AccessDeniedException vulnerabilities when anonymous is not granted Read access

Article ID:115000057391

Issue

  • I cannot log in to Jenkins. The Jenkins logs show an exception similar to:

Caused by: org.acegisecurity.AccessDeniedException: Please login to access job <itemName>
    at jenkins.model.Jenkins.getItem(Jenkins.java:2399)
    at jenkins.model.Jenkins.getItem(Jenkins.java:307)
    at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2505)
    at hudson.model.Run.fromExternalizableId(Run.java:2282)
    at org.jenkinsci.plugins.workflow.support.steps.ExecutorStepExecution$PlaceholderTask.runForDisplay(ExecutorStepExecution.java:307)
    at sun.reflect.GeneratedMethodAccessor959.invoke(Unknown Source)
  • Upstream builds succeed but build logs show the following exception:

Notifying upstream projects of job completion
FATAL: Please login to access job upstream
org.acegisecurity.AccessDeniedException: Please login to access job <itemName>
at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
at jenkins.model.Jenkins.getItem(Jenkins.java:324)
at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849)
at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116)
at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89)
at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146)
at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247)
at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681)
at hudson.model.Build$BuildExecution.cleanUp(Build.java:200)
at hudson.model.Run.execute(Run.java:1775)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:98)
at hudson.model.Executor.run(Executor.java:404)

Environment

  • Jenkins

  • Jenkins LTS

  • CloudBees Jenkins Enterprise (CJE)

  • CloudBees Request Filter plugin

Resolution

This happens when anonymous is granted the permissions Overall/Read and Item/Discover but not Item/Read. This is a mode that is used to force login redirects from job URLs. You can find more information about this in the article Q&A: Setting Up Role-based Access Control.

The stack trace may actually expose a bug in a particular Jenkins component that does not impersonate the SYSTEM user when accessing an item. A non-exhaustive list of issues is mentioned above. Please check these Jira issues to see whether a fix has been implemented. If you are seeing a similar stack trace with the message Please login to access job <itemName> but for a different component or scenario, please open a new Support request for review or file a new issue in Jira directly.

Otherwise, a workaround is to remove the Item/Discover permission from the anonymous user.
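
To confirm that an instance is in the permission mode described above, the following Script Console check can be run by an administrator. It is an added example, not CloudBees code. It assumes the acegi-based API seen in the stack traces (Jenkins.ANONYMOUS and ACL.hasPermission); on Spring Security based releases the equivalents are Jenkins.ANONYMOUS2 and ACL.hasPermission2.

```groovy
// Added example for Manage Jenkins > Script Console (run as an administrator).
// Lists items where anonymous holds Item/Discover but not Item/Read, which is
// the combination this article ties to "Please login to access job <itemName>".
import hudson.model.Item
import jenkins.model.Jenkins

def jenkins = Jenkins.getInstance()
// Assumption: acegi Authentication object, matching the org.acegisecurity traces.
def anon = Jenkins.ANONYMOUS

// Global permission from the article: Overall/Read for anonymous.
def overallRead = jenkins.getACL().hasPermission(anon, Jenkins.READ)
println "anonymous has Overall/Read: ${overallRead}"

// Item/Read implies Item/Discover, so both checks are needed to isolate
// the "Discover without Read" case.
def affected = jenkins.getAllItems(Item.class).findAll { item ->
    def acl = item.getACL()
    acl.hasPermission(anon, Item.DISCOVER) && !acl.hasPermission(anon, Item.READ)
}

if (affected.isEmpty()) {
    println "No item grants anonymous Item/Discover without Item/Read."
} else {
    println "Items discoverable but not readable by anonymous (${affected.size()}):"
    affected.each { println "  ${it.fullName}" }
}
```

After applying the workaround, rerunning the script should report no affected items.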

This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.