[JIRA] (JENKINS-57154) Regression in github-oauth-plugin 0.32 breaks /configureSecurity page


rcampbell@cloudbees.com (JIRA)
Jun 4, 2019, 2:37:03 PM
to jenkinsc...@googlegroups.com
Ryan Campbell updated an issue
 
Jenkins / Bug JENKINS-57154
Regression in github-oauth-plugin 0.32 breaks /configureSecurity page
Change By: Ryan Campbell
Summary: changed from "HTTP ERROR 403" to "Regression in github-oauth-plugin 0.32 breaks /configureSecurity page"
 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

bot.github@meterian.io (JIRA)
Jun 12, 2019, 12:02:08 PM
to jenkinsc...@googlegroups.com
Meterian Bot edited a comment on Bug JENKINS-57154
Same here. Very frustrating as v0.31 is affected by this vulnerability:
https://jenkins.io/security/advisory/2019-04-30/#SECURITY-443

But downgrading to 0.31 gives us back a configuration page that you can save

meccatol@gmail.com (JIRA)
Jun 20, 2019, 11:22:04 PM
to jenkinsc...@googlegroups.com

We've also had the same issue. We lost all authentication info with version 0.32 and had to downgrade to 0.31.

Please fix this ASAP!

jonkelley@gmail.com (JIRA)
Jun 21, 2019, 1:05:03 PM
to jenkinsc...@googlegroups.com

We upgraded to `0.32` on Jenkins 2.176.1 and are experiencing this issue.

Can't edit global settings, security settings, security permissions on jobs or even edit workspace permissions.

I clicked downgrade to `0.29` and it said success, yet it still says `0.32` is installed and we lost the option to downgrade. 

 

What is the workaround?
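The symptom above ("downgrade said success, yet it still says 0.32 is installed") is worth checking from the filesystem rather than from the UI. The following is an added example, not code from the plugin or from anyone in this thread: it reads the version Jenkins will actually load from the plugin archive's `META-INF/MANIFEST.MF`, reports the version in the `.bak` copy (assumption: Jenkins' update center keeps the previously installed archive as `<short-name>.bak`, which is what the UI downgrade button restores), and tells you whether `$JENKINS_HOME/config.xml` still contains a `<crumbIssuer>` element before anyone edits it by hand. The `plugins/` directory and `config.xml` it runs against are constructed inline.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET


def read_manifest(archive_path):
    """Parse META-INF/MANIFEST.MF from a .jpi/.hpi/.bak (all are zip files).
    JAR manifests wrap long values onto continuation lines that start with a
    single space, so those are glued back onto the previous attribute."""
    with zipfile.ZipFile(archive_path) as zf:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs = {}
    last_key = None
    for line in raw.splitlines():
        if not line:
            continue
        if line.startswith(" ") and last_key is not None:
            attrs[last_key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


def installed_plugin_state(plugins_dir, short_name):
    """Version Jenkins loads on next start (from the .jpi manifest), the version
    in the .bak copy (assumption: the update center keeps the previous archive
    as <short_name>.bak), and whether a .disabled marker file is present."""
    jpi = os.path.join(plugins_dir, short_name + ".jpi")
    if not os.path.exists(jpi):
        jpi = os.path.join(plugins_dir, short_name + ".hpi")
    bak = os.path.join(plugins_dir, short_name + ".bak")
    return {
        "version": read_manifest(jpi).get("Plugin-Version"),
        "bak_version": read_manifest(bak).get("Plugin-Version") if os.path.exists(bak) else None,
        "disabled": os.path.exists(jpi + ".disabled"),
    }


def crumb_issuer_class(config_xml):
    """Class of the <crumbIssuer> element in config.xml, or None when the element
    is absent, i.e. CSRF protection is off. Check this before editing the file."""
    root = ET.fromstring(config_xml)
    el = root.find("crumbIssuer")
    return None if el is None else el.get("class")


# Constructed sample config.xml (not from any real instance): GitHub security
# realm plus the default crumb issuer.
SAMPLE_CONFIG_XML = """<hudson>
  <version>2.176.1</version>
  <useSecurity>true</useSecurity>
  <securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm">
    <githubWebUri>https://github.com</githubWebUri>
  </securityRealm>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
</hudson>
"""


def make_sample_plugins_dir():
    """Constructed plugins/ directory after a 0.29 -> 0.32 upgrade: the live
    .jpi says 0.32, the .bak left behind says 0.29."""
    d = tempfile.mkdtemp(prefix="jenkins-plugins-")
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "Short-Name: github-oauth\r\n"
        "Long-Name: GitHub Authentication plugin\r\n"
        "Plugin-Version: {version}\r\n"
        "\r\n"
    )
    for name, version in (("github-oauth.jpi", "0.32"), ("github-oauth.bak", "0.29")):
        with zipfile.ZipFile(os.path.join(d, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest.format(version=version))
    return d


if __name__ == "__main__":
    plugins = make_sample_plugins_dir()
    print(installed_plugin_state(plugins, "github-oauth"))
    print(crumb_issuer_class(SAMPLE_CONFIG_XML))
```

Point it at a real `$JENKINS_HOME/plugins` and `config.xml` instead of the constructed ones. If the `.jpi` manifest still says 0.32 after the UI reported a successful downgrade, the archive was never replaced and a restart will not change anything; the fix is to stop Jenkins, replace the `.jpi` with the archive of the version you want, and start it again. A `None` from `crumb_issuer_class` means CSRF protection is already off.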

jonkelley@gmail.com (JIRA)
Jun 21, 2019, 2:21:09 PM
to jenkinsc...@googlegroups.com
Jon Kelley edited a comment on Bug JENKINS-57154
Jenkins ver 2.176.1

We upgraded github-oauth to `0.32` and are experiencing this issue.

I clicked downgrade to `0.29` and it said success, yet it still says `0.32` is installed and we lost the option to downgrade. The plugin said a restart wasn't required.

We can't edit global settings, security settings, security permissions on jobs or even edit workspace permissions. "No valid crumb was included in the request" errors all around.

Is there a workaround?

[EDIT] Upgrading this bug to CRITICAL if you don't mind. Restarted Jenkins after "downgrading" to github-oauth 0.29 and we are still on github-oauth `0.32`; we have no workarounds to resolve this bug. We may be able to force CSRF disabled in Jenkins v2 by setting the Java startup option `hudson.security.csrf.GlobalCrumbIssuerConfiguration=false`, but that is a really bad idea with the OAuth integration and always.

Deleting the element <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer"> in config.xml might also be an option for disabling CSRF. We can't do it via global security settings because of this bug.

jonkelley@gmail.com (JIRA)
Jun 21, 2019, 2:40:03 PM
to jenkinsc...@googlegroups.com
Jon Kelley edited a comment on Bug JENKINS-57154
Jenkins ver 2.176.1

We upgraded github-oauth to `0.32` and are experiencing this issue. (Previous: 0.29 worked)

We can't edit global settings, security settings, security permissions on jobs or even edit workspace permissions. "No valid crumb was included in the request" is our life now.

[EDIT] Upgrading this bug to CRITICAL if you don't mind. Restarted Jenkins after "downgrading" to github-oauth 0.29 and we are still on github-oauth 0.32; we have no workaround for this bug. We may be able to force CSRF disabled in Jenkins v2.176.1 by setting the Java startup option `hudson.security.csrf.GlobalCrumbIssuerConfiguration=false`, but that is a really bad idea with the OAuth integration and always. That is why prioritization is critical on this issue.

Thanks guys, CSRF implementations are never fun. :) Hope a fix is found soon.
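The "No valid crumb was included in the request" errors and the temptation to switch the crumb filter off are easier to reason about with a small model. The block below is an added example, not Jenkins' code and not written by anyone in this thread: a toy crumb issuer modelled on what DefaultCrumbIssuer does (a keyed digest over the user and the HTTP session id, under a server-side secret), a `handle_post` standing in for CrumbFilter, and three scenarios. The second scenario assumes that a re-login through the OAuth provider replaces the session id, as session-fixation protection normally does; that assumption is the model's, not something the thread establishes. All sessions and requests are constructed inline.

```python
import hashlib
import hmac
import secrets

CRUMB_FIELD = "Jenkins-Crumb"   # Jenkins' default crumbRequestField
NO_VALID_CRUMB = "No valid crumb was included in the request"


class CrumbIssuer:
    """Toy stand-in for DefaultCrumbIssuer: the crumb is an HMAC over the
    authenticated user and the HTTP session id under a secret the server never
    hands out, so a crumb only validates for the session it was issued to."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def issue(self, user, session_id):
        msg = f"{user};{session_id}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def is_valid(self, user, session_id, presented):
        expected = self.issue(user, session_id)
        return hmac.compare_digest(expected, presented or "")


def handle_post(issuer, session, headers, csrf_enabled=True):
    """What the crumb filter does for a state-changing request: 403 with the
    familiar message unless the presented crumb matches this user and session."""
    presented = headers.get(CRUMB_FIELD)
    if csrf_enabled and not issuer.is_valid(session["user"], session["id"], presented):
        return 403, NO_VALID_CRUMB
    return 200, "configuration saved"


def new_session(user):
    return {"user": user, "id": secrets.token_hex(16)}


def scenario_same_session(issuer):
    """Normal flow: the page is rendered and the form submitted in one session."""
    s = new_session("admin")
    crumb = issuer.issue(s["user"], s["id"])            # embedded in the rendered form
    return handle_post(issuer, s, {CRUMB_FIELD: crumb})


def scenario_relogin_between_load_and_submit(issuer):
    """The page is rendered in one session; a re-authentication through the OAuth
    provider then replaces the session (assumption: login issues a fresh session
    id). The form still carries the crumb minted for the old session."""
    s1 = new_session("admin")
    crumb = issuer.issue(s1["user"], s1["id"])
    s2 = new_session("admin")                           # session rotated by the re-login
    return handle_post(issuer, s2, {CRUMB_FIELD: crumb})


def scenario_csrf_disabled(issuer):
    """The workaround being weighed above. With the filter off, a request that
    carries no crumb at all, such as a POST auto-submitted from another site on
    the victim's cookies, is accepted."""
    s = new_session("admin")
    return handle_post(issuer, s, {}, csrf_enabled=False)


if __name__ == "__main__":
    issuer = CrumbIssuer()
    print(scenario_same_session(issuer))
    print(scenario_relogin_between_load_and_submit(issuer))
    print(scenario_csrf_disabled(issuer))
```

Against a real instance the crumb comes from `GET /crumbIssuer/api/json` and is sent back in the `Jenkins-Crumb` header together with the same session cookie; the model shows why a crumb obtained in one session is worthless in another, and why the third scenario is exactly the forged request the filter exists to stop.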

 

jonkelley@gmail.com (JIRA)
Jun 21, 2019, 2:50:03 PM
to jenkinsc...@googlegroups.com
Jon Kelley edited a comment on Bug JENKINS-57154
A strange update: the problems have mysteriously disappeared in my Chrome console (I was getting 403 Forbidden for field element lookups etc.) and I can edit the settings I couldn't before! My version is still `0.32`, as if it failed to downgrade, but the problem has mysteriously self-resolved on my end. ¯\_(ツ)_/¯ If restarting Jenkins helped, it should have been immediately apparent.

shamil.si@gmail.com (JIRA)
Jul 15, 2019, 3:04:04 AM
to jenkinsc...@googlegroups.com

We are using the "Role Based Authorization Strategy" plugin and are experiencing the same issue.

Is there any known workaround? Downgrading is problematic for us due to the security implications.

 

docwhat@gerf.org (JIRA)
Jul 18, 2019, 11:24:07 AM
to jenkinsc...@googlegroups.com

I have the same issue. To reproduce:

  1. Go to $JENKINS_URL/manage
  2. Go to $JENKINS_URL/configureSecurity
  3. Press "Reload" or click "Configure Global Security" and you get a traceback saying anonymous doesn't have the right permissions.

If you get the "Retry with POST" page and you look at the networking console, you'll see that it actually re-logged you in by visiting GitHub and coming back. That's why the POST got converted to a GET.

As above, I get these log entries every time:

Jul 18, 2019 11:20:33 AM hudson.util.Secret toString
WARNING: Use of toString() on hudson.util.Secret from java.lang.String.valueOf(String.java:2994). Prefer getPlainText() or getEncryptedValue() depending your needs. see https://jenkins.io/redirect/hudson.util.Secret/
Jul 18, 2019 11:20:34 AM org.apache.http.client.protocol.ResponseProcessCookies processCookies
WARNING: Invalid cookie header: "Set-Cookie: has_recent_activity=1; path=/; expires=Thu, 18 Jul 2019 16:20:34 -0000". Invalid 'expires' attribute: Thu, 18 Jul 2019 16:20:34 -0000

This is the full traceback mentioned above:

org.apache.commons.jelly.JellyTagException: jar:file:/var/lib/jenkins/war/WEB-INF/lib/jenkins-core-2.176.2.jar!/lib/layout/view.jelly:39:20: <d:invokeBody> anonymous is missing the Overall/Administer permission
	at org.apache.commons.jelly.impl.TagScript.handleException(TagScript.java:726)
	at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:281)
	at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
	at org.apache.commons.jelly.tags.core.CoreTagLibrary$2.run(CoreTagLibrary.java:105)
	at org.kohsuke.stapler.jelly.CallTagLibScript.run(CallTagLibScript.java:120)
	at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
	at org.apache.commons.jelly.tags.core.CoreTagLibrary$2.run(CoreTagLibrary.java:105)
	at org.kohsuke.stapler.jelly.CallTagLibScript.run(CallTagLibScript.java:120)
	at org.kohsuke.stapler.jelly.groovy.JellyBuilder.doInvokeMethod(JellyBuilder.java:276)
	at org.kohsuke.stapler.jelly.groovy.Namespace$ProxyImpl.invoke(Namespace.java:92)
	at com.sun.proxy.$Proxy108.layout(Unknown Source)
	at lib.LayoutTagLib$layout.call(Unknown Source)
	at hudson.security.GlobalSecurityConfiguration.index.run(index.groovy:15)
	at org.kohsuke.stapler.jelly.groovy.GroovierJellyScript.run(GroovierJellyScript.java:74)
	at org.kohsuke.stapler.jelly.groovy.GroovierJellyScript.run(GroovierJellyScript.java:62)
	at org.kohsuke.stapler.jelly.DefaultScriptInvoker.invokeScript(DefaultScriptInvoker.java:63)
	at org.kohsuke.stapler.jelly.DefaultScriptInvoker.invokeScript(DefaultScriptInvoker.java:53)
	at org.kohsuke.stapler.jelly.ScriptInvoker.execute(ScriptInvoker.java:56)
	at org.kohsuke.stapler.jelly.ScriptInvoker.execute(ScriptInvoker.java:43)
	at org.kohsuke.stapler.Facet.handleIndexRequest(Facet.java:282)
	at org.kohsuke.stapler.jelly.groovy.GroovyFacet.handleIndexRequest(GroovyFacet.java:93)
	at org.kohsuke.stapler.IndexViewDispatcher.dispatch(IndexViewDispatcher.java:32)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
	at org.kohsuke.stapler.MetaClass$9.dispatch(MetaClass.java:456)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:676)
	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:239)
	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215)
	at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
	at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:114)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
	at org.jenkinsci.plugins.modernstatus.ModernStatusFilter.doFilter(ModernStatusFilter.java:52)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
	at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
	at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:64)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1701)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1668)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
	at org.eclipse.jetty.server.Server.handle(Server.java:502)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
	at java.lang.Thread.run(Thread.java:748)
Caused by: hudson.security.AccessDeniedException2: anonymous is missing the Overall/Administer permission
	at hudson.security.ACL.checkPermission(ACL.java:73)
	at hudson.security.AccessControlled.checkPermission(AccessControlled.java:47)
	at hudson.Functions.checkPermission(Functions.java:771)
	at hudson.Functions.checkPermission(Functions.java:791)
	at sun.reflect.GeneratedMethodAccessor1836.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.commons.jexl.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:258)
	at org.apache.commons.jexl.parser.ASTMethod.execute(ASTMethod.java:104)
	at org.apache.commons.jexl.parser.ASTReference.execute(ASTReference.java:83)
	at org.apache.commons.jexl.parser.ASTReference.value(ASTReference.java:57)
	at org.apache.commons.jexl.parser.ASTReferenceExpression.value(ASTReferenceExpression.java:51)
	at org.apache.commons.jexl.ExpressionImpl.evaluate(ExpressionImpl.java:80)
	at hudson.ExpressionFactory2$JexlExpression.evaluate(ExpressionFactory2.java:74)
	at org.apache.commons.jelly.parser.EscapingExpression.evaluate(EscapingExpression.java:24)
	at org.apache.commons.jelly.impl.ExpressionScript.run(ExpressionScript.java:66)
	at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
	at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
	at org.kohsuke.stapler.jelly.ReallyStaticTagLibrary$1.run(ReallyStaticTagLibrary.java:99)
	at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
	at org.kohsuke.stapler.jelly.ReallyStaticTagLibrary$1.run(ReallyStaticTagLibrary.java:99)
	at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
	at org.kohsuke.stapler.jelly.CallTagLibScript$1.run(CallTagLibScript.java:99)
	at org.apache.commons.jelly.tags.define.InvokeBodyTag.doTag(InvokeBodyTag.java:91)
	at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:269)
	... 100 more
Caused: java.lang.RuntimeException
	at org.kohsuke.stapler.jelly.groovy.JellyBuilder.doInvokeMethod(JellyBuilder.java:280)
	at org.kohsuke.stapler.jelly.groovy.Namespace$ProxyImpl.invoke(Namespace.java:92)
	at com.sun.proxy.$Proxy108.layout(Unknown Source)
	at lib.LayoutTagLib$layout.call(Unknown Source)
	at hudson.security.GlobalSecurityConfiguration.index.run(index.groovy:15)
	at org.kohsuke.stapler.jelly.groovy.GroovierJellyScript.run(GroovierJellyScript.java:74)
	at org.kohsuke.stapler.jelly.groovy.GroovierJellyScript.run(GroovierJellyScript.java:62)
	at org.kohsuke.stapler.jelly.DefaultScriptInvoker.invokeScript(DefaultScriptInvoker.java:63)
	at org.kohsuke.stapler.jelly.DefaultScriptInvoker.invokeScript(DefaultScriptInvoker.java:53)
	at org.kohsuke.stapler.jelly.ScriptInvoker.execute(ScriptInvoker.java:56)
	at org.kohsuke.stapler.jelly.ScriptInvoker.execute(ScriptInvoker.java:43)
	at org.kohsuke.stapler.Facet.handleIndexRequest(Facet.java:282)
Caused: javax.servlet.ServletException
	at org.kohsuke.stapler.Facet.handleIndexRequest(Facet.java:285)
	at org.kohsuke.stapler.jelly.groovy.GroovyFacet.handleIndexRequest(GroovyFacet.java:93)
	at org.kohsuke.stapler.IndexViewDispatcher.dispatch(IndexViewDispatcher.java:32)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
	at org.kohsuke.stapler.MetaClass$9.dispatch(MetaClass.java:456)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:676)
	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:239)
	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215)
	at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
	at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:114)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
	at org.jenkinsci.plugins.modernstatus.ModernStatusFilter.doFilter(ModernStatusFilter.java:52)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
	at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
	at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:64)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1701)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1668)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
	at org.eclipse.jetty.server.Server.handle(Server.java:502)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
	at java.lang.Thread.run(Thread.java:748)

docwhat@gerf.org (JIRA)

unread,
Jul 18, 2019, 11:52:03 AM7/18/19
to jenkinsc...@googlegroups.com

Doing some googling...

The has_recent_activity=1 cookie seems to be coming from GitHub. I suspect that the cookie parser being used by Jenkins is broken.

sam.mxracer@gmail.com (JIRA)

unread,
Aug 3, 2019, 8:39:02 PM8/3/19
to jenkinsc...@googlegroups.com

I've tried a couple of ways to reproduce this locally and I'm not able to reproduce it locally.  I configured plugin 0.31 and upgraded to 0.32 with no problems.  I'll try another fresh install and use 0.29 since I see others reporting they're upgrading from that version.

sam.mxracer@gmail.com (JIRA)

unread,
Aug 3, 2019, 8:59:03 PM8/3/19
to jenkinsc...@googlegroups.com

Okay I was able to replicate the issue.  Replication steps:

  1. Have two GitHub users.  githubadmin and githubuser for example, where githubadmin is a Jenkins admin and githubuser is a non-admin user in Jenkins.
  2. Have both users log in and authorize with GitHub OAuth.
  3. Configure project-based matrix authorization and add Overall:Read to githubuser and Overall:Administer to githubadmin.
  4. IMPORTANT: On githubuser log into GitHub settings and de-authorize the OAuth app.  This means Jenkins will have a token for the user but it won't be valid because the user de-authorized the app.
  5. Using githubadmin I visited the configureSecurity page in Jenkins and got the following stack trace.
githubuser (name changed intentionally to be generic)

java.lang.NullPointerException
	at org.jenkinsci.plugins.GithubAuthenticationToken.<init>(GithubAuthenticationToken.java:205)
	at org.jenkinsci.plugins.GithubSecurityRealm.loadUserByUsername(GithubSecurityRealm.java:700)
	at org.jenkinsci.plugins.matrixauth.AuthorizationContainerDescriptor.doCheckName_(AuthorizationContainerDescriptor.java:140)
	at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:222)
	at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
	at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:535)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
	at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:280)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:676)
	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
	at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:105)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1700)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1667)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
	at org.eclipse.jetty.server.Server.handle(Server.java:505)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:698)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:804)
	at java.lang.Thread.run(Thread.java:748)

sam.mxracer@gmail.com (JIRA)

unread,
Aug 3, 2019, 9:01:06 PM8/3/19
to jenkinsc...@googlegroups.com
Sam Gleske edited a comment on Bug JENKINS-57154

The root cause lies within impersonate.  When users are validated it doesn't use the admin token.  Instead, it attempts to use the token for each individual user in the project-based matrix authorization form.

I'll need to investigate the fix but have identified the root cause.
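A small model of the failure mode described above, added here as an illustration rather than code from the github-oauth-plugin or from this thread: the matrix-authorization form validates each listed user name, the buggy shape impersonates every listed user with that user's own cached OAuth token, and a token revoked on GitHub kills the whole page for the admin who opened it. The hardened shape resolves names with the requesting admin's own token and turns an unresolvable name into a form warning; it shows the principle, not the actual 0.33 change. The fake GitHub client, the user names and the token values are all constructed for this example.

```python
from dataclasses import dataclass


class RevokedToken(Exception):
    """Raised by the fake GitHub API when a token is no longer authorized."""


@dataclass
class FakeGitHub:
    """Constructed stand-in for the GitHub API (not the real client)."""
    logins: set          # accounts that exist on GitHub
    valid_tokens: dict   # token -> login, only for tokens still authorized

    def whoami(self, token):
        """Like GET /user: fails once the user has de-authorized the app."""
        if token not in self.valid_tokens:
            raise RevokedToken("token no longer authorized")
        return self.valid_tokens[token]

    def user_exists(self, caller_token, login):
        """Like GET /users/{login}, performed with the *caller's* token."""
        self.whoami(caller_token)   # only the caller's own token is needed
        return login in self.logins


@dataclass
class JenkinsTokenStore:
    """Tokens Jenkins cached when each user last logged in via OAuth."""
    tokens: dict   # login -> token


def check_names_buggy(form_names, store, github):
    """Per-user impersonation: every listed user's own cached token is used.

    One revoked (or missing) token raises and the admin's page render dies,
    mirroring the exception in loadUserByUsername seen in the thread."""
    results = {}
    for name in form_names:
        token = store.tokens.get(name)          # None if never logged in
        results[name] = github.whoami(token)    # raises for githubuser
    return results


def check_names_fixed(form_names, store, github, admin_login):
    """Resolve every name with the requesting admin's token instead.

    Only the admin's own authorization matters; a name GitHub does not
    know becomes a per-field warning and the page still renders."""
    admin_token = store.tokens[admin_login]
    results = {}
    for name in form_names:
        if github.user_exists(admin_token, name):   # raises only if the admin revoked
            results[name] = "ok"
        else:
            results[name] = "warning: unknown GitHub user"
    return results


def page_renders(check, *args):
    """True if the security page survives the name validation, else False."""
    try:
        check(*args)
        return True
    except RevokedToken:
        return False


def build_scenario():
    """The reproduction from the thread, as constructed sample data:
    githubadmin is still authorized, githubuser revoked the OAuth app
    after Jenkins cached a token for them."""
    github = FakeGitHub(
        logins={"githubadmin", "githubuser"},
        valid_tokens={"tok-admin": "githubadmin"},   # "tok-user" was revoked
    )
    store = JenkinsTokenStore(
        tokens={"githubadmin": "tok-admin", "githubuser": "tok-user"})
    return github, store
```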

sam.mxracer@gmail.com (JIRA)

unread,
Aug 3, 2019, 9:17:03 PM8/3/19
to jenkinsc...@googlegroups.com

This seems to have been caused by https://github.com/jenkinsci/github-oauth-plugin/pull/109

However, PR 109 is pretty important for how impersonation works. Need to figure out a happy medium.

sam.mxracer@gmail.com (JIRA)

unread,
Aug 5, 2019, 10:51:06 PM8/5/19
to jenkinsc...@googlegroups.com
Sam Gleske started work on Bug JENKINS-57154
 
Change By: Sam Gleske
Status: Open → In Progress

sam.mxracer@gmail.com (JIRA)

unread,
Aug 6, 2019, 12:04:12 AM8/6/19
to jenkinsc...@googlegroups.com

https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/github-oauth/0.33/github-oauth-0.33.hpi has been released and I verified the fix by upgrading locally to the new version. It should be available in the update center in roughly 8 hours or so.

sam.mxracer@gmail.com (JIRA)

unread,
Aug 6, 2019, 12:04:15 AM8/6/19
to jenkinsc...@googlegroups.com
Sam Gleske resolved as Fixed
 
Jenkins / Bug JENKINS-57154
Change By: Sam Gleske
Status: In Progress → Resolved
Resolution: Fixed
Released As: 0.33

jon_cormier@yahoo.com (JIRA)

unread,
Aug 6, 2019, 1:29:05 PM8/6/19
to jenkinsc...@googlegroups.com
Jon Cormier commented on Bug JENKINS-57154
 
Re: Regression in github-oauth-plugin 0.32 breaks /configureSecurity page

I installed 0.33 and the problem no longer appears for me. Thanks, Sam Gleske.

sam.mxracer@gmail.com (JIRA)

unread,
Aug 10, 2019, 10:20:02 AM8/10/19
to jenkinsc...@googlegroups.com

Jon Cormier, Steve Ims: no problem; thanks for reporting back your own testing results, since it helps me validate that the solution was a fix.
