I'm setting up Jenkins for the first time and had a question about how
to set up security/authentication.
I already have basic HTTP authentication set up for my SVN server
through Apache, and I was wondering if I can make Hudson share that
existing authentication information. IT/admin is not really my primary
line of work, so I'm not all that familiar with this stuff; I originally
just followed the detailed instructions in the SVN redbook for setting
up HTTP authentication through Apache. Does anyone know what I would
need to do to have Hudson use the same authentication?
Thank you,
Hans
I was able to get Jenkins running behind Apache using the first
"mod_proxy" example here.
https://wiki.jenkins-ci.org/display/JENKINS/Running+Jenkins+behind+Apache
Then I loosely followed the "Apache authentication against .htpassword"
section on the page you linked:
https://wiki.jenkins-ci.org/display/JENKINS/Apache+frontend+for+security
I say loosely because I didn't use the AJP method, and mod_proxy
instructions did not say anything about setting up a Virtual Host.
It seems to work now; it asks for username/pass when accessing Jenkins.
However, I was hoping that after authenticating, Jenkins could know who
was logged in, so that when I start a build, it puts my username instead
of "anonymous". Is this possible at all when using Apache for
authentication in this manner?
Here is what I ended up adding to my apache2.conf:
ProxyPass /build http://localhost:8081/build
ProxyPassReverse /build http://localhost:8081/build
ProxyRequests Off
# Local reverse proxy authorization override
# Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
<Proxy http://localhost:8081/build*>
    Order deny,allow
    Allow from all
</Proxy>
<Location /build>
    AuthType basic
    AuthName "Jenkins"
    AuthUserFile "/etc/subversion/passwd"
    Require valid-user
</Location>
I tried uninstalling the service, and relaunching from the Windows slave
via JNLP. It prompts me for the login/pass and then throws an NPE.
Is this a bug, or something I have configured incorrectly? Also, is
there a reason the debug info is stripped out? I'm not even sure where
this exception is coming from, the slave.jar? Do I have to build my own
to enable debugging (line numbers in stacktrace)?
The error messages I see are displayed below:
Unable to launch the application.
Name: Slave Agent for WindowsBuild
Publisher: Jenkins Project
From: http://jenkinsmaster
Exception:
java.lang.NullPointerException
    at com.sun.javaws.security.SigningInfo.getCommonCodeSignersForJar(Unknown Source)
    at com.sun.javaws.security.SigningInfo.check(Unknown Source)
    at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(Unknown Source)
    at com.sun.javaws.LaunchDownload.checkSignedResources(Unknown Source)
    at com.sun.javaws.Launcher.prepareResources(Unknown Source)
    at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
    at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
    at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
    at com.sun.javaws.Launcher.launch(Unknown Source)
    at com.sun.javaws.Main.launchApp(Unknown Source)
    at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
    at com.sun.javaws.Main$1.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Launch File:
<jnlp spec="1.0+" codebase="http://username:password@jenkinsmaster/build/computer/WindowsBuild/">
  <information>
    <title>Slave Agent for WindowsBuild</title>
    <vendor>Jenkins project</vendor>
    <homepage href="https://jenkins-ci.org/"/>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.5+"/>
    <jar href="http://username:password@jenkinsmaster/build/jnlpJars/remoting.jar"/>
    <property name="hudson.showWindowsServiceInstallLink" value="true"/>
  </resources>
  <application-desc main-class="hudson.remoting.jnlp.Main">
    <argument>20651727aa2f2c2a0d60464e522a7871496c6889db24d126381ab1db10885b1b</argument>
    <argument>WindowsBuild</argument>
    <argument>-url</argument>
    <argument>http://username:password@jenkinsmaster/build/</argument>
    <argument>-url</argument>
    <argument>http://localhost:8081/build/</argument>
  </application-desc>
</jnlp>
I just set an exception for the slave server, so that it doesn't require
authentication when coming from that hostname.
This documentation helped show how to do that:
http://wiki.apache.org/httpd/BypassAuthenticationOrAuthorizationRequirements
I am still curious about what I asked in a previous email, if it's
possible to integrate the Apache authentication such that Jenkins knows
who is logged in. So that builds' "started by user ____" will be filled
in, etc. If anyone can chime in regarding that, I would appreciate it.
Thanks,
Hans
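
Added example (not part of the original thread and not Jenkins code): the launch file in the third message carries `username:password@` inside its `codebase`, `href` and `-url` values, so anyone who can read that file can read the credentials. This Python sketch lists and redacts such URLs in a JNLP file; the sample document is constructed from the one in the thread with the secret argument replaced by a placeholder, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample, trimmed from the thread's launch file; secret replaced.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="http://username:password@jenkinsmaster/build/computer/WindowsBuild/">
  <resources>
    <jar href="http://username:password@jenkinsmaster/build/jnlpJars/remoting.jar"/>
  </resources>
  <application-desc main-class="hudson.remoting.jnlp.Main">
    <argument>PLACEHOLDER_SECRET</argument>
    <argument>-url</argument>
    <argument>http://username:password@jenkinsmaster/build/</argument>
    <argument>-url</argument>
    <argument>http://localhost:8081/build/</argument>
  </application-desc>
</jnlp>"""


def redact_url(value):
    """Return (redacted_value, had_credentials) for one attribute or text value."""
    if not value or "://" not in value:
        return value, False
    parts = urlsplit(value.strip())
    if parts.username is None and parts.password is None:
        return value, False
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets, put them back
        host = f"[{host}]"
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit(parts._replace(netloc="REDACTED@" + host)), True


def scan_jnlp(xml_text):
    """List (location, redacted_url) for every URL that carries userinfo."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for name, value in elem.attrib.items():
            redacted, hit = redact_url(value)
            if hit:
                findings.append((f"{elem.tag}@{name}", redacted))
        redacted, hit = redact_url(elem.text)  # e.g. <argument> bodies
        if hit:
            findings.append((f"{elem.tag} text", redacted))
    return findings

for where, url in scan_jnlp(SAMPLE_JNLP):
    print(f"{where}: {url}")
```
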