Thank you Robert and Ben for your tips.

This is the closest I've been able to come to reproducing the form-based 
authentication captured with wireshark.

# one cookie jar (-c/-b) on every step, so JSESSIONID survives the whole exchange
curl -v -c cookies.txt http://localhost:8080/jenkins/
   200 OK
curl -v -c cookies.txt -b cookies.txt \
  "http://localhost:8080/jenkins/loginEntry?from=%2Fjenkins%2F"
    200 OK
# curl terminates the header line itself, so no literal \r\n belongs in the Referer value
curl -v -c cookies.txt -b cookies.txt \
  -H "Referer: http://localhost:8080/jenkins/loginEntry?from=%2Fjenkins%2F" \
  -d "j_username=admin&j_password=admin" \
  http://localhost:8080/jenkins/j_security_check
    302 Found
curl -v -c cookies.txt -b cookies.txt -X POST \
  "http://localhost:8080/jenkins/job/test/build?delay=0sec"
    403 Forbidden  (authenticated as anonymous)

So, I'm unsure if my POST to j_security_check didn't work, or if the roles 
in my tomcat-users.xml aren't being mapped auto-magically.  I've read 
through some tomcat docs (http://tomcat.apache.org/tomcat-7.0-doc/), but 
I'm really not sure what I'm looking for.

Scott

tomcat-users.xml
...
<role rolename="admin"/>
<user username="admin" password="admin" roles="manager-gui,admin"/>
...

In Jenkins' Configure Global Security > Access Control > Authorization > 
Matrix-based security, the admin user has every authorization checked.


On Wednesday, June 4, 2014 8:54:36 PM UTC-4, Ben Castellucci wrote:
>
> Robert is correct - when delegating you are entirely subject to 
> authentication against the container. Jenkins handles no part of 
> authentication in this situation. It only handles authorization via 
> roles/groups which you sometimes have to tell the container to map. For 
> example, you have a user scott defined in tomcat-users.xml. scott is a 
> member of admin role (also defined in tomcat-users.xml). You should have no 
> problems authenticating scott against the container; the trouble is telling the 
> container that its 'admin' role means the same 'admin' group in the 
> jenkins app deployed in it. Until you do that scott cannot log into jenkins.
>
> It has been a while since I dealt with tomcat. In weblogic, for example, 
> you would pick the combination of deployment descriptors and container 
> security policy then create either per-app or global role to group 
> mappings. I am sure there is some sort of tomcat equivalent. Tomcat may 
> just do this auto-magically. In fact, according to [1] it looks like it may 
> 'just work' with only what is in tomcat-users.xml.
>
> [1] https://wiki.jenkins-ci.org/display/JENKINS/Tomcat
>  On Jun 3, 2014 3:52 AM, "Sandell, Robert" <[email protected]> wrote:
>
>> Jenkins has a servlet filter [1] that last time I checked accepts http 
>> basic auth. But I’m not sure how/if this works when delegating to the 
>> servlet container, you’d probably need to authenticate the way the 
>> container dictates in that case.
>>
>> [1] 
>> https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/security/HudsonFilter.java
>>
>> *Robert Sandell*
>>
>> Software Tools Engineer - SW Environment and Product Configuration
>>
>> Sony Mobile Communications
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Scott Cowan
>> *Sent:* 2 June 2014 21:54
>> *To:* [email protected]
>> *Subject:* form-based auth script
>>
>> I've followed the "Java example with httpclient 4.1.2" section of 
>> https://wiki.jenkins-ci.org/display/JENKINS/Authenticating+scripted+clients 
>> and been able to successfully authenticate a client with a Jenkins deployed 
>> in Winstone, but I haven't been able to do so when it's deployed in Tomcat 
>> and access control is "Delegate to servlet container".  A GET on 
>> "http://localhost:8080/jenkins" with user/pass in basic auth scheme 
>> returns a "HTTP/1.1 500 Internal Server Error" with the explanation, 
>> "anonymous is missing the Overall/Read permission".  I've enabled 
>> "Matrix-based security" and given no permissions to Anonymous.
>>
>> I noticed the auth-method in the jenkins web.xml is FORM, whether 
>> deployed in Winstone or Tomcat.  Can a client authenticate with this 
>> configuration?  Can a client negotiate a form-based authentication some 
>> how?  Does anyone have an example script to do this?
>>
>> Thanks in advance,
>> Scott
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Jenkins Developers" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>

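Added example (not code from this thread, and not Tomcat's or Jenkins' own code): the curl sequence from the top of the thread rewritten as a Python script that keeps one cookie jar across the whole exchange, looks at the Location header of the j_security_check reply instead of blindly following it, and only then calls the protected build URL. So that it runs offline it also carries a constructed, in-process mock of the container. The mock models the points a scripted client has to respect with FORM login: the POST to j_security_check is only accepted from a session that already requested a protected page, the session id is renewed on a successful login (so the client must keep the cookie the 302 sets), and a failed login comes back as a 200 error page rather than a 302. The admin/admin user, the job name "test" and the 403 message are taken from the thread; the 201 the mock returns for a triggered build is an assumption.

```python
"""Scripted form login (j_security_check) kept in one session, plus an in-process mock of
the container so it runs offline.  Added example, not code from the thread; the mock is a
constructed stand-in for Tomcat FORM auth + Jenkins, and the 201 for a build is assumed."""
import http.cookiejar
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface 302s instead of following them; the Location header is the login evidence.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def _open(opener, url, data=None, headers=None):
    """One request; urllib raises HTTPError for non-2xx, so map that to (status, headers)."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with opener.open(req) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:
        return err.code, err.headers

def login_and_trigger(base, user, password, job="test", prime=True):
    """Replay the curl sequence in one cookie jar: GET the container-protected loginEntry
    (the container saves that request and issues JSESSIONID), POST the form, follow the 302
    to the saved request, then POST the protected build URL.  prime=False skips the GET."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar), NoRedirect())
    entry = base + "/jenkins/loginEntry?from=%2Fjenkins%2F"
    if prime:
        _open(opener, entry)
    form = urllib.parse.urlencode({"j_username": user, "j_password": password}).encode()
    code, hdrs = _open(opener, base + "/jenkins/j_security_check", form, {"Referer": entry})
    if code == 302 and hdrs.get("Location"):
        _open(opener, urllib.parse.urljoin(base, hdrs["Location"]))
    build, _ = _open(opener, base + f"/jenkins/job/{job}/build?delay=0sec", data=b"")
    return {"login": code, "build": build}

class MockContainer(BaseHTTPRequestHandler):
    """Constructed model of Tomcat FORM auth in front of Jenkins (not their code)."""
    users = {"admin": ("admin", {"admin"})}   # stands in for tomcat-users.xml: password, roles
    sessions = {}                              # JSESSIONID -> {"saved": url, "user": name}

    def _sid(self):
        cookies = dict(p.strip().partition("=")[::2] for p in self.headers.get("Cookie", "").split(";"))
        sid = cookies.get("JSESSIONID")
        return sid if sid in self.sessions else None

    def _new_session(self, user=None):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"saved": None, "user": user}
        return sid

    def _reply(self, code, body=b"", sid=None, location=None):
        self.send_response(code)
        if sid:
            self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/jenkins; HttpOnly")
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        path = urllib.parse.urlparse(self.path).path
        sid = self._sid() or self._new_session()
        if path == "/jenkins/loginEntry":             # the container-protected path
            if self.sessions[sid]["user"]:
                return self._reply(302, sid=sid, location="/jenkins/")
            self.sessions[sid]["saved"] = self.path   # saved request, replayed after login
            return self._reply(200, b"<form action='j_security_check'>", sid=sid)
        return self._reply(200, b"jenkins", sid=sid)

    def do_POST(self):
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        path = urllib.parse.urlparse(self.path).path
        sid = self._sid()
        if path == "/jenkins/j_security_check":
            if not sid or not self.sessions[sid]["saved"]:   # no protected page requested first
                return self._reply(400, b"invalid direct reference to form login page")
            user, pw = form.get("j_username", [""])[0], form.get("j_password", [""])[0]
            if user not in self.users or not secrets.compare_digest(self.users[user][0].encode(), pw.encode()):
                return self._reply(200, b"login failed")    # Tomcat forwards to the error page
            saved = self.sessions.pop(sid)["saved"]          # session id is renewed on login
            return self._reply(302, sid=self._new_session(user), location=saved)
        if path.startswith("/jenkins/job/"):
            user = sid and self.sessions[sid]["user"]
            if user and "admin" in self.users[user][1]:
                return self._reply(201, b"queued")
            return self._reply(403, b"anonymous is missing the Overall/Read permission")
        return self._reply(404)

    def log_message(self, *_):   # keep the mock quiet
        pass

def start_mock():
    """Serve the mock on an ephemeral port from a daemon thread; return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), MockContainer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"
```

Against the mock, login_and_trigger(start_mock(), "admin", "admin") gives {'login': 302, 'build': 201}; a wrong password gives a 200 error page and the build stays 403; and a bare POST to j_security_check without first touching loginEntry gets a 400, which is the case to check for when a script drops or recreates its cookie jar between steps. Against a real Tomcat, point base at the server and leave the mock unused.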