Authenticating scripted clients

To make scripted clients (such as wget) invoke operations that require authorization (such as scheduling a build), use HTTP BASIC authentication to specify the user name and the password. This is often more convenient than emulating the form-based authentication.

Note that Hudson (at least when installed on a Debian server with apt-get) does not do any authorization negotiation. Ie. it immediately returns a 403 (Forbidden) response instead of a 401 (Unauthorized) response, so make sure to send the authentication information from the first request.

 In a groovy script, this could look something like this (using commons-httpclient):

import org.apache.commons.httpclient.*

import org.apache.commons.httpclient.auth.*
import org.apache.commons.httpclient.methods.*

@Grab(group='commons-httpclient', module='commons-httpclient', version='3.1')
void createNewHudsonProject() {

  def server = "server"
  def hudsonHost = "https://${server}/hudson/"
  def projectName = "TEST"
  def configurationFile = "config.xml"

  def username = "username"
  def password = "password"

  def client = new HttpClient()
  client.state.setCredentials(
    new AuthScope( server, 443, "realm"),
    new UsernamePasswordCredentials( username, password )
  )

  // Hudson does not do any authentication negotiation,
  // ie. it does not return a 401 (Unauthorized)
  // but immediately a 403 (Forbidden)
  client.params.authenticationPreemptive = true

  def post = new PostMethod( "${hudsonHost}/createItem?name=${projectName}" )
  post.doAuthentication = true

  File input = new File(configurationFile);
  RequestEntity entity = new FileRequestEntity(input, "text/xml; charset=UTF-8");
  post.setRequestEntity(entity);
  try {
    int result = client.executeMethod(post)
    println "Return code: ${result}"
    post.responseHeaders.each{ println it.toString().trim() }
    println post.getResponseBodyAsString()
  } finally {
    post.releaseConnection()
  }
}
createNewHudsonProject()
wget note

Note: If you are using wget 1.11, you might need to use the following options:

 wget --auth-no-challenge --http-user=user --http-password=password http://hudson.yourcompany.com/job/your_job/build?token=TOKEN

With wget 1.10.x the following is enough (but will not work with 1.11.x) :

 wget http://user:password@hudson.yourcompany.com/job/your_job/build?token=TOKEN

See this RedHat bug report for more detailled explanations: https://bugzilla.redhat.com/show_bug.cgi?id=446949 (this also affect other distributions)



Help wanted!
We are interested in knowing how many people use Active Directory for the security realm. If there's sufficient interest, we'd like Hudson to participate in the Windows integration authentication for true single sign-on authentication.


I like it. I am using the Active Directory for the security. So I want to use remote access API by this.

Here is entry #2 - we are also using Active Directory for security.

#3 another one using AD for auth

#4 for AD. We're using it for security. It would be nice to use multiple methods at the same time, e.g. standard htaccess through Apache to not need to create a software account in the AD, in case this is prohibited by policy.

#5 vote for AD security. This seems to be the preffered standard in the windows world.

#6 consistent access to the AD security model across Hudson would be great.

#7 using AD here, thanks for this plugin!

BTW - wget 1.0 and 1.1 don't appear to have a --auth-no-challenge option when one queries the command help.

Labels:

Enter labels to add to this page:
Wait Image 
Looking for a label? Just start typing.