JENKINS-18114

Enabling crumb issuer prevents CLI from working


      1.480.3. Enable security, with whatever security realm (e.g. Unix authentication), and matrix authentication with one user given all permissions and anonymous none. Enable the default crumb issuer. Configure the authenticated user's SSH public keys. Now from a shell try to use the CLI:

      $ java -jar jenkins-cli.jar -s http://localhost:8080/ -i ~/.ssh/id_dsa help
      Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/cli
      	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1625)
      	at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:77)
      	at hudson.cli.CLI.connectViaHttp(CLI.java:155)
      	at hudson.cli.CLI.<init>(CLI.java:139)
      	at hudson.cli.CLIConnectionFactory.connect(CLIConnectionFactory.java:68)
      	at hudson.cli.CLI._main(CLI.java:438)
      	at hudson.cli.CLI.main(CLI.java:373)

      If you disable the crumb issuer, the same command works as expected.

      Jenkins.doCli in POST mode would go through CrumbFilter, and the CLI client makes no attempt to send a crumb.

      If there is some way a JavaScript form submission could trick a browser into initiating a complete CLI session and sending a destructive command, then the client should be amended to check for /crumbIssuer/api/xml and send a crumb; otherwise CrumbFilter should be amended to exempt /cli.

            danielbeck Daniel Beck
            jglick Jesse Glick
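
The client-side option described in the issue (check `/crumbIssuer/api/xml` and send a crumb with the POST to `/cli`), sketched as an added example that is not code from the Jenkins project or from the reporter. It assumes the crumb issuer response carries `crumb` and `crumbRequestField` elements and that the crumb is accepted as a request header named by `crumbRequestField`; the sample response and the function names are constructed for illustration.

```python
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of a /crumbIssuer/api/xml response body (values are made up).
SAMPLE_CRUMB_XML = (
    b"<defaultCrumbIssuer>"
    b"<crumb>0123456789abcdef0123456789abcdef</crumb>"
    b"<crumbRequestField>.crumb</crumbRequestField>"
    b"</defaultCrumbIssuer>"
)


def crumb_headers(xml_body):
    """Return {field_name: crumb} parsed from a crumb issuer response.

    An empty or missing body (assumed here to mean the crumb issuer is
    disabled) yields {} so the caller sends the request unchanged.
    """
    if not xml_body:
        return {}
    root = ET.fromstring(xml_body)
    field = (root.findtext("crumbRequestField") or "").strip()
    crumb = (root.findtext("crumb") or "").strip()
    if not field or not crumb:
        raise ValueError("response lacks crumb or crumbRequestField")
    # Reject values that could inject extra header lines into the request.
    if any(ch in field + crumb for ch in "\r\n") or ":" in field:
        raise ValueError("unsafe characters in crumb field or value")
    return {field: crumb}


def build_cli_post(base_url, xml_body, payload=b""):
    """Build (without sending) the POST to /cli, with the crumb if one exists."""
    url = base_url.rstrip("/") + "/cli"
    return urllib.request.Request(
        url, data=payload, headers=crumb_headers(xml_body), method="POST"
    )


if __name__ == "__main__":
    req = build_cli_post("http://localhost:8080/", SAMPLE_CRUMB_XML)
    print(req.get_method(), req.full_url, dict(req.header_items()))
```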