Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Component/s: reverse-proxy-auth-plugin
Labels: None
Environment: Jenkins 2.90, reverse-proxy-auth-plugin 1.6.2

After configuring the reverse-proxy-auth-plugin, users are not authenticated in Jenkins.
It appears that ReverseProxySecurityRealm is correctly identifying the user from the following logs:
PM FINE org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm USER LOGGED IN: tad@simple.com
However, DefaultReverseProxyAuthenticator does not appear to receive the username:
PM INFO org.jenkinsci.plugins.reverse_proxy_auth.auth.DefaultReverseProxyAuthenticator authenticate DefaultReverseProxyAuthenticator::authenticate ==> null to [Lorg.acegisecurity.GrantedAuthority;@6d8c3052
We are not using LDAP authentication.
Here is the relevant section of config.xml:
<securityRealm class="org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm" plugin="reverse-proxy-auth-plugin@1.6.2">
  <proxyTemplate/>
  <inhibitInferRootDN>false</inhibitInferRootDN>
  <userSearchBase></userSearchBase>
  <userSearch>uid={0}</userSearch>
  <updateInterval>15</updateInterval>
  <forwardedUser>X-Simple-Internal-User</forwardedUser>
  <retrievedUser>vanvlack@simple.com</retrievedUser>
  <headerGroups></headerGroups>
  <headerGroupsDelimiter>|</headerGroupsDelimiter>
  <disableLdapEmailResolver>true</disableLdapEmailResolver>
  <displayNameLdapAttribute></displayNameLdapAttribute>
  <emailAddressLdapAttribute></emailAddressLdapAttribute>
</securityRealm>
What's interesting is the persistence of "retrievedUser", which might mean a leak of transient state.
Attached is a sanitized dump of /whoAmI.
Tad Fisher AFAICT it's still a follow-up to the original fix in JENKINS-49236. The authenticator does not get the context correctly. Although we fixed NPEs in such a case, a main objective would be to debug the plugin and to understand why it fails in such a way. Would you be able to debug it on your instance?
CC Wadeck Follonier