Problems with anonymous file downloads

I have this problem:
Once Jenkins has been running for a few days, it becomes impossible to download files anonymously. It always works when logged in and it works for a bit after a server-restart. But after a few days, not sure how long exactly, if I use e.g. wget from a CLI, I get the following error:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 403 No such user: anonymous</title>
</head>
<body><h2>HTTP ERROR 403 No such user: anonymous</h2>
<table>
<tr><th>URI:</th><td>/static-files/eDD1sRH9u0OGGhlYXKYYhnXJ5P6HKlbFlsyIPhTipYUxNzM0ODE1NTgzNTM4Ojk6YW5vbnltb3VzOmpvYi9GaXJtd2FyZS9qb2IvUmFkaW9BcHAvam9iL3BpcGUtYnVpbGQvbGFzdFN1Y2Nlc3NmdWxCdWlsZC9hcnRpZmFjdA==/pkgDir/QIDMR_FC_xmlDev.1809.ttfp</td></tr>
<tr><th>STATUS:</th><td>403</td></tr>
<tr><th>MESSAGE:</th><td>No such user: anonymous</td></tr>
<tr><th>SERVLET:</th><td>Stapler</td></tr>
</table>
<hr/><a href="https://jetty.org/">Powered by Jetty:// 12.0.13</a><hr/>

</body>
</html>

Any idea on what is causing it and how to fix it?

Jenkins setup:

• Our Jenkins security is set up to use LDAP for user authentication and the “logged in users can do anything” authorization strategy.
• “Allow anonymous users read access” is checked.
• We do use a resource-root URL (jenkins-artefacts.<domain>) different from the main URL (jenkins.<domain>).

Jenkins: 2.479.2
OS: Linux - 6.8.0-49-generic
Java: 21.0.5 - Ubuntu (OpenJDK 64-Bit Server VM)

PrioritySorter:5.2.0
ace-editor:1.1
analysis-model-api:12.9.1
ansicolor:1.0.5
ant:511.v0a_a_1a_334f41b_
antisamy-markup-formatter:162.v0e6ec0fcfcf6
anything-goes-formatter:19.v3e2b_1b_3e0ee5
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
apache-httpcomponents-client-5-api:5.4-124.v31e2987e48f4
asm-api:9.7.1-97.v4cc844130d97
authentication-tokens:1.119.v50285141b_7e1
badge:2.5
bootstrap4-api:4.6.0-6
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.78.1-248.ve27176eb_46cb_
branch-api:2.1200.v4b_a_3da_2eb_db_4
build-blocker-plugin:166.vc82fc20b_a_ed6
build-failure-analyzer:2.5.3
build-monitor-plugin:1.14-947.vfec2cf655fe2
build-name-setter:2.4.3
build-pipeline-plugin:2.0.2
build-timeout:1.33
build-token-root:151.va_e52fe3215fc
build-user-vars-plugin:182.v378b_9f14b_487
build-with-parameters:76.v9382db_f78962
built-on-column:1.4
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.2.1
cloudbees-folder:6.973.vc9b_85a_61e4fc
cobertura:1.17
code-coverage-api:4.99.0
command-launcher:116.vd85919c54a_d6
commons-compress-api:1.26.1-2
commons-lang3-api:3.17.0-84.vb_b_938040b_078
commons-text-api:1.12.0-129.v99a_50df237f7
conditional-buildstep:1.4.3
config-file-provider:980.v88956a_a_5d6a_d
copy-to-agent:1.4.4
copyartifact:757.v05365583a_455
coverage:1.16.1
credentials:1393.v6017143c1763
credentials-binding:687.v619cb_15e923f
dashboard-view:2.521.v339b_a_f4d8da_8
data-tables-api:2.1.8-1
delete-log-plugin:1.0
description-setter:258.vcd25251271a_a_
display-url-api:2.209.v582ed814ff2f
docker-commons:445.v6b_646c962a_94
docker-workflow:580.vc0c340686b_54
downstream-buildview:69.v16da_b_2c36f6c
durable-task:581.v299a_5609d767
echarts-api:5.5.1-4
eddsa-api:0.3.0-4.v84c6f0f4969e
email-ext:1861.vdb_d991590994
emoji-symbols-api:13.v723a_b_8e234d1
envinject:2.919.v009a_a_1067cd0
envinject-api:1.199.v3ce31253ed13
extended-choice-parameter:382.v5697b_32134e8
external-monitor-job:215.v2e88e894db_f8
ez-templates:1.3.5
flexible-publish:0.16.1
font-awesome-api:6.6.0-2
forensics-api:2.6.0
git:5.6.0
git-client:6.1.0
git-server:126.v0d945d8d2b_39
gitlab-plugin:1.9.6
groovy-label-assignment:1.2.0
groovy-postbuild:267.va_df06de9fa_fa_
gson-api:2.11.0-85.v1f4e87273c33
handlebars:3.0.8
http_request:1.19
instance-identity:201.vd2a_b_5a_468a_a_6
ionicons-api:74.v93d5eb_813d5f
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javadoc:280.v050b_5c849f69
javax-activation-api:1.2.0-7
javax-mail-api:1.6.2-10
jaxb:2.3.9-1
jdk-tool:80.v8a_dee33ed6f0
jenkins-multijob-plugin:659.v6633374ec624
jersey2-api:2.44-151.v6df377fff741
jnr-posix-api:3.1.19-2
job-dsl:1.90
jobConfigHistory:1283.veb_dfb_00b_5ec0
joda-time-api:2.13.0-93.v9934da_29b_a_e9
jquery:1.12.4-3
jquery-detached:1.2.1
jquery3-api:3.7.1-2
jsch:0.2.16-86.v42e010d9484b_
json-api:20240303-101.v7a_8666713110
json-path-api:2.9.0-118.v7f23ed82a_8b_8
junit:1311.v39e1716e4eb_e
keep-agent-disconnected:1.0
label-linked-jobs:6.0.1
ldap:770.vb_455e934581a_
lockable-resources:1327.ved786b_a_197e0
log-parser:2.3.7
logstash:2.5.0218.v0a_ff8fefc12b_
mail-watcher-plugin:1.19
mailer:489.vd4b_25144138f
managed-scripts:1.5.6
mapdb-api:1.0.9-40.v58107308b_7a_7
mashup-portlets-plugin:1.1.2
matrix-auth:3.2.3
matrix-project:840.v812f627cb_578
matrix-reloaded:1.1.3
maven-plugin:3.24
mercurial:1260.vdfb_723cdcc81
metrics:4.2.21-458.vcf496cb_839e4
mina-sshd-api-common:2.14.0-136.v4d2b_0853615e
mina-sshd-api-core:2.14.0-136.v4d2b_0853615e
momentjs:1.1.1
monitoring:2.4.0
msbuild:1.35
naginator:1.481.vcb_b_384a_3de89
nodelabelparameter:1.13.0
pam-auth:1.11
parameterized-trigger:806.vf6fff3e28c3e
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-groovy-lib:744.v5b_556ee7c253
pipeline-input-step:495.ve9c153f6067b_
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2218.v56d0cda_37c72
pipeline-model-definition:2.2218.v56d0cda_37c72
pipeline-model-extensions:2.2218.v56d0cda_37c72
pipeline-rest-api:2.34
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2218.v56d0cda_37c72
pipeline-stage-view:2.34
pipeline-utility-steps:2.18.0
plain-credentials:183.va_de8f1dd5a_2b_
plot:2.2.0
plugin-util-api:5.1.0
popper-api:1.16.1-3
popper2-api:2.11.6-5
postbuildscript:3.4.1-695.vf6b_0b_8053979
powershell:2.2
preSCMbuildstep:71.v1f2990a_37e27
prism-api:1.29.0-18
project-description-setter:1.2
purge-build-queue-plugin:88.v23b_97b_f2c7a_d
pyenv-pipeline:2.1.2
rebuild:332.va_1ee476d8f6d
resource-disposer:0.25
robot:5.0.0
run-condition:1.7
saml:4.501.v4313a_01e3a_18
scm-api:698.v8e3b_c788f0a_6
script-security:1369.v9b_98a_4e95b_2d
shiningpanda:0.24
show-build-parameters:1.0
snakeyaml-api:2.3-123.v13484c65210a_
ssh-agent:376.v8933585c69d3
ssh-credentials:349.vb_8b_6b_9709f5b_
ssh-slaves:2.973.v0fa_8c0dea_f9f
sshd:3.330.vc866a_8389b_58
structs:338.v848422169819
subversion:1281.vc8837f91a_07a_
throttle-concurrents:2.16
timestamper:1.28
token-macro:400.v35420b_922dcb_
trilead-api:2.147.vb_73cc728a_32e
variant:60.v7290fc0eb_b_cd
versioncolumn:243.vda_c20eea_a_8a_f
versionnumber:1.11
view-job-filters:392.v2c0a_4dd46909
warnings-ng:11.12.0
windows-slaves:1.8.1
workflow-aggregator:600.vb_57cdd26fdd7
workflow-api:1336.vee415d95c521
workflow-basic-steps:1058.vcb_fc1e3a_21a_9
workflow-cps:4000.v5198556e9cea_
workflow-cps-global-lib:612.v55f2f80781ef
workflow-durable-task-step:1398.vf6c9e89e5988
workflow-job:1472.ve4d5eca_143c4
workflow-multibranch:795.ve0cb_1f45ca_9a_
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:678.v3ee58b_469476
workflow-support:936.v9fa_77211ca_e1
ws-cleanup:0.48
xshell:325.v3fda_132b_2641
REST API
Jenkins 2.479.2

Create a log recorder with FINE logging for jenkins.security.ResourceDomainRootAction for additional information in the Jenkins system log.

Thanks this resulted in the following log:

Jan 24, 2025 9:37:59 PM FINE jenkins.security.ResourceDomainRootAction
Determined DBS URL: job/Tools/job/pca_cal_deb/lastSuccessfulBuild/artifact from restOfUrl: job/Tools/job/pca_cal_deb/lastSuccessfulBuild/artifact/bld/taitcal-version.deb and restOfPath: /bld/taitcal-version.deb
Jan 24, 2025 9:37:59 PM FINE jenkins.security.ResourceDomainRootAction
Performing a request as authentication: anonymous and restOfUrl: job/Tools/job/pca_cal_deb/lastSuccessfulBuild/artifact and restOfPath: /bld/taitcal-version.deb
Jan 24, 2025 9:37:59 PM FINE jenkins.security.ResourceDomainRootAction
Failed to impersonate anonymous
org.springframework.security.core.userdetails.UsernameNotFoundException: User anonymous not found in directory.
	at PluginClassLoader for ldap//org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:107)
	at PluginClassLoader for ldap//hudson.security.LDAPSecurityRealm$LDAPUserDetailsService.loadUserByUsername(LDAPSecurityRealm.java:1298)
	at PluginClassLoader for ldap//hudson.security.LDAPSecurityRealm$DelegateLDAPUserDetailsService.loadUserByUsername(LDAPSecurityRealm.java:1239)
	at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
	at hudson.model.User.getUserDetailsForImpersonation2(User.java:431)
	at hudson.model.User.impersonate2(User.java:399)
	at jenkins.security.ResourceDomainRootAction$InternalResourceRequest.doDynamic(ResourceDomainRootAction.java:227)
	at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:733)
	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:484)
	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:497)
	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:218)
	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:140)
	at org.kohsuke.stapler.MetaClass$11.dispatch(MetaClass.java:622)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:800)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:938)
	at org.kohsuke.stapler.MetaClass$10.dispatch(MetaClass.java:590)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:800)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:938)
	at org.kohsuke.stapler.MetaClass$10.dispatch(MetaClass.java:590)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:800)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:938)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:721)
	at org.kohsuke.stapler.Stapler.service(Stapler.java:253)
	at Jenkins Main ClassLoader//jakarta.servlet.http.HttpServlet.service(HttpServlet.java:587)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.ServletHolder.handle(ServletHolder.java:765)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1668)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:204)
	at PluginClassLoader for monitoring//net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:237)
	at PluginClassLoader for monitoring//net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:213)
	at PluginClassLoader for monitoring//net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:87)
	at PluginClassLoader for monitoring//org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:120)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:201)
	at io.jenkins.servlet.FilterChainWrapper$2.doFilter(FilterChainWrapper.java:53)
	at PluginClassLoader for metrics//jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
	at io.jenkins.servlet.FilterWrapper$1.doFilter(FilterWrapper.java:42)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:201)
	at jenkins.util.HttpServletFilter$1.doFilter(HttpServletFilter.java:77)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:201)
	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:207)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1638)
	at jenkins.ErrorAttributeFilter.doFilter(ErrorAttributeFilter.java:29)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1638)
	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:160)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1638)
	at hudson.security.ChainedServletFilter2$1.doFilter(ChainedServletFilter2.java:94)
	at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
	at hudson.security.ChainedServletFilter2$1.doFilter(ChainedServletFilter2.java:99)
	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:54)
	at hudson.security.ChainedServletFilter2$1.doFilter(ChainedServletFilter2.java:99)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
	at hudson.security.ChainedServletFilter2$1.doFilter(ChainedServletFilter2.java:99)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
	at hudson.security.ChainedServletFilter2$1.doFilter(ChainedServletFilter2.java:99)
	at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:145)
	at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
	at hudson.security.ChainedServletFilter2$1.doFilter(ChainedServletFilter2.java:99)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
	at hudson.security.ChainedServletFilter2$1.doFilter(ChainedServletFilter2.java:99)
	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:98)
	at hudson.security.ChainedServletFilter2$1.doFilter(ChainedServletFilter2.java:99)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:117)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
	at hudson.security.ChainedServletFilter2$1.doFilter(ChainedServletFilter2.java:99)
	at hudson.security.ChainedServletFilter2.doFilter(ChainedServletFilter2.java:111)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:173)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1638)
	at org.kohsuke.stapler.UncaughtExceptionFilter.doFilter(UncaughtExceptionFilter.java:26)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1638)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1638)
	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:31)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1638)
	at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1638)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.ServletHandler.doHandle(ServletHandler.java:526)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.nested.ScopedHandler.handle(ScopedHandler.java:127)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.security.SecurityHandler.handle(SecurityHandler.java:574)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.nested.HandlerWrapper.handle(HandlerWrapper.java:124)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.nested.ScopedHandler.nextHandle(ScopedHandler.java:197)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.nested.SessionHandler.doHandle(SessionHandler.java:612)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.nested.ScopedHandler.nextHandle(ScopedHandler.java:195)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.nested.ContextHandler.doHandle(ContextHandler.java:1037)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.nested.ScopedHandler.nextScope(ScopedHandler.java:164)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.servlet.ServletHandler.doScope(ServletHandler.java:483)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.nested.ScopedHandler.nextScope(ScopedHandler.java:162)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.nested.SessionHandler.doScope(SessionHandler.java:589)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.nested.ScopedHandler.nextScope(ScopedHandler.java:162)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.nested.ContextHandler.doScope(ContextHandler.java:958)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.nested.ScopedHandler.handle(ScopedHandler.java:125)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.nested.ContextHandler.handle(ContextHandler.java:1696)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.nested.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1564)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.nested.HttpChannel.dispatch(HttpChannel.java:723)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.nested.HttpChannel.handle(HttpChannel.java:511)
	at Jenkins Main ClassLoader//org.eclipse.jetty.ee9.nested.ContextHandler$CoreContextHandler$CoreToNestedHandler.handle(ContextHandler.java:2873)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ContextHandler.handle(ContextHandler.java:1060)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:611)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.Server.handle(Server.java:182)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.internal.HttpChannelState$HandlerInvoker.run(HttpChannelState.java:662)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.internal.HttpConnection.onFillable(HttpConnection.java:418)
	at Jenkins Main ClassLoader//org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:322)
	at Jenkins Main ClassLoader//org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99)
	at Jenkins Main ClassLoader//org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:480)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:443)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:293)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:201)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:311)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:979)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1209)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1164)
	at java.base/java.lang.Thread.run(Thread.java:1583)

Ok, the logger resulted in an error, but I cannot post that here for some reason. If I put it in the post, the post is immediately removed (or not even added or whatever) and if I try to attach it as a file, it tells me I’m not allowed to.

Never mind. I just got an email that my posts have apparently been flagged as spam and hidden until a staff member can review them. So hopefully they’ll appear shortly.

Thanks. I filed https://issues.jenkins.io/browse/JENKINS-75201 for this.

Could you try the PR build of [JENKINS-75201] Fix anonymous check by daniel-beck · Pull Request #10221 · jenkinsci/jenkins · GitHub (once it’s built) whether this fixes the issue for you? Haven’t gotten around to debugging this, but this looks like a possible reason this fails.

Thanks for looking into this. How do I use the PR build? We are normally using the debian packages.

Also, I don’t know how to reproduce this on-demand. It only happens after some time. From your fix, can you infer what is triggering it so I can test faster?

Ok, I now found the download links on the “incrementals pusher”. So I can install a test-server and replace the war etc that comes with the std package.

However, without a way to trigger the problem on-demand, I’m not sure how to test whether it is fixed.

Hi,
We are experiencing exactly the same issue since quite a long time. We are currently running Jenkins 2.462.3 but the problem also happened with older versions. On our side, the issue sometimes shows up less than a day after the last server reboot, it’s unpredictable.

I created a logger, as suggested in this thread. Here are the log entries related to the anonymous file download error:

Jan 31, 2025 3:30:04 PM FINE jenkins.security.ResourceDomainRootAction
Determined DBS URL: userContent from restOfUrl: userContent/aFolderName/release/latest and restOfPath: /aFolderName/release/latest
Jan 31, 2025 3:30:05 PM FINE jenkins.security.ResourceDomainRootAction
Determined DBS URL: userContent from restOfUrl: userContent/aFolderName/release/latest/version_latest.txt and restOfPath: /aFolderName/release/latest/version_latest.txt
Jan 31, 2025 3:30:05 PM FINE jenkins.security.ResourceDomainRootAction
Performing a request as authentication: anonymous and restOfUrl: userContent and restOfPath: /aFolderName/release/latest/version_latest.txt
Jan 31, 2025 3:30:05 PM FINE jenkins.security.ResourceDomainRootAction
Failed to impersonate anonymous
org.springframework.security.core.userdetails.UsernameNotFoundException: Password is not set: anonymous
	at hudson.security.HudsonPrivateSecurityRealm.load(HudsonPrivateSecurityRealm.java:210)
	at hudson.security.HudsonPrivateSecurityRealm.loadUserByUsername2(HudsonPrivateSecurityRealm.java:202)
	at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
	at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
	at hudson.model.User.getUserDetailsForImpersonation2(User.java:412)
	at hudson.model.User.impersonate2(User.java:380)
	at jenkins.security.ResourceDomainRootAction$InternalResourceRequest.doDynamic(ResourceDomainRootAction.java:227)
	at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(Unknown Source)
	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:416)
	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:429)
	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:211)
	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:138)
	at org.kohsuke.stapler.MetaClass$10.dispatch(MetaClass.java:580)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
	at org.kohsuke.stapler.MetaClass$9.dispatch(MetaClass.java:548)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
	at org.kohsuke.stapler.MetaClass$9.dispatch(MetaClass.java:548)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:747)
	at org.kohsuke.stapler.Stapler.service(Stapler.java:253)
	at Jenkins Main ClassLoader//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:163)
	at PluginClassLoader for sse-gateway//org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:248)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	at PluginClassLoader for blueocean-web//io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	at PluginClassLoader for blueocean-jwt//io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:60)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	at jenkins.util.HttpServletFilter$1.doFilter(HttpServletFilter.java:76)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:166)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at jenkins.ErrorAttributeFilter.doFilter(ErrorAttributeFilter.java:29)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:160)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
	at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:54)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:145)
	at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:117)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:31)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
	at Jenkins Main ClassLoader//org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:569)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1580)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1384)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1553)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1306)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:822)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.Server.handle(Server.java:563)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287)
	at Jenkins Main ClassLoader//org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
	at Jenkins Main ClassLoader//org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
	at Jenkins Main ClassLoader//org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:199)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
	at java.base/java.lang.Thread.run(Unknown Source)

I hope this will help to confirm if the proposed fix is the solution to this issue.

Sebastian,
Were you able to test this PR build? Did it bring an improvement?

Ah, sorry, no. I haven’t had a chance to set up a test-server yet and I can’t put a dev-build on our production server. The other issue is that it only happens sporadically (unless you can tell me how to trigger it on demand) so I’m not sure how I could be sure whether it helped or not.

I’ll try to set some time aside this week to set up a test-server.

I can’t tell how to trigger this on demand. On our side, it happens quite frequently, sometimes even a couple of hours after restarting the server.

Ok, I have set up a clean Jenkins server and a client that repeatedly tries to download a file. So far I have not seen the issue yet. I will only upgrade to the test-build once I am sure this installation actually can reproduce the issue.