If the "Prevent cross site forgery request exploit" option is selected in the "Configure global" security page and a change is made and saved on the global settings page, the cross site forgery prevention option is deactivated.
This is causing issues with post-commit hooks that pass the API token as well as the crumb in the HTTP header when making RESTful calls to Jenkins.
- duplicates: JENKINS-17087 Saving Jenkins Global Config wipes out the crumb issuer settings in the Global Security Config (Resolved)
[JENKINS-16495] Saving global settings causes cross site request forgery option to be disabled
Assignee | New: Dominik Bartholdi [ imod ] |
Priority | Original: Minor [ 4 ] | New: Major [ 3 ] |
Assignee | Original: Dominik Bartholdi [ imod ] | New: Dominik Bartholdi [ domi ] |
Link | New: This issue duplicates |
The obvious fix to this is to modify the post-commit hook not to pass the crumb in the HTTP header, which is what I've done, but it would be nice to get this issue resolved.