JENKINS-36805

Response buffer overflow when logging in as user w/o Jenkins permissions set


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Minor
    • Component: _unsorted
    • Environment: RHEL7 64-bit, JDK 1.8.0_92, Jenkins 2.14, RPM installation, Chrome latest

      I have recently set up a new Jenkins instance with Active Directory for access control (Active Directory plugin 1.47 used). For testing authentication, I have added my AD user with Overall/Administer permission and left Anonymous without any permission - that is, there are only two entries in the project-based authorization matrix.

      With this configuration, I can log in just fine. Then I asked another AD user to log in, and what they get is an error 500 with the attached exception regarding response header overflow. I've attempted to increase the response header size by setting the jetty.httpConfig.responseHeaderSize system property to 32768 (4 x default 8K), but the user still gets error 500 with the same exception. I've not done any debugging, so I do not know what value is causing the buffer overflow.

      I then realized that there is effectively no permission set for the authenticated user, so I added the authenticated group w/ the Overall/Read permission. After that, the other users were able to log in correctly.

      Instead of a buffer overflow, I would think that Jenkins should assume no permission assigned to the authenticated user and thus return a 403 error denying permission. As such I believe that this is a bug that should be addressed. IMO this might not be an issue with the AD plugin but rather with general Jenkins security.
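The workaround described above (granting the `authenticated` group Overall/Read) can be checked and applied from the Script Console or an `init.groovy.d` script. The following is an added example and not part of the original report or of the Jenkins project; it assumes the project-based matrix authorization strategy and the Active Directory realm are already configured, as in the report.

```groovy
// Added example: audit the matrix authorization strategy for the
// misconfiguration in this report (authenticated users with no
// Overall/Read) and grant Overall/Read to 'authenticated' if missing.
import jenkins.model.Jenkins
import hudson.security.ProjectMatrixAuthorizationStrategy

def jenkins = Jenkins.getInstance()
def strategy = jenkins.getAuthorizationStrategy()

if (!(strategy instanceof ProjectMatrixAuthorizationStrategy)) {
    println "Not using project-based matrix authorization; nothing to check."
    return
}

// Jenkins' built-in group for every logged-in user.
final String AUTHENTICATED = "authenticated"

// Report every SID that appears in the matrix but holds no Overall/Read.
// Such entries are granted something project-specific without being able
// to reach the Jenkins root page at all.
strategy.getAllSIDs().each { sid ->
    if (!strategy.hasPermission(sid, Jenkins.READ)) {
        println "SID '${sid}' is listed in the matrix but lacks Overall/Read"
    }
}

// The case from the report: no row for 'authenticated' at all, so any
// AD user other than the administrator has no permissions whatsoever.
boolean authenticatedCanRead =
    strategy.hasExplicitPermission(AUTHENTICATED, Jenkins.READ)

if (authenticatedCanRead) {
    println "'authenticated' already has Overall/Read; no change made."
} else {
    println "'authenticated' has no Overall/Read; granting it."
    // Grants only Overall/Read: logged-in users can reach the UI but
    // gain no job or administrative permissions from this change.
    strategy.add(Jenkins.READ, AUTHENTICATED)
    jenkins.setAuthorizationStrategy(strategy)
    jenkins.save()
}
```

Run it as a user with Overall/Administer; the audit part is read-only and the grant is limited to the single Overall/Read row the reporter added by hand.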

            Assignee: Unassigned
            Reporter: Anthony Wat (anthonywat)