  1. Jenkins
  2. JENKINS-16918

@RequirePOST and similar should send a 405




      When a GET request is sent to a resource which (generally for security reasons) requires POST, an appropriate response code should be sent, so that clients such as python-jenkins may properly report the error.

      • Most such web methods use @RequirePOST, for which currently a 500 is sent because org.kohsuke.stapler.interceptor.RequirePOST$Processor simply throws IllegalAccessException.
      • Build-like requests use BuildAuthorizationToken which forwards to requirePOST.jelly with a 200, which is no good. (If a token is supplied but is incorrect, it more reasonably sends a 403, via AccessDeniedException.)

      Both cases should probably send a 405 ("Method Not Allowed") with Allow: POST, though a 403 would not be inappropriate for the latter case since under some circumstances GET is still allowed for compatibility.
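The requested behavior and what it gives a client, as an added example that is not code from Jenkins, Stapler or python-jenkins: a constructed POST-only endpoint answers GET with 405 and `Allow: POST`, and a client helper turns that into a message a caller can act on. The handler class, `describe`, `run_demo` and the URL path are illustrative assumptions.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class PostOnlyHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a state-changing endpoint that requires POST."""

    def do_POST(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        # 405 plus Allow tells the client what went wrong and how to retry,
        # unlike a 500 (looks like a server fault) or a 200 page (looks like success).
        self.send_response(405)
        self.send_header("Allow", "POST")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def describe(url, method):
    """Client side: map the HTTP response to (status, message)."""
    body = b"" if method == "POST" else None
    req = urllib.request.Request(url, data=body, method=method)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, "ok"
    except urllib.error.HTTPError as err:
        if err.code == 405:
            return err.code, "method not allowed; use " + err.headers.get("Allow", "?")
        if err.code == 403:
            return err.code, "access denied"
        return err.code, "unexpected HTTP error"


def run_demo():
    server = HTTPServer(("127.0.0.1", 0), PostOnlyHandler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/job/example/build" % server.server_port  # constructed path
    try:
        return describe(url, "GET"), describe(url, "POST")
    finally:
        server.shutdown()
        server.server_close()
```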




            jglick Jesse Glick created issue -
            jglick Jesse Glick made changes -
            Field Original Value New Value
            Link This issue is blocking SECURITY-13 [ SECURITY-13 ]
            jglick Jesse Glick made changes -
            Link This issue is blocking SECURITY-16 [ SECURITY-16 ]
            jglick Jesse Glick made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            scm_issue_link SCM/JIRA link daemon made changes -
            Resolution Fixed [ 1 ]
            Status In Progress [ 3 ] Resolved [ 5 ]
            zfil Philippe Jandot made changes -
            Link This issue is related to JENKINS-19281 [ JENKINS-19281 ]
            jglick Jesse Glick made changes -
            Labels 1.509.4-fixed
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 147748 ] JNJira + In-Review [ 192565 ]


              jglick Jesse Glick