167585 – Protected jobs invisible in case anon has read access on others

This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 167585 - Protected jobs invisible in case anon has read access on others

Summary: Protected jobs invisible in case anon has read access on others

Status:	RESOLVED FIXED

Alias:	None

Product:	connecteddeveloper
Classification:	Unclassified
Component:	Hudson (show other bugs)
Version:	6.x
Hardware:	All All

Importance:	P2 blocker (vote)
Assignee:	Jesse Glick

URL:
Keywords:

Depends on:
Blocks:

Reported:	2009-06-24 11:08 UTC by lkishalmi
Modified:	2011-06-25 14:08 UTC (History)
CC List:	0 users

See Also:
Issue Type:	ENHANCEMENT
Exception Reporter:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description lkishalmi 2009-06-24 11:08:40 UTC

Currently there is no possibility to force the authentication on Add Hudson Instance dialog. 
Consider the following use case:
  Hudson is secured and would use project based security matrix. For some reason the Anonymous user needs to have read
permission. In this case NetBeans hudson plugin automatically to the hudson instance as Anonymous user and there is no
possibility to see those Jobs which require some authentication.

Comment 1 Jesse Glick 2009-06-24 20:27:48 UTC

Currently the IDE only prompts for auth when it gets back a 403 from the server for some operation. (In fact it needs to
do at least one anon access so it can get a session cookie to log in to!) If $hudson/xml/api with no auth gives a 200
but an incomplete job list, that is arguably a problem in Hudson's design. Would rather have Hudson itself indicate in
the XML API that more could be seen with a login. TBD.

Comment 2 lkishalmi 2009-06-25 13:40:40 UTC

I've filed an issue with a proposed solution to Hudson.
https://hudson.dev.java.net/issues/show_bug.cgi?id=3924

Comment 3 martin.rexa 2011-06-10 09:59:45 UTC

Could IDE let user trigger authentication if he wants to (item in hudson service popup menu)?

Comment 4 Jesse Glick 2011-06-10 18:05:38 UTC

(In reply to comment #2)
> https://hudson.dev.java.net/issues/show_bug.cgi?id=3924

Now: http://issues.hudson-ci.org/browse/HUDSON-3924

(In reply to comment #3)
> Could IDE let user trigger authentication if he wants to (item in hudson
> service popup menu)?

Should be possible, I think. Would certainly prefer for Hudson to indicate that authentication is needed to see everything.

Comment 5 Jesse Glick 2011-06-10 21:33:04 UTC

Managed to write an action which lets you log in (even if Hudson does not request authentication to view any reachable page).

An outstanding problem is that if your login fails (e.g. incorrect password), it does not notice: ServletConnectionAuthenticator does not try to screen-scrape the output of /j_acegi_security_check, nor does it double-check /user/$username/configure to see if you are really logged in. Not clear if this problem can be fixed without introducing other problems in unusual setups, or if it is even worth fixing.

Comment 6 Jesse Glick 2011-06-24 21:18:17 UTC

(In reply to comment #4)
> Now: http://issues.hudson-ci.org/browse/HUDSON-3924

Implemented in Hudson 2.1.0-SNAPSHOT; still open: https://issues.jenkins-ci.org/browse/JENKINS-3924

Comment 7 Jesse Glick 2011-06-24 21:39:24 UTC

core-main #659c3ed93087

Comment 8 Quality Engineering 2011-06-25 14:08:05 UTC

Integrated into 'main-golden'
Changeset: http://hg.netbeans.org/main-golden/rev/659c3ed93087
User: Jesse Glick <jglick@netbeans.org>
Log: #167585: action to log in.
Also displaying jobs inaccessible via current authentication (where supported).