403 on Jenkins with Authentication
Brought to you by:
erikd
Menu
▾
▴
#27 403 on Jenkins with Authentication
I really love CCMenu, although for some reason I cannot connect it to my work's Jenkins. The cc.xml is behind Jenkin's authentication, although when I put in the right credentials I simply receive back a 403. The odd thing is, when I simply apply the same credentials via basic HTTP auth using curl I receive the cc.xml.
I am unsure why this is the case?
To be honest, I'm not sure either. CCMenu uses the normal OS X library to make HTTP requests. There was a bug a while ago where the library would negotiate a stronger authentication, for which the credentials failed. This has been fixed, though, by telling the library not to use anything but Basic and Digest auth. Given that Safari is likely to use the same libraries, can you try in Safari?
I might be doing this wrong.
Using the following format: https://username:password@ciserver.com/cc.xml in either Chrome or Safari will just redirect to the login page for Jenkins. Is that what you meant by trying it in Safari?
What happens when you try to connect to https://ciserver.com/cc.xml in Safari? Do you get a dialog box asking for credentials?
So what happens in both Chrome and Safari is that the browser will redirect to: https://ciserver.com/login?from=%2Fcc.xml
No dialog box asking for credentials.
@erikd, any more suggestions, or would this be an issue in the auth aspect of CCMenu?
(Apologies, missed the notification mails from SF.) Either way, it looks like the server requires authentication for the cc.xml file. Unfortunately, the server does not use HTTP authentication but seems to redirect to an HTML login page, which is more aimed at humans. Tools like CCMenu can't really deal well with HTML login pages. Can you ask the server admin to either exclude cc.xml from authentication or to put it behind HTTP authentication? Redirecting to a HTML login page will not work.
Last edit: Erik Doernenburg 2014-06-24
I'm having the same issue. The request to Jenkins is successful if basic authentication is sent with the initial request (e.g. curl -u user:password jenkinsserver.com). The "redirect" when in a request is sent in Chrome/Firefox is due to javascript that is returned in the body of the 403 response. For some reason, the Authentication header is not being sent with the initial request made by CCMenu. Maybe the library is expecting a challenge/response (with the initial request returning a 401 instead of a 403)? Is there any way to force it to send the Authentication header with the initial request?
I think it is expecting the challenge/response version of basic auth. There are some more details here: http://stackoverflow.com/questions/501231/can-i-use-nsurlcredentialstorage-for-http-basic-authentication
Can anyone please confirm whether newer versions of CCMenu fix this problem. The implementation does support HTTP Basic Auth using the standard NSURL library calls. It should all just work. If it doesn't please open a new issue over at Github: https://github.com/erikdoe/ccmenu/issues
I cannot test this anymore as we simply moved the cc.xml outside of the authentication wall. I do appreciate the work you put on it though and I hope someone else can verify that it works now.
Thanks for getting back to me. In the meantime I've set up Jenkins locally and I can reproduce the problem.
It's very annoying that Jenkins uses a 403 status with an HTML-based redirect for a resource that is intended to be consumed not by people but by tools.
Now that I can reproduce the issue, and people over on Github found out how to work with Jenkins' authentication, I'll add a special Jenkins workaround.