Please use the Apache issue tracking system for new NetBeans issues ( !!
Bug 167432 - Access fails when anonymous read access is disabled
Access fails when anonymous read access is disabled
Product: connecteddeveloper
Classification: Unclassified
Component: Hudson
All All
: P2 (vote)
: 6.x
Assigned To: Jesse Glick
: 168240 (view as bug list)
Depends on:
  Show dependency treegraph
Reported: 2009-06-22 00:12 UTC by kohsuke
Modified: 2009-07-16 16:36 UTC (History)
2 users (show)

See Also:
Issue Type: DEFECT

The crafted web.xml (4.97 KB, text/xml)
2009-06-22 21:52 UTC, lkishalmi

Note You need to log in before you can comment on or make changes to this bug.
Description kohsuke 2009-06-22 00:12:27 UTC
Reposted from

A Japanese Hudson developer (Seiji Sogabe) reports that the access to a Hudson where the anonymous user don't have the
read access results in a failure to retrieve data, even when the credential is given.

My hypothesis is that he's using "delegate to servlet container" security realm, which would require the login
credential to be sent to /j_security_check (as defined by the servlet spec) as opposed to /j_acegi_security_check (as
used by Acegi on all the other authentication realms.)

If there's something Hudson can do to simplify the process of programmatic login (like exposing the login URL
somewhere?), I'd be happy to do so.
Comment 1 Jesse Glick 2009-06-22 17:01:05 UTC
Currently the servlet container security realm is not supported by NetBeans. (Could be if there is sufficient interest.)
But based on the dialog shown, it looks to me like he is using an Acegi-based security realm. Not sure, will have to try
to reproduce.
Comment 2 kohsuke 2009-06-22 17:03:32 UTC
I'm requesting the original reporter to clarify the set up, so hopefully he'll be able to save you some effort.
Comment 3 lkishalmi 2009-06-22 21:49:39 UTC
Well, I've met this issue last week, and I can provide some information as well on how to set up an environment to test

We need a Glassfish 2.1, a hudson.war (1.311), a crafted web.xml and NetBeans 6.7

1. unzip hudson.war to into a separate folder
2. overwrite the web.xml in the WEB-INF/ folder in that separate folder
3. create and start a fresh Glassfish domain
4. Open its admin console in a browser
5. At Configuration > Security enable the "Default Principal to Role Mapping"
6. At Configuration > Security > Realm > file set "Assign Group" to "hudson", then press save
7. Press manage Users and add the following users: 
7.1 test_user/12345678 with group "admin"
7.2 dummy/dummy with no group assignment
8. Optional: Set the log level of the Web Container to WARNING at Application Server > Logging > Log Levels
9. At Applications > Web Applications deploy hudson from the separate folder
10. Launch hudson
11. At Manage Hudson > Configure System set the Enable Security
12. Select "Delegate to servlet container" with "Project-based Matrix Authorization Strategy"
13. Add group "admin" and grant all possible roles.
14. Add user "authenticated" and grant read rights. Leave the Anonymous user as it is.
15. Save the configuration
16. Log on as test_user to hudson
17. Create a Job "Test"
18. See how it works with NetBeans...
Comment 4 lkishalmi 2009-06-22 21:52:26 UTC
Created attachment 83896 [details]
The crafted web.xml
Comment 5 Jesse Glick 2009-06-22 22:53:13 UTC
Thank you Leslie for the detailed instructions! I can reproduce and will see if I can fix.
Comment 6 Jesse Glick 2009-06-23 00:35:02 UTC
*** Issue 166755 has been marked as a duplicate of this issue. ***
Comment 7 Jesse Glick 2009-06-23 00:41:58 UTC
I think fixed in cdev #02bb30063656. NB should now be able to authenticate:

- Hudson instances using container-based authentication (formerly only supported Acegi)

- instances for which the anonymous user does not even have read access

I would certainly appreciate testing of authentication in dev builds once this fix becomes available (a note will be
posted here automatically when that happens).
Comment 8 Quality Engineering 2009-06-23 19:10:42 UTC
Integrated into 'main-golden', will be available in build *200906231401* on (upload may still be in progress)
User: Jesse Glick <>
Log: #167432: authentication fixed to handle container-based auth, and no perms for anon.
Comment 9 lkishalmi 2009-06-24 09:55:08 UTC
Works nicely on the dev builds.
Thanks Jesse!
Comment 10 pgebauer 2009-07-02 11:25:08 UTC
The fix has been ported into the release67_fixes repository.
Comment 11 Jesse Glick 2009-07-07 19:32:37 UTC
*** Issue 168240 has been marked as a duplicate of this issue. ***

By use of this website, you agree to the NetBeans Policies and Terms of Use. © 2014, Oracle Corporation and/or its affiliates. Sponsored by Oracle logo