-
Bug
-
Resolution: Unresolved
-
Minor
-
None
-
Java(TM) SE Runtime Environment (build 1.6.0_17-b04)
Java HotSpot(TM) Client VM (build 14.3-b01, mixed mode, sharing)
I tried to monitor an external job in Hudson according to http://wiki.jenkins-ci.org/display/JENKINS/Monitoring+external+jobs. My password has a hash sign (#) in it, so I specified the following URL as HUDSON_HOME:
http://user@test#password@localhost/hudson/
You can see in http://fisheye.jenkins-ci.org/browse/Hudson/trunk/hudson/main/core/src/main/java/hudson/Main.java?r=HEAD that Hudson creates a java.net.URL object out of the HUDSON_HOME variable and extracts the credentials using its getUserInfo() method (http://java.sun.com/javase/6/docs/api/java/net/URL.html#getUserInfo%28%29). Because of this, it is not possible to encode the # as %23, as new URL("http://user:test%23password@localhost/hudson/").getUserInfo() returns "user:test%23password", which contains the wrong password of course.
The problem is now that Hudson does not call the URL http://localhost/hudson/ here, but instead the URL http://localhost/. This might be a bug in the implementation of the URL class, as it seems to sometimes interpret the # sign as the beginning of the URL anchor part. Here are some example return values of the methods of a new URL("http://user:test#password@localhost/hudson/") object:
getUserInfo(): "user:test#password"
getHost(): "localhost"
getPath(): ""
getRef(): "password@localhost/hudson/"
Even if this is a bug in Java, Hudson should still provide a workaround for this to work with the current and older Java versions. I could imagine three ways to do this:
1. Remove the user and password from the URL before calling URL.openConnection()
2. Call URLDecoder.decode() on URL.getUserInfo() so that I can escape the # sign with %23. This would be backwards compatible except for passwords that contain a % sign.
3. Pass the user name and password outside the URL in different environment variables or arguments.