[JIRA] (JENKINS-61955) No valid crumb was included in the request

[kpsheehan@gmail.com (JIRA)]

Kevin Sheehan created an issue

Jenkins / JENKINS-61955 No valid crumb was included in the request Issue Type: Bug Assignee: Unassigned Components: core Created: 2020-04-17 21:07 Environment: Jenkins 2.222.1 Tomcat 9.0.31 Windows Server 2012R2 Priority: Major Reporter: Kevin Sheehan When saving anything, the No Valid Crumb error occurs. I can run jobs and browse without issue. Cannot modify a job or make save changes anywhere under Manage Jenkins. I am not calling an API - just using the UI. I am not behind a reverse proxy. I have recently upgraded Tomcat from 9.0.30 to 9.0.31. Add Comment

This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)

[kpsheehan@gmail.com (JIRA)]

Kevin Sheehan commented on JENKINS-61955

Re: No valid crumb was included in the request Tomcat stdout log: 17-Apr-2020 17:16:12.196 INFO [https-openssl-nio-443-exec-5] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header  Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.  java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens   at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:416)   at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)   at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)   at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)   at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1639)   at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)   at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)   at java.lang.Thread.run(Thread.java:748)

Add Comment

[kpsheehan@gmail.com (JIRA)]

Kevin Sheehan updated an issue

Jenkins / JENKINS-61955

No valid crumb was included in the request

Change By: Kevin Sheehan Attachment: response headers.PNG

Add Comment

[kpsheehan@gmail.com (JIRA)]

Kevin Sheehan updated an issue

Jenkins / JENKINS-61955 No valid crumb was included in the request

Change By: Kevin Sheehan Attachment: Request Headers.PNG

Add Comment

[kpsheehan@gmail.com (JIRA)]

Kevin Sheehan updated an issue

Jenkins / JENKINS-61955 No valid crumb was included in the request Change By: Kevin Sheehan

When saving anything, the No Valid Crumb error occurs. I can run jobs and browse without issue. Cannot modify a job or make save changes anywhere under Manage Jenkins. I am not calling an API - just using the UI. I am not behind a reverse proxy. I have recently upgraded Tomcat from 9.0.30 to 9.0.31.

Tomcat configured for TLS on port 443

Add Comment

[kpsheehan@gmail.com (JIRA)]

[dbeck@cloudbees.com (JIRA)]

Daniel Beck commented on JENKINS-61955

Re: No valid crumb was included in the request Is a reverse proxy warning shown to admins on /manage, or is the "Reverse Proxy Setup" monitor disabled in Configure System » Administrative Monitors Configuration? Was CSRF protection enabled before updating to Jenkins 2.222.1? Did it work before you updated Tomcat, and was that Jenkins 2.222.1 already, or did you do both at the same time?

Add Comment

[kpsheehan@gmail.com (JIRA)]

Kevin Sheehan updated an issue

Jenkins / JENKINS-61955

No valid crumb was included in the request

Change By: Kevin Sheehan Attachment: webpageerror.png

Add Comment

[kpsheehan@gmail.com (JIRA)]

Kevin Sheehan commented on JENKINS-61955

Re: No valid crumb was included in the request Yes the Reverse Proxy warning shows up. We disabled as a False Positive. CSRF has always been on. We do not have a reverse proxy but we are behind an F5 LTM and also use the SAML plugin to enable PIV authentication to the F5 APM module - not sure if any of that is in play here. Checking on timing of upgrades... Jenkins was upgraded first on 3/26 Tomcat was upgraded on 3/28 This is our Infrastructure Dev environment (not used by developers). Our prod environment is currently running Jenkins 2.222.1 and Tomcat 9.0.30 with no issues. We can make changes and save them. Prod also has same F5 LTM and SAML/PIV setup. I am scheduled to upgrade prod to 9.0.31 this weekend but I think I need to wait until this is resolved. I am going to revert to Tomcat 9.0.30 if for no other reason than to rule it out Also getting a random webpage error pop-up uploaded above

Add Comment

[dbeck@cloudbees.com (JIRA)]

Daniel Beck commented on JENKINS-61955

Re: No valid crumb was included in the request

Yes the Reverse Proxy warning shows up. We disabled as a False Positive.

What specifically does fail? Your web browser's network console should be able to show you the request that fails and the response will explain what's wrong.

Add Comment

[kpsheehan@gmail.com (JIRA)]

Kevin Sheehan commented on JENKINS-61955

Re: No valid crumb was included in the request

Reverting Tomcat to 9.0.30 fixed the issue. Not sure about my Tomcat path forward at this point.

Add Comment

[kpsheehan@gmail.com (JIRA)]

Kevin Sheehan commented on JENKINS-61955

Re: No valid crumb was included in the request

Will put 9.0.31 back and check.

Add Comment

[kpsheehan@gmail.com (JIRA)]

Kevin Sheehan updated an issue

Jenkins / JENKINS-61955

No valid crumb was included in the request

Change By: Kevin Sheehan Attachment: 9.0.31.har

Add Comment

[kpsheehan@gmail.com (JIRA)]

Kevin Sheehan commented on JENKINS-61955

Re: No valid crumb was included in the request Uploaded har file using 9.0.31 to simply save a job configuration and getting 403. Will revert to 9.0.30 and upload  a har for the same transaction.

Add Comment

[kpsheehan@gmail.com (JIRA)]

Kevin Sheehan commented on JENKINS-61955

Re: No valid crumb was included in the request

Strict Crumb Issuer and Default Crumb Issues show the exact same behavior.

Add Comment

[kpsheehan@gmail.com (JIRA)]

Kevin Sheehan updated an issue

Jenkins / JENKINS-61955

No valid crumb was included in the request

Change By: Kevin Sheehan Environment:

Jenkins 2.222.1 Tomcat 9.0.31 Windows Server 2012R2

JDK 1.8.0_241

Add Comment

[kpsheehan@gmail.com (JIRA)]

Kevin Sheehan commented on JENKINS-61955

Re: No valid crumb was included in the request added 9.0.30 har for same transaction

Add Comment

[kpsheehan@gmail.com (JIRA)]

Kevin Sheehan updated an issue

Jenkins / JENKINS-61955

No valid crumb was included in the request

Change By: Kevin Sheehan Attachment: 9.0.30.har

Add Comment

[dbeck@cloudbees.com (JIRA)]

Daniel Beck commented on JENKINS-61955

Re: No valid crumb was included in the request Have you tried newer releases of Tomcat?

Add Comment

[dbeck@cloudbees.com (JIRA)]

Daniel Beck resolved as Not A Defect

Anyway, until this demonstrates that an issue in Jenkins caused the problem here, it looks more like a regression in Tomcat.

Jenkins / JENKINS-61955

No valid crumb was included in the request

Change By: Daniel Beck Status: Open Resolved Resolution: Not A Defect

Add Comment

[kpsheehan@gmail.com (JIRA)]

Kevin Sheehan commented on JENKINS-61955

Re: No valid crumb was included in the request Will try 9.0.34 next week.

Add Comment

[kpsheehan@gmail.com (JIRA)]

Kevin Sheehan commented on JENKINS-61955

Re: No valid crumb was included in the request

Tomcat 9.0.34 works fine. That pretty much confirms regression in Tomcat 9.0.31.

Add Comment