JENKINS-33477

NPE when bad Basic Auth header is supplied

      Description

      We're running Jenkins behind an instance of bitly's oauth2_proxy, to control access using Google accounts. We recently updated to a newer version, and as soon as security was enabled we got an NPE from the plugin:

      java.lang.NullPointerException
      at org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm$1.doFilter(ReverseProxySecurityRealm.java:435)
      at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      ...

      Looking at the code, it became clear that the proxy was sending a basic auth header, as well as the X-Forwarded ones, which caused the error after looking up a non-existent user.

      I'm reporting this as a bug because of the NPE, but I don't really know what the "correct" behaviour should be. Obviously, from my perspective, I'd prefer the duff header to be ignored, and the other headers used. But I can accept the viewpoint that if the header is sent, and invalid, it is treated as an unauthorised request.

      Please let me know if you need any more info.
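The failure mode described in the report (a proxy forwarding an `Authorization: Basic` header for a user the realm does not know, the user lookup returning null, and that null then being dereferenced inside the filter) is illustrated by the added example below. It is not code from the reverse-proxy-auth plugin or from oauth2_proxy; the class name `ProxyAuthResolver`, the `BadBasicPolicy` enum, the in-memory user store and the sample request headers are all constructed for illustration. It implements both resolutions the reporter mentions, ignoring the bad header and falling back to `X-Forwarded-User`, or rejecting the request, and every malformed-input path returns "unauthenticated" instead of throwing.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.TreeMap;

/** Hypothetical resolver for illustration; not the reverse-proxy-auth plugin's code. */
public class ProxyAuthResolver {

    /** What to do when an Authorization: Basic header is present but does not authenticate. */
    public enum BadBasicPolicy { IGNORE_AND_USE_FORWARDED, REJECT }

    private final Map<String, String> users;   // constructed store: username -> password
    private final BadBasicPolicy policy;

    public ProxyAuthResolver(Map<String, String> users, BadBasicPolicy policy) {
        this.users = users;
        this.policy = policy;
    }

    /**
     * Returns the authenticated principal, or Optional.empty() when the request must be
     * treated as unauthenticated. Never throws on malformed input.
     */
    public Optional<String> resolve(Map<String, String> headers) {
        String auth = headers.get("Authorization");
        if (auth != null) {
            Optional<String> basicUser = authenticateBasic(auth);
            if (basicUser.isPresent()) {
                return basicUser;
            }
            if (policy == BadBasicPolicy.REJECT) {
                return Optional.empty();      // credentials were presented and are bad
            }
            // IGNORE_AND_USE_FORWARDED: fall through to the proxy-supplied identity
        }
        // Trusting this header is only safe when the proxy is the sole path to the
        // service and overwrites any X-Forwarded-User the client sent; otherwise it is forgeable.
        String forwarded = headers.get("X-Forwarded-User");
        if (forwarded == null || forwarded.trim().isEmpty()) {
            return Optional.empty();
        }
        return Optional.of(forwarded.trim());
    }

    /** Parses and verifies an Authorization: Basic header; every failure path returns empty. */
    private Optional<String> authenticateBasic(String authHeader) {
        if (!authHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();          // some other scheme (Bearer, Digest, ...)
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(authHeader.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty();          // not valid base64
        }
        String credentials = new String(decoded, StandardCharsets.UTF_8);
        int colon = credentials.indexOf(':');
        if (colon < 0) {
            return Optional.empty();          // no "user:password" separator
        }
        String username = credentials.substring(0, colon);
        String password = credentials.substring(colon + 1);

        // Looking up a non-existent user yields null. Checking for it here is the
        // difference between a clean "unauthenticated" result and a NullPointerException.
        String stored = users.get(username);
        if (stored == null) {
            return Optional.empty();
        }
        boolean ok = MessageDigest.isEqual(
                stored.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
        return ok ? Optional.of(username) : Optional.empty();
    }

    public static void main(String[] args) {
        Map<String, String> users = new TreeMap<>();
        users.put("alice", "s3cret");

        // Constructed request headers: a proxy sending both a Basic header for an
        // unknown user and the X-Forwarded-* identity, as described in the report.
        Map<String, String> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        headers.put("Authorization", "Basic " + Base64.getEncoder().encodeToString(
                "nobody:whatever".getBytes(StandardCharsets.UTF_8)));
        headers.put("X-Forwarded-User", "graham@example.com");

        ProxyAuthResolver lenient = new ProxyAuthResolver(users, BadBasicPolicy.IGNORE_AND_USE_FORWARDED);
        ProxyAuthResolver strict = new ProxyAuthResolver(users, BadBasicPolicy.REJECT);
        System.out.println("ignore policy  -> " + lenient.resolve(headers));
        System.out.println("reject policy  -> " + strict.resolve(headers));

        headers.put("Authorization", "Basic !!!not-base64!!!");   // garbage header, same fallback path
        System.out.println("garbage header -> " + lenient.resolve(headers));
    }
}
```

Whichever policy is chosen, the security-relevant part is the same: a presented-but-bad credential must never be upgraded to "no credential presented" silently unless that is the configured intent, and the fallback header must only be honoured when the proxy is guaranteed to be the only thing that can set it.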

            Activity

            jgreen Jeremy Green added a comment -

            JENKINS-32909 has a merged, unreleased pull request that alters behaviour in this area.

            grahamrhay Graham Hay added a comment -

            Yep, that should fix it! Any idea what version that will ship in?

            jgreen Jeremy Green added a comment -

            I don't know - I'm only here since I have this bug too.

            grahamrhay Graham Hay added a comment -

            I patched our auth proxy to send the right headers. That change will remove the NPE, but I have no idea if it will actually solve my problem.

            oleg_nenashev Oleg Nenashev added a comment -

            Should be fixed in 1.6.0 by JENKINS-32909


              People

              Assignee: Unassigned
              Reporter: Graham Hay (grahamrhay)