Robert is correct - when delegating you are entirely subject to authentication against the container. Jenkins handles no part of authentication in this situation. It only handles authorization via roles/groups which you sometimes have to tell the container to map. For example, you have a user scott defined in tomcat-users.xml. scott is a member of admin role (also defined in tomcat-users.xml). You should have no problems authenticating scott against the container trouble is telling the container that it's 'admin' role means the same 'admin' group in the jenkins app deployed in it. Until you do that scott cannot log into jenkins.
It has been a while since I dealt with tomcat. In weblogic, for example, you would pick the combination deployment descriptors and container security policy then create either per-app or global role to group mappings. I am sure there is some sort of tomcat equivalent. Tomcat may just do this auto-magically. In fact, according to [1] it looks like it may 'just work' with only what is in tomcat-users.xml. [1] https://wiki.jenkins-ci.org/display/JENKINS/Tomcat On Jun 3, 2014 3:52 AM, "Sandell, Robert" <[email protected]> wrote: > Jenkins has a servlet filter [1] that last time I checked accepts http > basic auth. But I'm not sure how/if this works when delegating to the > servlet container, you'd probably need to authenticate the way the > container dictates in that case. > > > > [1] > https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/security/HudsonFilter.java > > > > > > *Robert Sandell* > > Software Tools Engineer - SW Environment and Product Configuration > > Sony Mobile Communications > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Scott Cowan > *Sent:* den 2 juni 2014 21:54 > *To:* [email protected] > *Subject:* form-based auth script > > > > I've followed the "Java example with httpclient 4.1.2" section of > https://wiki.jenkins-ci.org/display/JENKINS/Authenticating+scripted+clients > and been able to successfully authenticate a client with a Jenkins deployed > in Winstone, but I haven't been able to do so when it's deployed in Tomcat > and access control is "Delegate to servlet container". A GET on " > http://localhost:8080/jenkins"; with user/pass in basic auth scheme > returns a "HTTP/1.1 500 Internal Server Error" with the explanation, > "anonymous is missing the Overall/Read permission". I've enabled > "Matrix-based security" and given no permissions to Anonymous. > > I noticed the auth-method in the jenkins web.xml is FORM, whether deployed > in Winstone or Tomcat. Can a client authenticate with this configuration? > Can a client negotiate a form-based authentication some how? Does anyone > have an example script to do this? > > Thanks in advance, > Scott > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Developers" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Developers" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
