiki.jenkins-ci.org/display/JENKINS/Reverse+Proxy+Auth+Plugin
            https://wiki.jenkins-ci.org/display/JENKINS/Running+Jenkins+behind+Apache

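The two configuration points raised on this issue, the nginx `proxy_set_header X-Forwarded-User $remote_user` block in the report and the `RequestHeader unset Authorization` directive suggested above, both come down to what crosses the proxy-to-Jenkins boundary. The following Python model is an added example, not code from the plugin or from anyone on this thread: it shows the header set a correctly configured proxy should forward (the proxy's own identity header set, client-supplied `Authorization` and `X-Forwarded-*` headers dropped), a backend-side lookup that treats a missing `X-Forwarded-User` as an anonymous request rather than an error, and a decoder that makes the comment's point that Basic auth is only base64, so the password is readable by anything it is forwarded to. The header names are the ones on the page; the sample request and the `ci.example.test` host are constructed.

```python
import base64
import binascii

# Header names as used in the nginx config in the report and the apache
# directive in the comments.
FORWARDED_USER = "X-Forwarded-User"


def proxy_upstream_headers(client_headers, authenticated_user):
    """Model of what a correctly configured reverse proxy passes to Jenkins.

    client_headers: headers as received from the browser (dict).
    authenticated_user: the user the proxy itself authenticated (nginx's
    $remote_user), or None when the proxy let the request through anonymously.
    """
    upstream = {}
    for name, value in client_headers.items():
        lname = name.lower()
        if lname == "authorization":
            # RequestHeader unset Authorization: the backend never sees the
            # Basic credentials that the proxy already validated.
            continue
        if lname.startswith("x-forwarded-"):
            # Identity headers come only from the proxy; anything the client
            # sent under these names is discarded, never merged.
            continue
        upstream[name] = value
    if authenticated_user:
        upstream[FORWARDED_USER] = authenticated_user
    return upstream


def resolve_forwarded_user(upstream_headers, header_name=FORWARDED_USER):
    """Backend-side lookup of the proxy-supplied user.

    Returns the username, or None when the header is absent or blank. A
    missing header is an ordinary anonymous request and must not raise.
    """
    wanted = header_name.lower()
    for name, value in upstream_headers.items():
        if name.lower() == wanted:
            value = value.strip()
            return value or None
    return None


def basic_auth_credentials(authorization_value):
    """Decode a 'Basic <base64>' value into (user, password).

    Returns None for anything that is not well-formed Basic auth. This is the
    reason the proxy should strip the header: the encoding is reversible.
    """
    scheme, _, token = authorization_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


# Constructed sample request: carries Basic credentials for the proxy and also
# tries to supply its own X-Forwarded-User, which the proxy must overwrite.
SAMPLE_CLIENT_HEADERS = {
    "Host": "ci.example.test",
    "Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode(),
    "X-Forwarded-User": "someone-else",
    "Accept": "text/html",
}


def demo():
    """Run the model over the constructed request and return the outcomes."""
    seen_by_proxy = basic_auth_credentials(SAMPLE_CLIENT_HEADERS["Authorization"])
    forwarded = proxy_upstream_headers(SAMPLE_CLIENT_HEADERS, "alice")
    backend_user = resolve_forwarded_user(forwarded)
    anonymous = resolve_forwarded_user(
        proxy_upstream_headers({"Host": "ci.example.test"}, None))
    return seen_by_proxy, forwarded, backend_user, anonymous


if __name__ == "__main__":
    creds, fwd, user, anon = demo()
    print("proxy decoded:", creds)
    print("forwarded to backend:", fwd)
    print("backend resolves:", user, "| anonymous request resolves:", anon)
```

For the nginx configuration in the report, the equivalent of the apache directive is `proxy_set_header Authorization "";` inside the `location /jenkins/` block, since nginx does not pass a header whose value is set to the empty string. `proxy_set_header X-Forwarded-User $remote_user` already replaces any client-supplied header of that name, which is the behaviour the drop-then-set logic above models.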
            jbq jbq added a comment -

            Installing the snapshot version by hand fixes the problem. It would be nice to have a new release.

            chancez Chance Zibolski added a comment -

            Jesus, this has been fixed for multiple months, can someone just release 1.5.1 already? This is a critical security plugin that really needs more love.

            oleg_nenashev Oleg Nenashev added a comment -

            It has been released in 1.6.0


              People

              • Assignee:
                wilder_rodrigues Wilder Rodrigues
                Reporter:
                marcv81 Marc Venturini
              • Votes:
                8
                Watchers:
                15