JNLP slave agent fails to launch when the anonymous user doesn't have a read access.

git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@11602 71c3de6d-444a-0410-be80-ed276b4c234a

JNLP slave agent fails to launch when the anonymous user doesn't have a read access.
git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@11602 71c3de6d-444a-0410-be80-ed276b4c234a
4faa52d0 · kohsuke · 576df3dc · 4faa52d0 · 4faa52d0 · 4faa52d0
4 changed file
--- a/core/src/main/java/hudson/model/Hudson.java
+++ b/core/src/main/java/hudson/model/Hudson.java
@@ -1916,6 +1916,13 @@ public final class Hudson extends View implements ItemGroup<TopLevelItem>, Node,
        rsp.sendRedirect2(req.getContextPath()+"/");
    }

+    /**
+     * Serves jar files for JNLP slave agents.
+     */
+    public Slave.JnlpJar getJnlpJars(String fileName) {
+        return new Slave.JnlpJar(fileName);
+    }
+
    /**
     * RSS feed for log entries.
     */
@@ -2468,6 +2475,7 @@ public final class Hudson extends View implements ItemGroup<TopLevelItem>, Node,
            || rest.startsWith("/logout")
            || rest.startsWith("/accessDenied")
            || rest.startsWith("/signup")
+            || rest.startsWith("/jnlpJars/")
            || rest.startsWith("/securityRealm"))
                return this;    // URLs that are always visible without READ permission
            throw e;

--- a/core/src/main/java/hudson/slaves/SlaveComputer.java
+++ b/core/src/main/java/hudson/slaves/SlaveComputer.java
@@ -285,6 +285,10 @@ public final class SlaveComputer extends Computer {

    /**
     * Serves jar files for JNLP slave agents.
+     *
+     * @deprecated
+     *      This URL binding is no longer used and moved up directly under to {@link Hudson},
+     *      but it's left here for now just in case some old JNLP slave agents request it.
     */
    public Slave.JnlpJar getJnlpJars(String fileName) {
        return new Slave.JnlpJar(fileName);

--- a/core/src/main/resources/hudson/slaves/SlaveComputer/slave-agent.jnlp.jelly
+++ b/core/src/main/resources/hudson/slaves/SlaveComputer/slave-agent.jnlp.jelly
@@ -32,13 +32,13 @@
            <j2se version="1.5+" />
          </j:otherwise>
        </j:choose>
-        <jar href="jnlpJars/jnlp-agent.jar"/>
-        <jar href="jnlpJars/remoting.jar"/>
+        <jar href="${rootURL}jnlpJars/jnlp-agent.jar"/>
+        <jar href="${rootURL}jnlpJars/remoting.jar"/>
      </resources>

      <application-desc main-class="hudson.jnlp.Main">
        <argument>${h.getServerName()}</argument>
-        <argument>${rootURL}/tcpSlaveAgentListener/</argument>
+        <argument>${rootURL}tcpSlaveAgentListener/</argument>
        <argument>${app.secretKey}</argument>
        <argument>${it.node.nodeName}</argument>
      </application-desc>

--- a/test/src/test/java/hudson/bugs/JnlpAccessWithSecuredHudsonTest.java
+++ b/test/src/test/java/hudson/bugs/JnlpAccessWithSecuredHudsonTest.java
 package hudson.bugs;

-import org.jvnet.hudson.test.HudsonTestCase;
-import org.jvnet.hudson.test.recipes.PresetData;
-import org.jvnet.hudson.test.recipes.PresetData.DataSet;
-import org.dom4j.io.DOMReader;
-import org.dom4j.Document;
-import org.dom4j.Element;
-import hudson.model.Slave;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import com.gargoylesoftware.htmlunit.xml.XmlPage;
+import com.gargoylesoftware.htmlunit.Page;
 import hudson.model.Node.Mode;
+import hudson.model.Slave;
 import hudson.slaves.JNLPLauncher;
 import hudson.slaves.RetentionStrategy;
-import hudson.slaves.RetentionStrategy.Always;
+import org.dom4j.Document;
+import org.dom4j.Element;
+import org.dom4j.io.DOMReader;
+import org.jvnet.hudson.test.HudsonTestCase;
+import org.jvnet.hudson.test.Email;
+import org.jvnet.hudson.test.recipes.PresetData;
+import org.jvnet.hudson.test.recipes.PresetData.DataSet;

+import java.net.URL;
 import java.util.Collections;
 import java.util.List;
-import java.net.URL;
-
-import com.gargoylesoftware.htmlunit.html.HtmlPage;
-import com.gargoylesoftware.htmlunit.xml.XmlPage;
-import sun.management.resources.agent;

 /**
+ * Makes sure that the jars that web start needs are readable, even when the anonymous user doesn't have any read access. 
+ *
 * @author Kohsuke Kawaguchi
 */
 public class JnlpAccessWithSecuredHudsonTest extends HudsonTestCase {
@@ -33,18 +34,26 @@ public class JnlpAccessWithSecuredHudsonTest extends HudsonTestCase {
    }

    @PresetData(DataSet.NO_ANONYMOUS_READACCESS)
+    @Email("http://www.nabble.com/Launching-slave-by-JNLP-with-Active-Directory-plugin-and-matrix-security-problem-td18980323.html")
    public void test() throws Exception {
        hudson.setSlaves(Collections.singletonList(createNewJnlpSlave("test")));
        HudsonTestCase.WebClient wc = new WebClient();
        HtmlPage p = wc.login("alice").goTo("computer/test/");

+        // this fresh WebClient doesn't have a login cookie and represent JNLP launcher
+        HudsonTestCase.WebClient jnlpAgent = new WebClient();
+
+        // parse the JNLP page into DOM to list up the jars.
        XmlPage jnlp = (XmlPage) wc.goTo("computer/test/slave-agent.jnlp","application/x-java-jnlp-file");
        URL baseUrl = jnlp.getWebResponse().getUrl();
-
        Document dom = new DOMReader().read(jnlp.getXmlDocument());
        for( Element jar : (List<Element>)dom.selectNodes("//jar") ) {
            URL url = new URL(baseUrl,jar.attributeValue("href"));
            System.out.println(url);
+            
+            // now make sure that these URLs are unprotected
+            Page jarResource = jnlpAgent.getPage(url);
+            assertTrue(jarResource.getWebResponse().getContentType().toLowerCase().startsWith("application/"));
        }
    }
 }