Trigger build via REST API since 2.176.3

[James Telfer]

Hi,

I've been bitten by the security fix in Jenkins LTS 2.176.3 to the CSRF protection, specifically the tying of a crumb to the session ID it was generated in.

There is a note in the upgrade guide which suggests I can trigger builds using an API token without requiring a crumb, which is pretty much what I want to be able to do.  It appears that I should be able to do this by sending a POST of the form: http://<username>:<API Token>@<Jenkins job URL>/build

 But I always get back a 403 No valid crumb was included in the request, which while 100% accurate was not what I expected.

Any idea how I can do this?

[Mark Waite]

I used curl to request the crumb and the session ID and then passed that crumb and session ID to a later curl call which performed the work I needed to do.

Refer to https://github.com/MarkEWaite/jenkins-bugs/blob/6db4ea8ef277dbe496346d8ceaebdb12029d870c/reportScanLogResults#L56 for the "cookie jar" that remembers the session ID.

Refer to https://github.com/MarkEWaite/jenkins-bugs/blob/6db4ea8ef277dbe496346d8ceaebdb12029d870c/reportScanLogResults#L89 for a use of that "cookie jar".

I think the topic of API use (including cookie use and various alternatives to call the API) deserves a future topic for a "How-To Guide" to be added to https://jenkins.io/doc/developer/guides/ .

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/97c3ff89-83ab-42f9-bb89-72922a940383%40googlegroups.com.

--

Thanks!

Mark Waite

[James Telfer]

HI Mark,

Thanks, this pointed me in the right direction.  Turns out my underlying problem was that while the PowerShell curl alias accepts the http://<username>:<password>@url format, it appears to ignore everything before the @.  

Once I figured that out it was a simple case or replacing the password with the API token from Jenkins, and you then do not need to persist the session, or bother with the crumb issuer at all.

On Monday, 2 September 2019 11:25:53 UTC+1, Mark Waite wrote:

I used curl to request the crumb and the session ID and then passed that crumb and session ID to a later curl call which performed the work I needed to do.

Refer to https://github.com/MarkEWaite/jenkins-bugs/blob/6db4ea8ef277dbe496346d8ceaebdb12029d870c/reportScanLogResults#L56 for the "cookie jar" that remembers the session ID.

Refer to https://github.com/MarkEWaite/jenkins-bugs/blob/6db4ea8ef277dbe496346d8ceaebdb12029d870c/reportScanLogResults#L89 for a use of that "cookie jar".

I think the topic of API use (including cookie use and various alternatives to call the API) deserves a future topic for a "How-To Guide" to be added to https://jenkins.io/doc/developer/guides/ .

On Mon, Sep 2, 2019 at 4:09 AM James Telfer <jamesw...@gmail.com> wrote:

Hi,

I've been bitten by the security fix in Jenkins LTS 2.176.3 to the CSRF protection, specifically the tying of a crumb to the session ID it was generated in.

There is a note in the upgrade guide which suggests I can trigger builds using an API token without requiring a crumb, which is pretty much what I want to be able to do.  It appears that I should be able to do this by sending a POST of the form: http://<username>:<API Token>@<Jenkins job URL>/build

 But I always get back a 403 No valid crumb was included in the request, which while 100% accurate was not what I expected.

Any idea how I can do this?

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to jenkins...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/97c3ff89-83ab-42f9-bb89-72922a940383%40googlegroups.com.

--

Thanks!

Mark Waite