1.480.3. Enable security, with whatever security realm (e.g. Unix authentication), and matrix authentication with one user given all permissions and anonymous none. Enable the default crumb issuer. Configure the authenticated user's SSH public keys. Now from a shell try to use the CLI:

      $ java -jar jenkins-cli.jar -s http://localhost:8080/ -i ~/.ssh/id_dsa help
      Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/cli
      	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1625)
      	at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:77)
      	at hudson.cli.CLI.connectViaHttp(CLI.java:155)
      	at hudson.cli.CLI.<init>(CLI.java:139)
      	at hudson.cli.CLIConnectionFactory.connect(CLIConnectionFactory.java:68)
      	at hudson.cli.CLI._main(CLI.java:438)
      	at hudson.cli.CLI.main(CLI.java:373)
      

If you disable the crumb issuer, the same command works as expected.

Jenkins.doCli in POST mode would go through CrumbFilter, and the CLI client makes no attempt to send a crumb.

If there is some way a JavaScript form submission could trick a browser into initiating a complete CLI session and sending a destructive command, then the client should be amended to check for /crumbIssuer/api/xml and send a crumb; otherwise CrumbFilter should be amended to exempt /cli.
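
The two fixes proposed above, modelled as an added example (not Jenkins code and not part of the original report): a client that takes the crumb from the issuer's reply, and a filter that exempts /cli. The function names, the Example-Crumb field and the sample XML are assumptions; the exemption check also normalises the path, which goes beyond what the report discusses.

```python
import hmac
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample of a crumb issuer reply; the element names are assumed
# from the usual shape of /crumbIssuer/api/xml, the values are made up.
SAMPLE_CRUMB_XML = (
    "<defaultCrumbIssuer><crumb>0123abcd</crumb>"
    "<crumbRequestField>Example-Crumb</crumbRequestField></defaultCrumbIssuer>"
)

def crumb_header_from_xml(xml_text):
    """Option 1 (client side): turn the issuer's reply into a request header."""
    root = ET.fromstring(xml_text)
    return {root.findtext("crumbRequestField"): root.findtext("crumb")}

def is_exempt(path, exempt_paths):
    """Option 2 (server side): exempt a path or its sub-paths, never a string prefix."""
    norm = posixpath.normpath("/" + path.lstrip("/"))  # collapses "..", "//", trailing "/"
    return any(norm == p or norm.startswith(p + "/") for p in exempt_paths)

def crumb_filter(method, path, headers, field, expected, exempt_paths=()):
    """Status a crumb filter would return: 200 (pass the request on) or 403."""
    if method != "POST" or is_exempt(path, exempt_paths):
        return 200
    supplied = headers.get(field, "")
    ok = hmac.compare_digest(supplied.encode(), expected.encode())
    return 200 if ok else 403

if __name__ == "__main__":
    field, crumb = "Example-Crumb", "0123abcd"
    # The reported failure: the CLI client POSTs to /cli without a crumb.
    print(crumb_filter("POST", "/cli", {}, field, crumb))
    # Option 1: the client fetched the crumb first and sends it.
    print(crumb_filter("POST", "/cli", crumb_header_from_xml(SAMPLE_CRUMB_XML), field, crumb))
    # Option 2: /cli is exempt, other POST targets are still checked.
    print(crumb_filter("POST", "/cli", {}, field, crumb, ("/cli",)))
    print(crumb_filter("POST", "/client/doDelete", {}, field, crumb, ("/cli",)))
```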

          [JENKINS-18114] Enabling crumb issuer prevents CLI from working

          Jesse Glick created issue -

          Jesse Glick added a comment -

          Also the log shows:

          … hudson.security.csrf.CrumbFilter doFilter
          WARNING: No valid crumb was included in request for /cli.  Returning 403.
          


          Daniel Beck added a comment -

          Maybe exclude UnprotectedRootActions from CSRF protection?


          Jesse Glick added a comment -

          Yeah. I hope this issue is not still reproducible!


          Daniel Beck added a comment -

          I can repro on 1.585 (only tested through reverse proxy) if I disable the JNLP slave port. (If that being enabled is a requirement to use the CLI, as TcpSlaveAgentListener Javadoc indicates, the documentation on the UI is pretty misleading.)

          $ java -jar jenkins-cli.jar -i ~/.ssh/id_rsa -s http://jenkins help
          Exception in thread "main" java.io.IOException: No X-Jenkins-CLI2-Port among [null, X-Required-Permission, X-Jenkins, X-You-Are-In-Group, X-Hudson, Content-Length, Expires, X-You-Are-Authenticated-As, Set-Cookie, X-Permission-Implied-By, Connection, Server, Date, X-Jenkins-Session, Content-Type]
          	at hudson.cli.CLI.getCliTcpPort(CLI.java:283)
          	at hudson.cli.CLI.<init>(CLI.java:126)
          	at hudson.cli.CLIConnectionFactory.connect(CLIConnectionFactory.java:72)
          	at hudson.cli.CLI._main(CLI.java:466)
          	at hudson.cli.CLI.main(CLI.java:382)
          	Suppressed: java.io.IOException: Server returned HTTP response code: 403 for URL: http://jenkins/cli
          		at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1626)
          		at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:78)
          		at hudson.cli.CLI.connectViaHttp(CLI.java:156)
          		at hudson.cli.CLI.<init>(CLI.java:130)
          		... 3 more

          Jesse Glick made changes -
          Link New: This issue is related to JENKINS-22474 [ JENKINS-22474 ]
          Daniel Beck made changes -
          Assignee New: Daniel Beck [ danielbeck ]
          Daniel Beck made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Daniel Beck made changes -
          Remote Link New: This issue links to "PR 2315 (Web Link)" [ 14273 ]
          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 149411 ] New: JNJira + In-Review [ 185460 ]

            danielbeck Daniel Beck
            jglick Jesse Glick