JENKINS-57154

Regression in github-oauth-plugin 0.32 breaks /configureSecurity page

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Component/s: github-oauth-plugin
    • Labels:
      None
    • Environment:
      OS: Ubuntu 18.04.2 - 64 bit
      Java: openjdk version "1.8.0_191"
      github-oauth-plugin: 0.32
      Jenkins: 2.164.2
    • Released As:
      github-oauth-0.33

      Description

      After upgrading to github-oauth-plugin 0.32 I started to see this error in /configureSecurity when it tries to retrieve the name of a github user:

      HTTP ERROR 403
      Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName.
      Reason:    Forbidden
      

       

      The first user has its name retrieved successfully but all others have the error mentioned above.

       

      See the attachment users.png.

       

      The workaround for now is to revert to 0.31.
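A post-upgrade smoke test for the symptom described above, as an added example that is not part of the original report or the plugin's code: it repeats the checkName lookup for several names within one authenticated session and lists the ones that fail. The `value` query parameter, the session header dictionary and the `fake_jenkins` stand-in are assumptions made for illustration.

```python
import json
from urllib import error, parse, request

# Endpoint path taken from the 403 error quoted in this report.
CHECK_NAME = ("/descriptorByName/"
              "hudson.security.ProjectMatrixAuthorizationStrategy/checkName")


def http_get(url, headers):
    """Real transport: GET url and return (status, body), also for 4xx/5xx."""
    req = request.Request(url, headers=headers)
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def failed_lookups(base_url, names, session_headers, get=http_get):
    """Return the names whose checkName lookup did not answer HTTP 200.

    session_headers is assumed to carry an authenticated administrator
    session (for example a Cookie header captured on a staging instance).
    """
    # Fetch a crumb first, as the configuration page does for its requests.
    status, body = get(base_url + "/crumbIssuer/api/json", session_headers)
    if status != 200:
        raise RuntimeError("crumb request failed with HTTP %d" % status)
    crumb = json.loads(body)
    headers = dict(session_headers)
    headers[crumb["crumbRequestField"]] = crumb["crumb"]

    failed = []
    for name in names:
        # Assumption: the form-validation parameter is called "value".
        query = parse.urlencode({"value": name})
        status, _ = get(base_url + CHECK_NAME + "?" + query, headers)
        if status != 200:
            failed.append(name)
    return failed


def fake_jenkins(broken):
    """Constructed stand-in transport so the check runs offline.

    With broken=True it mimics the reported symptom: the first name
    lookup succeeds and every later one answers 403.
    """
    seen = {"lookups": 0}

    def get(url, headers):
        if url.endswith("/crumbIssuer/api/json"):
            return 200, json.dumps({"crumbRequestField": "Jenkins-Crumb",
                                    "crumb": "constructed-crumb"})
        seen["lookups"] += 1
        if broken and seen["lookups"] > 1:
            return 403, "Forbidden"
        return 200, "<div/>"

    return get


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]          # constructed user names
    session = {"Cookie": "JSESSIONID=constructed"}
    for broken in (True, False):
        bad = failed_lookups("http://jenkins.example", names, session,
                             get=fake_jenkins(broken))
        print("broken=%s failed=%s" % (broken, bad))
```

Run it against a staging instance with the default transport before rolling a plugin upgrade to production; an empty list means every lookup succeeded.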

            Activity

            ionutbalutoiu Ionut Balutoiu added a comment -

            This issue affects me as well.

            Considering that version 0.31 is affected by a CSRF vulnerability (https://jenkins.io/security/advisory/2019-04-30/#SECURITY-443), do you guys have any ETA for fixing this, so we can update to 0.32 as soon as possible?

            Without any workaround for this issue, it's hard to maintain a Matrix-based security authorization using 0.32, since you'll get error 403 for every user present there.

             

            Thank-you,

            Ionut

            lucasocio Leandro Lucarella added a comment -

            Also affected, same description, first user is retrieved correctly, all the following are errors, and any attempt to save the configuration for the security page ends in a "No valid crumb was included in the request" 403 error.

             

            Downgrading to version 0.31 fixed it for me too, but then I'm exposed to the CSRF vulnerability

            ameyavs Ameya Vikram Singh added a comment -

            This issue affects me too.

            If I force the POST request the Jenkins Server loses all of its authentication setup, and reverts to an unsecured Jenkins setup.

            ionutbalutoiu Ionut Balutoiu added a comment -

            I can confirm both extra issues identified by Leandro Lucarella and Ameya Vikram Singh.

            Under these circumstances, the plugin update is literally unusable and everyone is affected by the CSRF vulnerability.

            Sam Gleske, I think this issue should be marked with high priority.

            lucasocio Leandro Lucarella added a comment -

            In case it helps anyone dealing with this, I re-upgraded to 0.32 after applying some changes in 0.31. If I need to do more changes I will downgrade and upgrade again. Very far from the ideal, but it works as a workaround and you end up having /only/ a small window where you are vulnerable

            joncormier Jon Cormier added a comment -

            I'm also seeing this problem with v0.32 of github-oauth-plugin and v2.164.2 of Jenkins

            dizeee Aleksei Vesnin added a comment -

            We are having the same issue, but with Role Based Authorization Strategy plugin. Only the first name is retrieved, other requests return "Problem accessing /descriptor/com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy/checkName. Reason: Forbidden" and "ERROR" instead of all names. Not sure if it's relevant, but here's what we have in Jenkins log:

            May 08, 2019 6:59:47 PM WARNING hudson.util.Secret toString
            Use of toString() on hudson.util.Secret from java.lang.String.valueOf(String.java:2994). Prefer getPlainText() or getEncryptedValue() depending your needs. see https://jenkins.io/redirect/hudson.util.Secret/

            May 08, 2019 6:59:48 PM WARNING org.apache.http.client.protocol.ResponseProcessCookies processCookies
            Invalid cookie header: "Set-Cookie: has_recent_activity=1; path=/; expires=Wed, 08 May 2019 19:59:48 -0000". Invalid 'expires' attribute: Wed, 08 May 2019 19:59:48 -0000

            May 08, 2019 6:59:48 PM INFO com.squareup.okhttp.internal.Platform$JdkWithJettyBootPlatform getSelectedProtocol
            ALPN callback dropped: SPDY and HTTP/2 are disabled. Is alpn-boot on the boot class path?
            

             

             

            meterian_bot Meterian Bot added a comment - - edited

            Same here. Very frustrating as v0.31 is affected by this vulnerability:
            https://jenkins.io/security/advisory/2019-04-30/#SECURITY-443

            But downgrading to 0.31 gives us back a configuration page that you can save

            meccatol Hyungsung Kim added a comment -

            We've also had the same issues. We've lost all authentication info with 0.32 ver, and we have to downgrade to 0.31.

            Please fix this asap!

            jonkins Jon Kelley added a comment - - edited

            Jenkins ver 2.176.1

            We upgraded to `0.32` github oauth and experience this issue. (Previous: 0.29 worked)

            We can't edit global settings, security settings, security permissions on jobs or even edit workspace permissions. "No valid crumb was included in the request" is our life now.

             

              [EDIT] Upgrading this bug to CRITICAL if you don't mind. Restarted Jenkins after "downgrading" to github-oauth 0.29 and we are still on github-oauth 0.32, we have no workaround for this bug. We may be able to force CSRF disabled in Jenkins v2.176.1 by setting java startup option `hudson.security.csrf.GlobalCrumbIssuerConfiguration=false` but that is a really bad idea with the oauth integration and always. That is why prioritization is critical on this issue.

            Thanks guys, CSRF implementations are never fun.  Hope a fix is found soon.

             

            jonkins Jon Kelley added a comment - - edited

            A strange update, the problems have mysteriously disappeared in my chrome console (was getting 403 forbidden for field element lookups etc) and I can edit the settings I couldn't before! My version still is `0.32` as if it failed to downgrade but the problem has mysteriously self-resolved on my end. ¯\_(ツ)_/¯    If restarting Jenkins helped it should have been immediately apparent.

            shamil Alex Simenduev added a comment -

            We are using "Role Based Authorization Strategy" plugin, and experiencing the same issue.

            Is there any known workaround? Downgrading is problematic for us due to security implications.

             

            docwhat Christian Höltje added a comment -

            I have the same issue. To reproduce:

            1. Go to $JENKINS_URL/manage
            2. Go to $JENKINS_URL/configureSecurity
            3. Press "Reload" or click the "Configure Global Security" and you get a traceback saying anonymous doesn't have the right permissions.

            If you get the "Retry with POST" page and you look at the networking console, you'll see that it actually re-logged you in by visiting github and coming back. That's why the POST got converted to a GET.

            As above, I get these log entries every time:

            Jul 18, 2019 11:20:33 AM hudson.util.Secret toString
            WARNING: Use of toString() on hudson.util.Secret from java.lang.String.valueOf(String.java:2994). Prefer getPlainText() or getEncryptedValue() depending your needs. see https://jenkins.io/redirect/hudson.util.Secret/
            Jul 18, 2019 11:20:34 AM org.apache.http.client.protocol.ResponseProcessCookies processCookies
            WARNING: Invalid cookie header: "Set-Cookie: has_recent_activity=1; path=/; expires=Thu, 18 Jul 2019 16:20:34 -0000". Invalid 'expires' attribute: Thu, 18 Jul 2019 16:20:34 -0000
            

            This is the full traceback mentioned above:

            org.apache.commons.jelly.JellyTagException: jar:file:/var/lib/jenkins/war/WEB-INF/lib/jenkins-core-2.176.2.jar!/lib/layout/view.jelly:39:20: <d:invokeBody> anonymous is missing the Overall/Administer permission
            	at org.apache.commons.jelly.impl.TagScript.handleException(TagScript.java:726)
            	at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:281)
            	at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            	at org.apache.commons.jelly.tags.core.CoreTagLibrary$2.run(CoreTagLibrary.java:105)
            	at org.kohsuke.stapler.jelly.CallTagLibScript.run(CallTagLibScript.java:120)
            	at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            	at org.apache.commons.jelly.tags.core.CoreTagLibrary$2.run(CoreTagLibrary.java:105)
            	at org.kohsuke.stapler.jelly.CallTagLibScript.run(CallTagLibScript.java:120)
            	at org.kohsuke.stapler.jelly.groovy.JellyBuilder.doInvokeMethod(JellyBuilder.java:276)
            	at org.kohsuke.stapler.jelly.groovy.Namespace$ProxyImpl.invoke(Namespace.java:92)
            	at com.sun.proxy.$Proxy108.layout(Unknown Source)
            	at lib.LayoutTagLib$layout.call(Unknown Source)
            	at hudson.security.GlobalSecurityConfiguration.index.run(index.groovy:15)
            	at org.kohsuke.stapler.jelly.groovy.GroovierJellyScript.run(GroovierJellyScript.java:74)
            	at org.kohsuke.stapler.jelly.groovy.GroovierJellyScript.run(GroovierJellyScript.java:62)
            	at org.kohsuke.stapler.jelly.DefaultScriptInvoker.invokeScript(DefaultScriptInvoker.java:63)
            	at org.kohsuke.stapler.jelly.DefaultScriptInvoker.invokeScript(DefaultScriptInvoker.java:53)
            	at org.kohsuke.stapler.jelly.ScriptInvoker.execute(ScriptInvoker.java:56)
            	at org.kohsuke.stapler.jelly.ScriptInvoker.execute(ScriptInvoker.java:43)
            	at org.kohsuke.stapler.Facet.handleIndexRequest(Facet.java:282)
            	at org.kohsuke.stapler.jelly.groovy.GroovyFacet.handleIndexRequest(GroovyFacet.java:93)
            	at org.kohsuke.stapler.IndexViewDispatcher.dispatch(IndexViewDispatcher.java:32)
            	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
            	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
            	at org.kohsuke.stapler.MetaClass$9.dispatch(MetaClass.java:456)
            	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
            	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
            	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:676)
            	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
            	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
            	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
            	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
            	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:239)
            	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215)
            	at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
            	at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:114)
            	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
            	at org.jenkinsci.plugins.modernstatus.ModernStatusFilter.doFilter(ModernStatusFilter.java:52)
            	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
            	at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
            	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
            	at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128)
            	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
            	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
            	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:64)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
            	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
            	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
            	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
            	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
            	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
            	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
            	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
            	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
            	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
            	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
            	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
            	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1701)
            	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
            	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
            	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
            	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
            	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1668)
            	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
            	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
            	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
            	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
            	at org.eclipse.jetty.server.Server.handle(Server.java:502)
            	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
            	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
            	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
            	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
            	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
            	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
            	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
            	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
            	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
            	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
            	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
            	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
            	at java.lang.Thread.run(Thread.java:748)
            Caused by: hudson.security.AccessDeniedException2: anonymous is missing the Overall/Administer permission
            	at hudson.security.ACL.checkPermission(ACL.java:73)
            	at hudson.security.AccessControlled.checkPermission(AccessControlled.java:47)
            	at hudson.Functions.checkPermission(Functions.java:771)
            	at hudson.Functions.checkPermission(Functions.java:791)
            	at sun.reflect.GeneratedMethodAccessor1836.invoke(Unknown Source)
            	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
            	at java.lang.reflect.Method.invoke(Method.java:498)
            	at org.apache.commons.jexl.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:258)
            	at org.apache.commons.jexl.parser.ASTMethod.execute(ASTMethod.java:104)
            	at org.apache.commons.jexl.parser.ASTReference.execute(ASTReference.java:83)
            	at org.apache.commons.jexl.parser.ASTReference.value(ASTReference.java:57)
            	at org.apache.commons.jexl.parser.ASTReferenceExpression.value(ASTReferenceExpression.java:51)
            	at org.apache.commons.jexl.ExpressionImpl.evaluate(ExpressionImpl.java:80)
            	at hudson.ExpressionFactory2$JexlExpression.evaluate(ExpressionFactory2.java:74)
            	at org.apache.commons.jelly.parser.EscapingExpression.evaluate(EscapingExpression.java:24)
            	at org.apache.commons.jelly.impl.ExpressionScript.run(ExpressionScript.java:66)
            	at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            	at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            	at org.kohsuke.stapler.jelly.ReallyStaticTagLibrary$1.run(ReallyStaticTagLibrary.java:99)
            	at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            	at org.kohsuke.stapler.jelly.ReallyStaticTagLibrary$1.run(ReallyStaticTagLibrary.java:99)
            	at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            	at org.kohsuke.stapler.jelly.CallTagLibScript$1.run(CallTagLibScript.java:99)
            	at org.apache.commons.jelly.tags.define.InvokeBodyTag.doTag(InvokeBodyTag.java:91)
            	at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:269)
            	... 100 more
            Caused: java.lang.RuntimeException
            	at org.kohsuke.stapler.jelly.groovy.JellyBuilder.doInvokeMethod(JellyBuilder.java:280)
            	at org.kohsuke.stapler.jelly.groovy.Namespace$ProxyImpl.invoke(Namespace.java:92)
            	at com.sun.proxy.$Proxy108.layout(Unknown Source)
            	at lib.LayoutTagLib$layout.call(Unknown Source)
            	at hudson.security.GlobalSecurityConfiguration.index.run(index.groovy:15)
            	at org.kohsuke.stapler.jelly.groovy.GroovierJellyScript.run(GroovierJellyScript.java:74)
            	at org.kohsuke.stapler.jelly.groovy.GroovierJellyScript.run(GroovierJellyScript.java:62)
            	at org.kohsuke.stapler.jelly.DefaultScriptInvoker.invokeScript(DefaultScriptInvoker.java:63)
            	at org.kohsuke.stapler.jelly.DefaultScriptInvoker.invokeScript(DefaultScriptInvoker.java:53)
            	at org.kohsuke.stapler.jelly.ScriptInvoker.execute(ScriptInvoker.java:56)
            	at org.kohsuke.stapler.jelly.ScriptInvoker.execute(ScriptInvoker.java:43)
            	at org.kohsuke.stapler.Facet.handleIndexRequest(Facet.java:282)
            Caused: javax.servlet.ServletException
            	at org.kohsuke.stapler.Facet.handleIndexRequest(Facet.java:285)
            	at org.kohsuke.stapler.jelly.groovy.GroovyFacet.handleIndexRequest(GroovyFacet.java:93)
            	at org.kohsuke.stapler.IndexViewDispatcher.dispatch(IndexViewDispatcher.java:32)
            	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
            	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
            	at org.kohsuke.stapler.MetaClass$9.dispatch(MetaClass.java:456)
            	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
            	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
            	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:676)
            	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
            	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
            	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
            	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
            	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:239)
            	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215)
            	at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
            	at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:114)
            	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
            	at org.jenkinsci.plugins.modernstatus.ModernStatusFilter.doFilter(ModernStatusFilter.java:52)
            	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
            	at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
            	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
            	at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128)
            	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
            	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
            	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:64)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
            	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
            	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
            	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
            	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
            	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
            	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
            	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
            	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
            	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
            	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
            	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
            	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1701)
            	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
            	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
            	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
            	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
            	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1668)
            	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
            	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
            	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
            	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
            	at org.eclipse.jetty.server.Server.handle(Server.java:502)
            	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
            	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
            	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
            	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
            	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
            	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
            	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
            	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
            	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
            	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
            	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
            	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
            	at java.lang.Thread.run(Thread.java:748)
            
            docwhat Christian Höltje added a comment -

            Doing some googling...

            The has_recent_activity=1 cookie seems to be coming from GitHub. I suspect that the cookie parser being used by Jenkins is broken.

            sag47 Sam Gleske added a comment -

            I've tried a couple of ways to reproduce this locally and I'm not able to reproduce it locally.  I configured plugin 0.31 and upgraded to 0.32 with no problems.  I'll try another fresh install and use 0.29 since I see others reporting they're upgrading from that version.

            sag47 Sam Gleske added a comment - - edited

            Okay I was able to replicate the issue.  Replication steps:

            1. Have two GitHub users.  githubadmin and githubuser for example where githubadmin is a Jenkins admin and githubuser is a non-admin user in Jenkins.
            2. Have both users log in and authorize with GitHub OAuth.
            3. Configure project-based matrix authorization and add Overall:Read to githubuser and Overall:Administer to githubadmin.
            4. IMPORTANT: On githubuser log into GitHub settings and de-authorize the OAuth app.  This means Jenkins will have a token for the user but it won't be valid because the user de-authorized the app.
            5. Using githubadmin I visited the configureSecurity page in Jenkins and got the following stack trace.
            githubuser (name changed intentionally to be generic)
            
            java.lang.NullPointerException
            	at org.jenkinsci.plugins.GithubAuthenticationToken.<init>(GithubAuthenticationToken.java:205)
            	at org.jenkinsci.plugins.GithubSecurityRealm.loadUserByUsername(GithubSecurityRealm.java:700)
            	at org.jenkinsci.plugins.matrixauth.AuthorizationContainerDescriptor.doCheckName_(AuthorizationContainerDescriptor.java:140)
            	at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:222)
            	at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
            	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
            	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
            	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
            	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
            	at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:535)
            	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
            	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
            	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
            	at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:280)
            	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
            	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
            	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
            	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:676)
            	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
            	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
            	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
            	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
            	at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128)
            	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
            	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
            	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:105)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
            	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
            	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
            	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
            	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
            	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
            	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
            	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
            	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
            	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
            	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
            	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
            	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
            	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
            	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1700)
            	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
            	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
            	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
            	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
            	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1667)
            	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
            	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
            	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
            	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
            	at org.eclipse.jetty.server.Server.handle(Server.java:505)
            	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
            	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
            	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
            	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
            	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
            	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
            	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
            	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
            	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
            	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
            	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:698)
            	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:804)
            	at java.lang.Thread.run(Thread.java:748)
            

            The root cause lies within impersonate. When users are validated it doesn't use the admin token. Instead, it attempts to use the token for each individual user in the project-based matrix authorization form.

            I'll need to investigate the fix but have identified the root cause.
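
            The failure mode described in this comment, reduced to a self-contained model (an added example, not the plugin's code and not the change made in PR 115). The class, method, and token names are hypothetical, and the two maps are constructed stand-ins for GitHub and for the tokens Jenkins stores per user.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of a per-user token lookup; none of these names are the plugin's own.
public class RevokedTokenLookup {
    static class UserNotFound extends Exception {
        UserNotFound(String msg) { super(msg); }
    }

    // Constructed stand-in for the identity provider: token -> login. A revoked token has no entry.
    static final Map<String, String> PROVIDER = new HashMap<>();
    // Constructed stand-in for the tokens the server saved at each user's last login.
    static final Map<String, String> STORED_TOKENS = new HashMap<>();
    static {
        PROVIDER.put("tok-admin", "githubadmin");
        STORED_TOKENS.put("githubadmin", "tok-admin");
        STORED_TOKENS.put("githubuser", "tok-user"); // still stored, but de-authorized upstream
    }

    // Fragile: impersonates the looked-up user with their stored token and trusts the reply.
    static String lookupFragile(String username) {
        String login = PROVIDER.get(STORED_TOKENS.get(username));
        return login.toLowerCase(); // NullPointerException when the token was revoked
    }

    // Hardened: a missing or rejected token becomes a handled "not found" result.
    static String lookupHardened(String username) throws UserNotFound {
        String token = STORED_TOKENS.get(username);
        String login = (token == null) ? null : PROVIDER.get(token);
        if (login == null) {
            throw new UserNotFound("no usable token for " + username);
        }
        return login.toLowerCase();
    }

    public static void main(String[] args) {
        for (String name : new String[] {"githubadmin", "githubuser"}) {
            try {
                System.out.println("fragile  " + name + " -> " + lookupFragile(name));
            } catch (NullPointerException e) {
                System.out.println("fragile  " + name + " -> unhandled NullPointerException");
            }
            try {
                System.out.println("hardened " + name + " -> " + lookupHardened(name));
            } catch (UserNotFound e) {
                System.out.println("hardened " + name + " -> " + e.getMessage());
            }
        }
    }
}
```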

            sag47 Sam Gleske added a comment -

            https://github.com/jenkinsci/github-oauth-plugin/blob/github-oauth-0.32/src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java#L694-L700 is the problematic section of code

            sag47 Sam Gleske added a comment -

            This seems to have been caused by https://github.com/jenkinsci/github-oauth-plugin/pull/109

            However, PR 109 is pretty important for how impersonation works. Need to figure out a happy medium.

            sag47 Sam Gleske added a comment -

            Here's the fix https://github.com/jenkinsci/github-oauth-plugin/pull/115

            sag47 Sam Gleske added a comment -

            https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/github-oauth/0.33/github-oauth-0.33.hpi has been released and I verified the fix by upgrading locally to the new version. It should be available in the update center in roughly 8 hours or so.

            joncormier Jon Cormier added a comment -

            I installed 0.33 and the problem no longer appears for me. Thanks Sam Gleske

            steveims Steve Ims added a comment -

            0.33 working for me too.  Thanks Sam Gleske !

            sag47 Sam Gleske added a comment -

            Jon Cormier Steve Ims no problem; thanks for reporting back your own testing results since it helps me validate the solution was a fix.


              People

              • Assignee:
                sag47 Sam Gleske
                Reporter:
                franciscocpg Francisco Guimaraes
              • Votes:
                27
                Watchers:
                36
