org.acegisecurity.BadCredentialsException: Authentication was successful but cannot locate the user information for ciusers

Jenkins JIRA | Tony Lee | 5 years ago
  1. 0

    Adding an AD group, e.g. ciusers on Authorization type "Project-based Matrix Authorization Strategy", throws BadCredentialsException.

    Issue: doCheckName_() first tries finding a user and this fails and throws the BadCredentialsException. The function doCheckName_() then tries loadGroupByGroupName() which is throwing UserMayOrMayNotExistException right away. Function doCheckName_() uses SecurityRealm.loadGroupByGroupName() instead of LDAPSecurityRealm.loadGroupByGroupName().

    Snippet of loadGroupByGroupname() from the SecurityRealm class.

    {code:java}
    public GroupDetails loadGroupByGroupname(String groupname) throws UsernameNotFoundException, DataAccessException {
        throw new UserMayOrMayNotExistException(groupname);
    }
    {code}

    Snippet of loadGroupByGroupname() from the LDAPSecurityRealm class.

    {code:java}
    public GroupDetails loadGroupByGroupname(String groupname) throws UsernameNotFoundException, DataAccessException {
        // TODO: obtain a DN instead so that we can obtain multiple attributes later
        String searchBase = groupSearchBase != null ? groupSearchBase : "";
        final Set<String> groups = (Set<String>)ldapTemplate.searchForSingleAttributeValues(searchBase, GROUP_SEARCH,
                new String[]{groupname}, "cn");

        if(groups.isEmpty())
            throw new UsernameNotFoundException(groupname);

        return new GroupDetails() {
            public String getName() {
                return groups.iterator().next();
            }
        };
    }
    {code}

    Snippet of doCheckName_():

    {code:java}
    public FormValidation doCheckName_(String value, AccessControlled subject, Permission permission) throws IOException, ServletException {
        if(!subject.hasPermission(permission))
            return FormValidation.ok(); // can't check

        final String v = value.substring(1,value.length()-1);
        SecurityRealm sr = Jenkins.getInstance().getSecurityRealm();
        String ev = Functions.escape(v);

        if(v.equals("authenticated"))
            // system reserved group
            return FormValidation.respond(Kind.OK, makeImg("user.png") +ev);

        try {
            sr.loadUserByUsername(v);
            return FormValidation.respond(Kind.OK, makeImg("person.png")+ev);
        } catch (UserMayOrMayNotExistException e) {
            // undecidable, meaning the user may exist
            return FormValidation.respond(Kind.OK, ev);
        } catch (UsernameNotFoundException e) {
            // fall through next
        } catch (DataAccessException e) {
            // fall through next
        }

        try {
            sr.loadGroupByGroupname(v);
            return FormValidation.respond(Kind.OK, makeImg("user.png") +ev);
        } catch (UserMayOrMayNotExistException e) {
            // undecidable, meaning the group may exist
            return FormValidation.respond(Kind.OK, ev);
        } catch (UsernameNotFoundException e) {
            // fall through next
        } catch (DataAccessException e) {
            // fall through next
        }

        // couldn't find it. it doesn't exist
        return FormValidation.respond(Kind.ERROR, makeImg("error.png") +ev);
    }
    {code}

    Stack trace snippet:

    {code:java}
    Failed to test the validity of the user name ciusers
    org.acegisecurity.BadCredentialsException: Authentication was successful but cannot locate the user information for ciusers
        at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:147)
        at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:105)
        at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:64)
        at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:23)
        at hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:514)
        at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName_(GlobalMatrixAuthorizationStrategy.java:303)
        at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:288)
    {code}

    Jenkins JIRA | 5 years ago | Tony Lee
    org.acegisecurity.BadCredentialsException: Authentication was successful but cannot locate the user information for ciusers
  3. 0

    Jenkins API calls fail with the following stacktrace when AD plugin is set up with an entered domain:

    {code:java}
    23-May-2016 16:53:21.882 WARNING [Handling GET /jenkins/job/admin/api/xml from 172.18.242.45 : tomcat-exec-9] hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser Credential exception trying to authenticate against santeclair.lan domain
    org.acegisecurity.BadCredentialsException: Failed to retrieve user information from the cache for brey
        at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:354)
        at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:199)
        at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:141)
        at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
        at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
        at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
        at jenkins.security.BasicHeaderRealPasswordAuthenticator.authenticate(BasicHeaderRealPasswordAuthenticator.java:55)
        at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:79)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
        at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
        at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:614)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
        at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:188)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
        at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2517)
        at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2506)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
    {code}

    It seems that if password equals NO_AUTHENTICATION, BadCredentialsException should not be thrown.

    Jenkins JIRA | 6 months ago | ben_ty
    org.acegisecurity.BadCredentialsException: Failed to retrieve user information from the cache for brey
  6. 0

    active directory plugin: login error

    Google Groups | 6 years ago | vinview
    org.acegisecurity.BadCredentialsException: Either no such user 'ccadmin' or incorrect password

    Root Cause Analysis

    1. org.acegisecurity.BadCredentialsException

      Authentication was successful but cannot locate the user information for ciusers

      at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser()
    2. hudson.plugins.active_directory
      ActiveDirectorySecurityRealm.loadUserByUsername
      1. hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:147)
      2. hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:105)
      3. hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:64)
      4. hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:23)
      5. hudson.plugins.active_directory.ActiveDirectorySecurityRealm.loadUserByUsername(ActiveDirectorySecurityRealm.java:514)
      5 frames
    3. Hudson
      GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName
      1. hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName_(GlobalMatrixAuthorizationStrategy.java:303)
      2. hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:288)
      2 frames