HTTP/1.1 403 Forbidden when authentication is disabled
Version report
Jenkins and plugins versions report:
Jenkins: 2.313
OS: Linux - 3.13.0-147-generic
---
JiraTestResultReporter:2.0.9
ace-editor:1.1
active-directory:2.25
all-changes:1.5
ansible:1.1
antisamy-markup-formatter:2.4
apache-httpcomponents-client-4-api:4.5.13-1.0
authentication-tokens:1.4
basic-branch-build-strategies:1.3.2
blueocean:1.25.1
blueocean-autofavorite:1.2.4
blueocean-bitbucket-pipeline:1.25.1
blueocean-commons:1.25.1
blueocean-config:1.25.1
blueocean-core-js:1.25.1
blueocean-dashboard:1.25.1
blueocean-display-url:2.4.1
blueocean-events:1.25.1
blueocean-git-pipeline:1.25.1
blueocean-github-pipeline:1.25.1
blueocean-i18n:1.25.1
blueocean-jwt:1.25.1
blueocean-personalization:1.25.1
blueocean-pipeline-api-impl:1.25.1
blueocean-pipeline-editor:1.25.1
blueocean-pipeline-scm-api:1.25.1
blueocean-rest:1.25.1
blueocean-rest-impl:1.25.1
blueocean-web:1.25.1
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.1-1
bouncycastle-api:2.25
branch-api:2.7.0
build-monitor-plugin:1.13+build.202110011223
build-pipeline-plugin:1.5.8
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
chucknorris:1.4
ci-skip:0.0.2
claim:2.18.2
cloud-stats:0.27
cloudbees-bitbucket-branch-source:2.9.11
cloudbees-disk-usage-simple:0.10
cloudbees-folder:6.16
cobertura:1.16
code-coverage-api:2.0.2
command-launcher:1.6
conditional-buildstep:1.4.1
config-file-provider:3.8.1
copyartifact:1.46.2
credentials:2.6.2
credentials-binding:1.27
cucumber-reports:5.6.0
dashboard-view:2.18
data-tables-api:1.11.3-1
dependency-check-jenkins-plugin:5.1.1
display-url-api:2.3.5
docker-commons:1.17
docker-workflow:1.26
dtkit-api:3.0.0
durable-task:1.39
echarts-api:5.2.1-2
embeddable-build-status:2.0.3
envinject:2.4.0
envinject-api:1.7
extended-read-permission:3.2
extensible-choice-parameter:1.8.0
external-monitor-job:1.7
favorite:2.3.3
font-awesome-api:5.15.4-1
forensics-api:1.5.0
gatling:1.3.0
git:4.9.0
git-client:3.10.0
git-server:1.10
github:1.34.1
github-api:1.133
github-branch-source:2.11.3
greenballs:1.15.1
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-1.0
htmlpublisher:1.27
icon-shim:3.0.0
jackson2-api:2.13.0-230.v59243c64b0a5
jacoco:3.3.0
javadoc:1.6
jdk-tool:1.5
jenkins-design-language:1.25.1
jenkins-jira-plugin:1.5.3
jira:3.6
jjwt-api:0.11.2-9.c8b45b8bb173
jquery:1.12.4-1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
keycloak:2.3.0
ldap:2.7
lockable-resources:2.12
m2release:0.16.2
mailer:1.34
mapdb-api:1.0.9.0
mask-passwords:3.0
matrix-auth:2.6.8
matrix-project:1.19
maven-info:0.3.0
maven-metadata-plugin:2.0.0
maven-plugin:3.15
metrics:4.0.2.8
momentjs:1.1.1
monitoring:1.88.0
okhttp-api:3.14.9
pam-auth:1.6
parameterized-trigger:2.41
permissive-script-security:0.7
pipeline-build-step:2.15
pipeline-graph-analysis:1.11
pipeline-input-step:2.12
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.2
pipeline-model-definition:1.9.2
pipeline-model-extensions:1.9.2
pipeline-multibranch-defaults:2.1
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.2
pipeline-stage-view:2.19
pipeline-utility-steps:2.10.0
plain-credentials:1.7
plugin-usage-plugin:2.0
plugin-util-api:2.5.0
popper-api:1.16.1-2
popper2-api:2.10.2-1
postbuild-task:1.9
prometheus:2.0.10
publish-over:0.22
publish-over-ssh:1.22
pubsub-light:1.16
repository-connector:2.2.0
resource-disposer:0.16
ruby-runtime:0.12
run-condition:1.5
scm-api:2.6.5
script-security:1.78
slack:2.48
snakeyaml-api:1.29.1
sonar:2.13.1
sse-gateway:1.24
ssh-agent:1.23
ssh-credentials:1.19
ssh-slaves:1.33.0
sshd:3.1.0
stashNotifier:1.20
structs:1.23
token-macro:266.v44a80cf277fd
trilead-api:1.0.13
variant:1.4
windows-slaves:1.8
workflow-aggregator:2.6
workflow-api:2.47
workflow-basic-steps:2.24
workflow-cps:2.94
workflow-cps-global-lib:2.21
workflow-durable-task-step:2.40
workflow-job:2.42
workflow-multibranch:2.26
workflow-scm-step:2.13
workflow-step-api:2.24
workflow-support:3.8
ws-cleanup:0.39
xunit:3.0.4
yet-another-docker-plugin:0.2.0
- What Operating System are you using (both controller, and any agents involved in the problem)?
ubuntu
Reproduction steps
- Install Prometheus plugin
- Leave “Authentication” checkbox unchecked
- Scrape from Prometheus
Results
Expected result:
Expected 200 status code
Actual result:
Got 403 status code (URL works with token and when logging in).
curl -voL https://jenkins.acme.org/prometheus/
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 172.28.0.9...
* TCP_NODELAY set
* Connected to jenkins.acme.org (172.28.0.9) port 443 (#0)
> GET /prometheus/ HTTP/1.1
> Host: jenkins.acme.org
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Date: Tue, 26 Oct 2021 20:09:28 GMT
< Server: Jetty(9.4.43.v20210629)
< X-Content-Type-Options: nosniff
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Content-Type: text/html;charset=utf-8
< X-Hudson: 1.395
< X-Jenkins: 2.313
< Content-Length: 567
<
{ [567 bytes data]
100 567 100 567 0 0 5968 0 --:--:-- --:--:-- --:--:-- 5968
* Connection #0 to host jenkins.acme.org left intact
* Closing connection 0
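A way to triage a transcript like the one above, as an added example that is not part of the original issue or the plugin's code: it reads the `<` lines of `curl -v` output and separates a denial issued by Jenkins itself (the `X-Jenkins` header is present) from one issued by something in front of it. The result labels, and the expectation that a successful scrape is served as `text/plain`, are assumptions of this sketch.

```python
import re

# Response lines trimmed from the curl -v output in the report above.
TRANSCRIPT = """\
* Connected to jenkins.acme.org (172.28.0.9) port 443 (#0)
> GET /prometheus/ HTTP/1.1
> Host: jenkins.acme.org
>
< HTTP/1.1 403 Forbidden
< Server: Jetty(9.4.43.v20210629)
< Content-Type: text/html;charset=utf-8
< X-Jenkins: 2.313
< Content-Length: 567
<
"""

def parse_response(transcript):
    """Return (status, headers) for the last response in a curl -v transcript.

    With -L curl prints one response per redirect hop, so each new status
    line resets the header map and the final hop wins.
    """
    status, headers = None, {}
    for line in transcript.splitlines():
        if not line.startswith("<"):
            continue  # request lines (">"), curl notes ("*"), progress meter
        text = line[1:].strip()
        m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", text)
        if m:
            status, headers = int(m.group(1)), {}
        elif ":" in text:
            name, value = text.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def diagnose(transcript):
    """Classify a scrape attempt (labels are hypothetical, for illustration)."""
    status, headers = parse_response(transcript)
    if status is None:
        return "no-response"
    if status == 200:
        # An HTML body on 200 is usually a login page, not metrics.
        ok = headers.get("content-type", "").startswith("text/plain")
        return "ok" if ok else "unexpected-body"
    if status in (401, 403):
        # Heuristic: Jenkins stamps X-Jenkins on its own responses.
        return "denied-by-jenkins" if "x-jenkins" in headers else "denied-upstream"
    return "http-%d" % status

if __name__ == "__main__":
    print(diagnose(TRANSCRIPT))
```

For the transcript in this report the result is `denied-by-jenkins`, which places the refusal in Jenkins' own permission checks rather than in a reverse proxy or load balancer.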
Issue Analytics
- State:
- Created 2 years ago
- Reactions:2
- Comments:8
Top GitHub Comments
Can you check if for some reason you have an error in your Jenkins logs like this:
If it is the case, this could be related to an upgrade of plugin-usage-plugin that introduces a new permission role that breaks some stuff. We solve this temporarily by granting the Plugin Usage View/PluginView permission to the needed users.
cc: @Starefossen @olafrauch @mBouamama
Stale issue message