[JIRA] (JENKINS-57154) HTTP ERROR 403


francisco.cpg@gmail.com (JIRA)

Apr 23, 2019, 8:37:02 AM
to jenkinsc...@googlegroups.com
Francisco Guimaraes updated an issue
 
Jenkins / Bug JENKINS-57154
HTTP ERROR 403
Change By: Francisco Guimaraes
After upgrading to github-oauth-plugin 0.32 I started to see this error in `/configureSecurity` when it tries to retrieve the name of a github user:
{noformat}
HTTP ERROR 403
Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName.

Reason:    Forbidden
{noformat}
 

The first user has its name retrieved successfully but all others have the error mentioned above.

 

See the attachment *users.png*.
 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

francisco.cpg@gmail.com (JIRA)

Apr 23, 2019, 8:37:02 AM
to jenkinsc...@googlegroups.com
Francisco Guimaraes created an issue
Issue Type: Bug
Assignee: Sam Gleske
Attachments: users.png
Components: github-oauth-plugin
Created: 2019-04-23 12:36
Environment: OS: Ubuntu 18.04.2 - 64 bit
Java: openjdk version "1.8.0_191"
github-oauth-plugin: 0.32
Jenkins: 2.164.2
Priority: Major
Reporter: Francisco Guimaraes

After upgrading to github-oauth-plugin 0.32 I started to see this error in `/configureSecurity` when it tries to retrieve the name of a github user:

HTTP ERROR 403
Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName. Reason:    Forbidden

 

The first user has its name retrieved successfully but all others have the error mentioned above.

 

See the attachment users.png.

francisco.cpg@gmail.com (JIRA)

Apr 23, 2019, 8:38:02 AM
to jenkinsc...@googlegroups.com
Francisco Guimaraes updated an issue
Change By: Francisco Guimaraes
After upgrading to github-oauth-plugin 0.32 I started to see this error in `/configureSecurity` when it tries to retrieve the name of a github user:
{noformat}

HTTP ERROR 403
Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName.
Reason:    Forbidden
{noformat}
 

The first user has its name retrieved successfully but all others have the error mentioned above.

 

See the attachment *users.png*.

francisco.cpg@gmail.com (JIRA)

Apr 23, 2019, 8:38:02 AM
to jenkinsc...@googlegroups.com
Francisco Guimaraes updated an issue
Change By: Francisco Guimaraes
Attachment: users.png

francisco.cpg@gmail.com (JIRA)

Apr 23, 2019, 8:38:02 AM
to jenkinsc...@googlegroups.com
Francisco Guimaraes updated an issue
After upgrading to github-oauth-plugin 0.32 I started to see this error in `/configureSecurity` when it tries to retrieve the name of a github user:
{noformat}
HTTP ERROR 403
Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName.
Reason:    Forbidden
{noformat}
 

The first user has its name retrieved successfully but all others have the error mentioned above.

 

See the attachment *users.png*.

francisco.cpg@gmail.com (JIRA)

Apr 23, 2019, 8:39:02 AM
to jenkinsc...@googlegroups.com
Francisco Guimaraes updated an issue
Change By: Francisco Guimaraes
Attachment: users.png

francisco.cpg@gmail.com (JIRA)

Apr 23, 2019, 8:39:02 AM
to jenkinsc...@googlegroups.com
Francisco Guimaraes updated an issue
After upgrading to github-oauth-plugin 0.32 I started to see this error in `/configureSecurity` when it tries to retrieve the name of a github user:
{noformat}
HTTP ERROR 403
Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName.
Reason:    Forbidden
{noformat}
 

The first user has its name retrieved successfully but all others have the error mentioned above.

 

See the attachment *users.png*.

francisco.cpg@gmail.com (JIRA)

Apr 23, 2019, 8:44:01 AM
to jenkinsc...@googlegroups.com
Francisco Guimaraes updated an issue
After upgrading to github-oauth-plugin 0.32 I started to see this error in */configureSecurity* when it tries to retrieve the name of a github user:

{noformat}
HTTP ERROR 403
Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName.
Reason:    Forbidden
{noformat}
 

The first user has its name retrieved successfully but all others have the error mentioned above.

 

See the attachment *users.png*.

francisco.cpg@gmail.com (JIRA)

Apr 23, 2019, 8:45:02 AM
to jenkinsc...@googlegroups.com
Francisco Guimaraes updated an issue
After upgrading to github-oauth-plugin 0.32 I started to see this error in */configureSecurity* when it tries to retrieve the name of a github user:

{noformat}
HTTP ERROR 403
Problem accessing /descriptorByName/hudson.security.ProjectMatrixAuthorizationStrategy/checkName.
Reason:    Forbidden
{noformat}
 

The first user has its name retrieved successfully but all others have the error mentioned above.

 

See the attachment *users.png*.


 

The workaround for now is to revert to 0.31.

ionut@balutoiu.com (JIRA)

May 2, 2019, 6:36:02 AM
to jenkinsc...@googlegroups.com
Ionut Balutoiu commented on Bug JENKINS-57154
 
Re: HTTP ERROR 403

This issue affects me as well.

Considering that version 0.31 is affected by a CSRF vulnerability (https://jenkins.io/security/advisory/2019-04-30/#SECURITY-443), do you guys have any ETA for fixing this, so we can update to 0.32 as soon as possible?

Without any workaround for this issue, it's hard to maintain a Matrix-based security authorization using 0.32, since you'll get error 403 for every user present there.

 

Thank you,

Ionut

leandro.lucarella@sociomantic.com (JIRA)

May 2, 2019, 10:56:09 AM
to jenkinsc...@googlegroups.com
Leandro Lucarella commented on Bug JENKINS-57154
 
Re: HTTP ERROR 403

Also affected, same description, first user is retrieved correctly, all the following are errors, and any attempt to save the configuration for the security page ends in a "No valid crumb was included in the request" 403 error.

 

Downgrading to version 0.31 fixed it for me too, but then I'm exposed to the CSRF vulnerability.

ameya.v.singh@gmail.com (JIRA)

May 3, 2019, 1:24:03 AM
to jenkinsc...@googlegroups.com
Ameya Vikram Singh commented on Bug JENKINS-57154
 
Re: HTTP ERROR 403

This issue affects me too.

If I force the POST request the Jenkins Server loses all of its authentication setup, and reverts to an unsecured Jenkins setup.

ionut@balutoiu.com (JIRA)

May 3, 2019, 6:29:02 AM
to jenkinsc...@googlegroups.com
Ionut Balutoiu commented on Bug JENKINS-57154
 
Re: HTTP ERROR 403

I can confirm both extra issues identified by Leandro Lucarella and Ameya Vikram Singh.

Under these circumstances, the plugin update is literally unusable and everyone is affected by the CSRF vulnerability.

Sam Gleske, I think this issue should be marked with high priority.

leandro.lucarella@sociomantic.com (JIRA)

May 3, 2019, 7:47:03 AM
to jenkinsc...@googlegroups.com
Leandro Lucarella commented on Bug JENKINS-57154
 
Re: HTTP ERROR 403

In case it helps anyone dealing with this, I re-upgraded to 0.32 after applying some changes in 0.31. If I need to do more changes I will downgrade and upgrade again. Very far from the ideal, but it works as a workaround and you end up having /only/ a small window where you are vulnerable

jon_cormier@yahoo.com (JIRA)

May 8, 2019, 1:18:02 PM
to jenkinsc...@googlegroups.com
Jon Cormier commented on Bug JENKINS-57154
 
Re: HTTP ERROR 403

I'm also seeing this problem with v0.32 of github-oauth-plugin and v2.164.2 of Jenkins

dizeee@dizeee.ru (JIRA)

May 8, 2019, 3:16:05 PM
to jenkinsc...@googlegroups.com
Aleksei Vesnin commented on Bug JENKINS-57154
 
Re: HTTP ERROR 403

We are having the same issue, but with Role Based Authorization Strategy plugin. Only the first name is retrieved, other requests return "Problem accessing /descriptor/com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy/checkName. Reason: Forbidden" and "ERROR" instead of all names. Not sure if it's relevant, but here's what we have in Jenkins log:

May 08, 2019 6:59:47 PM WARNING hudson.util.Secret toString
Use of toString() on hudson.util.Secret from java.lang.String.valueOf(String.java:2994). Prefer getPlainText() or getEncryptedValue() depending your needs. see https://jenkins.io/redirect/hudson.util.Secret/

May 08, 2019 6:59:48 PM WARNING org.apache.http.client.protocol.ResponseProcessCookies processCookies
Invalid cookie header: "Set-Cookie: has_recent_activity=1; path=/; expires=Wed, 08 May 2019 19:59:48 -0000". Invalid 'expires' attribute: Wed, 08 May 2019 19:59:48 -0000

May 08, 2019 6:59:48 PM INFO com.squareup.okhttp.internal.Platform$JdkWithJettyBootPlatform getSelectedProtocol
ALPN callback dropped: SPDY and HTTP/2 are disabled. Is alpn-boot on the boot class path?

 

 
