  1. Jenkins
  2. JENKINS-8214

Trying to access a private URL returns a 404 instead of a 401

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component/s: core
    • Labels:
      None
    • Environment:
      hudson 1.387 + Apache/modjk

      Description

      This problem has existed for a very long time, and even if it isn't a blocker it is annoying.
      You can easily reproduce it by creating a job in a Hudson instance (using the security matrix) without giving anonymous access to it.
      Log out and try to access the project URL.

      This is annoying because teams are receiving emails from Hudson telling them to have a look at the URL of the build failure, and they are faced with a 404 ...

      A 501 error (with the login page?) would really be better in terms of ergonomics.


            Activity

            kohsuke Kohsuke Kawaguchi added a comment -

            I think the conflicting school of thought here is that if it returns 401, it reveals the information that the project exists, which is a problem for some people.

            Perhaps 404 page should suggest a login?

            Or we can always add a system property that secretly controls the behaviour...

            aheritier Arnaud Héritier added a comment -

            I agree about the conflicting points of view.
            Even if it's weird to have a login in the 404, it could help if we explain the behavior to our users.
            A parameter (Hudson config or system property) to control the behavior is the best solution.
            Even if I understand the 404 solution, my Hudson server isn't part of Secret US Embassy resources, thus I prefer to provide an ergonomic solution (401 + login page) to my users.

            harrygg Harry G. added a comment -

            My practical experience is also rather annoying, because users regularly complain that they got an invalid URL via E-Mail.

            I would not display any http status at all in these cases.
            My proposal:

            • not logged in: display a message like "You need to log in" together with the login fields and redirect afterwards
            • logged in: display a message like "You have no access to this page"

            This is IMHO how many other webapps do it.
            harrygg Harry G. added a comment -

            Regarding Kohsuke's comment
            > if it returns 401, it reveals the information that the project exists, which is a problem for some people.
            the non-existing URLs should also redirect to the login page, so that nothing will be revealed.

            If this is still not a feasible solution for all users, a config checkbox like "redirect invalid URLs to login page when not logged in" could help.

            cforce cforce added a comment -

            https://issues.jenkins-ci.org/browse/JENKINS-8930?focusedCommentId=148959#comment-148959 is a dupe
            cforce cforce added a comment - - edited

            If I access a URI on Jenkins beyond the base URL, e.g. https://bhaus.gruppe.de/jenkins/job/MyJOB/, I get HTTP 404.
            If I call https://bhaus.gruppe.de/jenkins/ and authenticate with user/pwd (in my case project matrix against an LDAP realm) and then call https://bhaus.gruppe.de/jenkins/job/MyJOB/, it works!

            My expectation would be that, if not authenticated, the user gets redirected to the login mask and then redirected to the entered URL after successful authentication.
            I think it's a WAR file web.xml configuration issue.

            This behaviour is very annoying, especially as we use a Redmine plugin for Jenkins which puts links in the issue tracker, which, when clicked, lead to a 404 because the user isn't authorized the first time in the browser session.
            We have no SSO; although Redmine and Jenkins are both backed by an LDAP server, a new login is needed per session.

            This problem is old now, and again I vote to fix this very soon.
            Thanks for the contribution and help!

            buildscientist Youssuf ElKalay added a comment -

            I think this is still an outstanding issue. Not sure if it's just a web.xml issue - you can specify an error handler for 404s, but that won't solve the issue of not being able to get to the job in question. The login handler will likely need to be modified to accept redirecting to the job URL in the email.

            lacostej lacostej added a comment -

            I sent a pull request a few days ago. https://github.com/jenkinsci/jenkins/pull/445

            Maybe someone wants to comment on it?

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jerome Lacoste
            Path:
            changelog.html
            core/src/main/java/hudson/model/Item.java
            core/src/main/java/jenkins/model/Jenkins.java
            core/src/main/resources/hudson/model/Messages.properties
            http://jenkins-ci.org/commit/jenkins/84f08379e8a06f9cec0765da0ac397950fbad1d3
            Log:
            [FIXED JENKINS-8214] Added a DISCOVER permission to allow anonymous users to be presented the login screen when accessing job URLs

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jerome Lacoste
            Path:
            changelog.html
            core/src/main/java/hudson/model/Item.java
            core/src/main/java/jenkins/model/Jenkins.java
            core/src/main/resources/hudson/model/Messages.properties
            http://jenkins-ci.org/commit/jenkins/3c349c0cd460bea2f017b52e92550bab0f91247e
            Log:
            Merge pull request #453 from lacostej/lacostej-JENKINS-8214-access-private-URL-2

            [FIXED JENKINS-8214] Added a DISCOVER permission to allow anonymous users to be presented the login screen when accessing job URLs

            Compare: https://github.com/jenkinsci/jenkins/compare/5f92a03...3c349c0

            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #1679
            [FIXED JENKINS-8214] Added a DISCOVER permission to allow anonymous users to be presented the login screen when accessing job URLs (Revision 84f08379e8a06f9cec0765da0ac397950fbad1d3)

            Result = SUCCESS
            jerome.lacoste : 84f08379e8a06f9cec0765da0ac397950fbad1d3
            Files :

            • core/src/main/java/hudson/model/Item.java
            • changelog.html
            • core/src/main/java/jenkins/model/Jenkins.java
            • core/src/main/resources/hudson/model/Messages.properties
            dogfood dogfood added a comment -

            Integrated in jenkins_ui-changes_branch #26
            [FIXED JENKINS-8214] Added a DISCOVER permission to allow anonymous users to be presented the login screen when accessing job URLs (Revision 84f08379e8a06f9cec0765da0ac397950fbad1d3)

            Result = SUCCESS
            jerome.lacoste : 84f08379e8a06f9cec0765da0ac397950fbad1d3
            Files :

            • core/src/main/resources/hudson/model/Messages.properties
            • changelog.html
            • core/src/main/java/hudson/model/Item.java
            • core/src/main/java/jenkins/model/Jenkins.java
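
The trade-off debated in this thread and the DISCOVER permission named in the commit log, as an added example (not code from Jenkins or from any commenter): a simplified model in which a job's READ/DISCOVER grants decide between the page, a login prompt and a 404. The job names, the `resolve` helper and the 403 for logged-in users without access are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

// Added illustration, not Jenkins source: a simplified model of how an
// item lookup can map READ/DISCOVER grants onto HTTP outcomes.
public class DiscoverDemo {
    enum Perm { READ, DISCOVER }
    enum Outcome { OK_200, LOGIN_REDIRECT, FORBIDDEN_403, NOT_FOUND_404 }

    // Constructed sample ACL: job name -> permissions granted to the caller.
    static final Map<String, Set<Perm>> ANON_ACL = Map.of(
        "public-job", Set.of(Perm.READ, Perm.DISCOVER),
        "team-job",   Set.of(Perm.DISCOVER),  // existence may be revealed
        "secret-job", Set.of());              // existence must stay hidden

    // granted == null means the job does not exist at all.
    static Outcome resolve(boolean authenticated, Set<Perm> granted) {
        if (granted == null) return Outcome.NOT_FOUND_404;
        if (granted.contains(Perm.READ)) return Outcome.OK_200;
        if (granted.contains(Perm.DISCOVER)) {
            // The caller is allowed to learn that the job exists: prompt
            // anonymous users to log in, tell logged-in users they lack access
            // (the 403 is an assumption, following the proposal in the thread).
            return authenticated ? Outcome.FORBIDDEN_403 : Outcome.LOGIN_REDIRECT;
        }
        // No READ and no DISCOVER: answer exactly as for a missing job.
        return Outcome.NOT_FOUND_404;
    }

    public static void main(String[] args) {
        String[] jobs = {"public-job", "team-job", "secret-job", "no-such-job"};
        for (String job : jobs) {
            Outcome o = resolve(false, ANON_ACL.get(job));
            System.out.printf("anonymous GET /job/%s/ -> %s%n", job, o);
        }
        // The property to check when reviewing such a change: a hidden job
        // and a missing job must be indistinguishable, otherwise the status
        // code confirms which job names exist.
        boolean hidden = resolve(false, ANON_ACL.get("secret-job"))
                      == resolve(false, ANON_ACL.get("no-such-job"));
        System.out.println("secret-job indistinguishable from missing: " + hidden);
    }
}
```

Granting DISCOVER to anonymous trades the 404 for a login prompt on that job only, so the existence disclosure raised in the first comment becomes a per-job choice.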

              People

              • Assignee: Unassigned
              • Reporter: aheritier Arnaud Héritier
              • Votes: 9
              • Watchers: 8
