Opened 7 years ago

Closed 7 years ago

Form-based authentication support

Reported by: anonymous
Owned by: roadrunner
Priority: normal
Component: HudsonTracPlugin
Severity: normal
Cc: mariuszs, hetslov@…, chris@…
Trac Release: 0.11

Description

First, thanks for the plugin! I just secured hudson and now I am getting a 403 error when I want to see the Timeline (Hudson Builds event provider (HudsonTracPlugin) failed ... HTTPError: HTTP Error 403: Forbidden. This most likely means you configured a wrong job_url.)

Configuration:

• hudson with ldap login, running on tomcat (windows). manual login works fine.
• trac on ubuntu. connection with unsecured hudson works fine.

-> username/password is correct, I double-checked it. I also tried the no_chal patch without success. Any ideas what I may try/check?

Thanks!

comment:1 Changed 7 years ago by roadrunner

If you had a wrong username/password you'd be seeing 401's; 403 means the user is not allowed to see that URL. The exact URL being retrieved is logged as part of the error - did you try exactly that URL manually? Since you say that it works with unsecured hudson, I'm presuming the job_url is therefore correct; in that case it looks like you've configured hudson to restrict access too much - try playing around with the permissions (I'm presuming you're using matrix-based security?).

comment:2 Changed 7 years ago by anonymous

Thanks for the quick reply!

I tried to put the URL directly into the address bar of my browser: It loaded the authentication-site from hudson and after providing my credentials it showed the xml. All good here.

Next thing I tried is to provide a false username/password in my trac.ini -> Still a 403 error! no 401 at all...

You are right, I am using matrix configuration (project-based). But I granted all rights to the user I want to use for trac integration, so that should not be the problem.

Any more ideas what I could try or debug?

thanks for any help!

comment:3 Changed 7 years ago by anonymous

I have this same problem. Project based matrix configuration, LDAP auths and all roles assigned to trac user. I can open list of builds by hand.

HTTP Error 403: Forbidden

comment:4 Changed 7 years ago by anonymous

Cc: mariuszs added; anonymous removed

comment:5 Changed 7 years ago by roadrunner

I need some more details (sorry, don't have time to set up a site to test this right now): what do you mean "it loaded the authentication-site"? Does it show you a page with a form to enter username and password, or does it pop up the browser's username/password dialog? If the former, then that's the issue: this plugin only supports http authentication, not form-based authentication.

comment:6 Changed 7 years ago by mariuszs

I think "it loaded the authentication-site" is about hudson form login when build list was accessed by hand.

Two different users report this problem.

comment:7 Changed 7 years ago by mariuszs

"this plugin only supports http authentication, not form-based authentication." Hmm, I think form based authentication in hudson is more common and easy to set up than http authentication. Please add this info to plugin homepage, because this plugin is useless now for most of users.

comment:8 Changed 7 years ago by mariuszs

Moreover, switching from form based login to http authentication is not possible. With form based authentication, project based matrix security setup and LDAP configuration Hudson can read user roles from LDAP and assign permission to jobs. This can't be done with http authentication.

comment:10 follow-up:  11 Changed 7 years ago by steve

Hi,

Thanks for the replies, I am the anonymous who started this topic ;-)

As mariuszs said when you use ldap-authentication in hudson (which we need in our setup to give permissions to ldap-groups for jobs) there is only form-based authentication (at least I can't find other options...).

Maybe change the type to enhancement (add form based authentication support)? Or are there any ideas for a workaround?

Many thanks, Steve

comment:11 in reply to:  10 Changed 7 years ago by roadrunner

Summary: 403 Error → Form-based authentication support
Type: defect → enhancement

> As mariuszs said when you use ldap-authentication in hudson (which we need in our setup to give permissions to ldap-groups for jobs) there is only form-based authentication (at least I can't find other options...).

Ok, that sucks. Maybe hudson could use an enhancement here.

> Maybe change the type to enhancement (add form based authentication support)?

I'm changing the ticket.

If the form doesn't use any sort of form-token (xss protection) and the login-url is well-known (e.g. can be reliably computed from the job_url) then it is probably easy enough to implement; otherwise it'll need some html-parsing etc too - yuck. In any case it'll be a few weeks before I can work on this. Unless somebody else wants to take a stab at it.

comment:12 Changed 7 years ago by netslow

So, what about form based authentication support?

comment:15 Changed 7 years ago by roadrunner

Resolution: → fixed
Status: new → closed

(In [7895]) Added support for hudson's form-based authentication.

This is based on a modified version of the patch submitted to #6332. Instead of requiring the user to configure yet another option, Hudson's 403 response is used to trigger the pre-emptive sending of auth info. This is only very slightly less secure than the config option, and only so in scenarios where the authentication for Hudson was using Digest auth but due to some config change Hudson is now returning a 403 - in this case the plugin will start sending the (essentially cleartext) username and password which could possibly now be snooped.

This closes #6332 and #6520.
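The trade-off described in the commit message above, as an added Python example that is not the plugin's code from [7895]: a 403 triggers one retry with pre-emptive Basic credentials, but the retry is refused over plain http or when Digest had been negotiated before. The names `transport`, `saw_digest` and `allow_cleartext` are hypothetical, and the fake Hudson is a constructed stand-in so the block runs offline.

```python
import base64
from urllib.parse import urlsplit


def basic_header(user, password):
    """Build a Basic Authorization value (base64 only, i.e. effectively cleartext)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def fetch_builds(url, user, password, transport,
                 saw_digest=False, allow_cleartext=False):
    """Fetch url; on a 403, retry once with pre-emptive Basic auth if that is safe.

    transport(url, headers) -> (status, headers, body) is a hypothetical hook
    standing in for the real HTTP client. Returns (status, body, decision).
    """
    status, _, body = transport(url, {})
    if status != 403:
        return status, body, "no-retry"
    # Never volunteer Basic credentials on an unencrypted channel by default.
    if urlsplit(url).scheme != "https" and not allow_cleartext:
        return status, body, "refused: plain http"
    # The case the commit message warns about: the server used to negotiate
    # Digest, so a sudden 403 must not downgrade the credentials to Basic.
    if saw_digest:
        return status, body, "refused: digest downgrade"
    headers = {"Authorization": basic_header(user, password)}
    status, _, body = transport(url, headers)
    return status, body, "retried-with-basic"


def make_fake_hudson(user, password):
    """Constructed stand-in for a secured Hudson: 403 unless valid Basic auth."""
    seen = []  # every (url, headers) pair the client sent, for inspection
    expected = basic_header(user, password)

    def transport(url, headers):
        seen.append((url, dict(headers)))
        if headers.get("Authorization") == expected:
            return 200, {}, "<feed/>"
        return 403, {}, "Forbidden"

    return transport, seen


if __name__ == "__main__":
    hudson, sent = make_fake_hudson("trac", "constructed-password")
    url = "https://hudson.example/job/demo/rssAll"  # constructed URL
    print(fetch_builds(url, "trac", "constructed-password", hudson))
    print(len(sent), "requests sent")
```

The `seen` list lets a test confirm that no Authorization header left the client in the refused cases.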
