org.acegisecurity.BadCredentialsException: Authentication was successful but cannot locate the user information for ciusers

Jenkins JIRA | Tony Lee | 5 years ago

    Adding an AD group, e.g. ciusers, on Authorization type "Project-based Matrix Authorization Strategy" throws BadCredentialsException.

    Issue: doCheckName_() first tries finding a user and this fails and throws the BadCredentialsException. The function doCheckName_() then tries loadGroupByGroupName() which is throwing UserMayOrMayNotExistException right away. Function doCheckName_() uses SecurityRealm.loadGroupByGroupName() instead of LDAPSecurityRealm.loadGroupByGroupName().

    Snippet of loadGroupByGroupname() from the SecurityRealm class:

    ```java
    public GroupDetails loadGroupByGroupname(String groupname) throws UsernameNotFoundException, DataAccessException {
        throw new UserMayOrMayNotExistException(groupname);
    }
    ```

    Snippet of loadGroupByGroupname() from the LDAPSecurityRealm class:

    ```java
    public GroupDetails loadGroupByGroupname(String groupname) throws UsernameNotFoundException, DataAccessException {
        // TODO: obtain a DN instead so that we can obtain multiple attributes later
        String searchBase = groupSearchBase != null ? groupSearchBase : "";
        final Set<String> groups = (Set<String>)ldapTemplate.searchForSingleAttributeValues(searchBase, GROUP_SEARCH,
                new String[]{groupname}, "cn");

        if(groups.isEmpty())
            throw new UsernameNotFoundException(groupname);

        return new GroupDetails() {
            public String getName() {
                return groups.iterator().next();
            }
        };
    }
    ```

    Snippet of doCheckName_():

    ```java
    public FormValidation doCheckName_(String value, AccessControlled subject, Permission permission) throws IOException, ServletException {
        if(!subject.hasPermission(permission))
            return FormValidation.ok(); // can't check

        final String v = value.substring(1,value.length()-1);
        SecurityRealm sr = Jenkins.getInstance().getSecurityRealm();
        String ev = Functions.escape(v);

        if(v.equals("authenticated"))
            // system reserved group
            return FormValidation.respond(Kind.OK, makeImg("user.png") +ev);

        try {
            sr.loadUserByUsername(v);
            return FormValidation.respond(Kind.OK, makeImg("person.png")+ev);
        } catch (UserMayOrMayNotExistException e) {
            // undecidable, meaning the user may exist
            return FormValidation.respond(Kind.OK, ev);
        } catch (UsernameNotFoundException e) {
            // fall through next
        } catch (DataAccessException e) {
            // fall through next
        }

        try {
            sr.loadGroupByGroupname(v);
            return FormValidation.respond(Kind.OK, makeImg("user.png") +ev);
        } catch (UserMayOrMayNotExistException e) {
            // undecidable, meaning the group may exist
            return FormValidation.respond(Kind.OK, ev);
        } catch (UsernameNotFoundException e) {
            // fall through next
        } catch (DataAccessException e) {
            // fall through next
        }

        // couldn't find it. it doesn't exist
        return FormValidation.respond(Kind.ERROR, makeImg("error.png") +ev);
    }
    ```

    Stack trace snippet:

    ```
    Failed to test the validity of the user name ciusers
    org.acegisecurity.BadCredentialsException: Authentication was successful but cannot locate the user information for ciusers
        at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:147)
        at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:105)
        at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:64)
        at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:23)
        at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:514)
        at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName_(GlobalMatrixAuthorizationStrategy.java:303)
        at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:288)
    ```

    Root Cause Analysis

    1. org.acegisecurity.BadCredentialsException

      Authentication was successful but cannot locate the user information for ciusers

      at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser()
    2. hudson.plugins.active_directory
      ActiveDirectorySecurityRealm.loadUserByUsername
      1. hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:147)
      2. hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:105)
      3. hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:64)
      4. hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:23)
      5. hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:514)
      5 frames
    3. Hudson
      GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName
      1. hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName_(GlobalMatrixAuthorizationStrategy.java:303)
      2. hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:288)
      2 frames
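
The control flow behind the stack trace above, as an added example that is not part of the original report or of Jenkins: the catch clauses in the doCheckName_() snippet do not name BadCredentialsException, so it leaves the method before the group lookup runs. The exception classes and the `Realm` interface are local stand-ins with a simplified hierarchy, the names "alice" and "nosuch" are constructed, and `checkTolerant` is a hypothetical variant, not the project's fix.

```java
public class CheckNameFlow {
    // Local stand-ins (assumption): simplified hierarchy, not the Acegi classes.
    static class AuthenticationException extends RuntimeException {
        AuthenticationException(String m) { super(m); }
    }
    static class BadCredentialsException extends AuthenticationException {
        BadCredentialsException(String m) { super(m); }
    }
    static class UsernameNotFoundException extends AuthenticationException {
        UsernameNotFoundException(String m) { super(m); }
    }
    interface Realm {
        void loadUserByUsername(String name);
        void loadGroupByGroupname(String name);
    }
    // Realm whose user lookup reports a missing user with BadCredentialsException,
    // as in the stack trace; "ciusers" exists only as a group here.
    static final Realm AD_LIKE = new Realm() {
        public void loadUserByUsername(String n) {
            if (!n.equals("alice"))
                throw new BadCredentialsException("cannot locate the user information for " + n);
        }
        public void loadGroupByGroupname(String n) {
            if (!n.equals("ciusers")) throw new UsernameNotFoundException(n);
        }
    };
    // Same catch structure as the doCheckName_() snippet (DataAccessException omitted).
    static String checkAsOnPage(Realm sr, String v) {
        try { sr.loadUserByUsername(v); return "OK user"; }
        catch (UsernameNotFoundException e) { /* fall through to group lookup */ }
        try { sr.loadGroupByGroupname(v); return "OK group"; }
        catch (UsernameNotFoundException e) { /* fall through */ }
        return "ERROR";
    }
    // Hypothetical variant: any authentication failure on the user lookup
    // falls through to the group lookup instead of escaping.
    static String checkTolerant(Realm sr, String v) {
        try { sr.loadUserByUsername(v); return "OK user"; }
        catch (AuthenticationException e) { /* fall through to group lookup */ }
        try { sr.loadGroupByGroupname(v); return "OK group"; }
        catch (AuthenticationException e) { /* fall through */ }
        return "ERROR";
    }
    public static void main(String[] args) {
        try { System.out.println(checkAsOnPage(AD_LIKE, "ciusers")); }
        catch (BadCredentialsException e) { System.out.println("escaped: " + e.getMessage()); }
        System.out.println(checkTolerant(AD_LIKE, "ciusers"));
        System.out.println(checkTolerant(AD_LIKE, "nosuch"));
    }
}
```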