JENKINS-49274

Reverse proxy auth is not authenticating users

    Details

      Description

      After configuring the reverse-proxy-auth-plugin, users are not authenticated in Jenkins.

      It appears that ReverseProxySecurityRealm is correctly identifying the user from the following logs:

      PM FINE org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm
      USER LOGGED IN: tad@simple.com
      

      However, DefaultReverseProxyAuthenticator does not appear to receive the username:

      PM INFO org.jenkinsci.plugins.reverse_proxy_auth.auth.DefaultReverseProxyAuthenticator authenticate
      DefaultReverseProxyAuthenticator::authenticate ==> null to [Lorg.acegisecurity.GrantedAuthority;@6d8c3052
      

      We are not using LDAP authentication.

      Here is the relevant section of config.xml:

        <securityRealm class="org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm" plugin="reverse-proxy-auth-plugin@1.6.2">
          <proxyTemplate/>
          <inhibitInferRootDN>false</inhibitInferRootDN>
          <userSearchBase></userSearchBase>
          <userSearch>uid={0}</userSearch>
          <updateInterval>15</updateInterval>
          <forwardedUser>X-Simple-Internal-User</forwardedUser>
          <retrievedUser>vanvlack@simple.com</retrievedUser>
          <headerGroups></headerGroups>
          <headerGroupsDelimiter>|</headerGroupsDelimiter>
          <disableLdapEmailResolver>true</disableLdapEmailResolver>
          <displayNameLdapAttribute></displayNameLdapAttribute>
          <emailAddressLdapAttribute></emailAddressLdapAttribute>
        </securityRealm>
      

      What's interesting is the persistence of "retrievedUser", which might mean a leak of transient state.

      Attached is a sanitized dump of /whoAmI.

          Activity

          llg Laurent Le Grandois added a comment -

          Hi Krasimir,

          It works!!

          Config for Apache is:

            <Location /jenkins>
                RequestHeader set Authorization ""
            </Location>

          Thanks

          kjpopovbg Krasimir Popov added a comment -

          Glad to hear that.

          Cheers...

          chancez Chance Zibolski added a comment -

          I think I am also hitting this. I can auth as my user, but my swarm agents aren't able to get through. The proxy is authenticating them successfully, and should be forwarding the user via the X-Forwarded-For header, which is how I've configured Jenkins, but the agents are just stuck 401ing the whole time against the /plugin/swarm/slaveInfo URL.

          kjpopovbg Krasimir Popov added a comment -

          What kind of webserver do you use to proxy the requests? You need to ensure that all other unnecessary authentication headers are removed (not proxied to the Jenkins Jetty server). In the case of swarm it is basic auth, and the header that you have to remove is Authorization.

          For nginx:
            proxy_set_header Authorization "";
          For Apache:
            <Location /jenkins>
               RequestHeader set Authorization ""
            </Location>

          I believe that this is more a feature rather than a bug; Jenkins security is improved and now there is a better order of security layers. If the Authorization header is present then Jenkins follows that and you will get 401. Your X-Forwarded-For header is ignored in that case.

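The precedence Krasimir describes (an Authorization header wins and the forwarded-user header is then ignored) and the proxy-side fix, modelled as an added Python example that is not part of this issue or of the plugin's code. The header name X-Simple-Internal-User is taken from the config.xml in the description; the sample request headers and the user agent@simple.com are constructed.

```python
from typing import Mapping, Optional, Tuple

# Header name from the <forwardedUser> element in the config.xml above.
FORWARDED_USER_HEADER = "X-Simple-Internal-User"


def proxy_forward_headers(client_headers: Mapping[str, str], proxied_user: str) -> dict:
    """Headers a reverse proxy should send on to Jenkins after it has
    authenticated the client itself.

    - Drop any client-supplied Authorization header (the fix in this thread),
      so Jenkins does not take the Basic-auth path and ignore the forwarded user.
    - Set the forwarded-user header from the proxy's own authentication result,
      overwriting anything the client sent under that name.
    """
    dropped = {"authorization", FORWARDED_USER_HEADER.lower()}
    out = {k: v for k, v in client_headers.items() if k.lower() not in dropped}
    out[FORWARDED_USER_HEADER] = proxied_user
    return out


def jenkins_resolve_user(headers: Mapping[str, str]) -> Tuple[str, Optional[str]]:
    """Model of the precedence described in the thread, returning
    (path taken, resolved user): an Authorization header takes precedence and
    sends the request down the Basic-auth path (the 401 the agents saw);
    otherwise the forwarded-user header identifies the user; otherwise the
    request is anonymous.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if "authorization" in lowered:
        return ("basic-auth", None)  # forwarded-user header ignored on this path
    user = lowered.get(FORWARDED_USER_HEADER.lower())
    return ("forwarded", user) if user else ("anonymous", None)


# Constructed sample request: a swarm agent sends Basic credentials and also
# tries to supply its own forwarded-user header (credential value is made up).
CLIENT_HEADERS = {
    "Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==",
    "X-Simple-Internal-User": "someone-else",
    "User-Agent": "swarm-client",
}

if __name__ == "__main__":
    # Passed through untouched: Basic-auth path, i.e. the 401 reported above.
    print(jenkins_resolve_user(CLIENT_HEADERS))
    # After the proxy strips Authorization and sets the header itself.
    print(jenkins_resolve_user(proxy_forward_headers(CLIENT_HEADERS, "agent@simple.com")))
```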
          roadrunner2 roadrunner2 added a comment -

          For Apache I think the more proper setting is:

          <Location /jenkins>
              RequestHeader unset Authorization
          </Location>

          (verified this fixes the issues for me too)



            People

            • Assignee: Tad Fisher (tad)
            • Reporter: Tad Fisher (tad)
            • Votes: 1
            • Watchers: 9