
Shutdown of jenkins via the /exit URL doesn't work in 2.0 b/c of 403

      1) Start jenkins from WAR, giving a JENKINS_HOME directory
      2) Install initial plugins and create an admin user (probably not needed), then restart and log in
      3) Try to exit jenkins the "right" way by visiting http://localhost:8080/exit
      4) Click the "try POST" button
      5) See attached 403 error message:

          [JENKINS-34254] Shutdown of jenkins via the /exit URL doesn't work in 2.0 b/c of 403

          Sam Van Oort created issue -
          Sam Van Oort made changes -
          Summary Original: Shutdown of jenkins via the /exit URL doesn't work in 2.0 due to crumb issue New: Shutdown of jenkins via the /exit URL doesn't work in 2.0 b/c of 403

          Daniel Beck added a comment -

          Yes. CSRF protection breaks the 'Use POST' workaround. Looks like it needs to have a GET based UI, like /restart and /safeRestart have.

          /safeExit is also affected. I never understood this inconsistency, it's time we clean it up.

          Not a 2.0 specific thing, it's just that we default the CSRF option to on in 2.0.

          Spike Washburn made changes -
          Assignee New: Keith Zantow [ kzantow ]
          Spike Washburn made changes -
          Labels Original: 2.0 2.0-rc testfest New: 2.0 2.0-planned 2.0-rc testfest
          Keith Zantow made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Keith Zantow made changes -
          Remote Link New: This issue links to "PR 2268 (Web Link)" [ 14210 ]

          Keith Zantow added a comment -

          danielbeck I don't think this is critical for 2.0, but the change in the PR is pretty isolated and could fairly easily be cherry-picked, if needed.


          Daniel Beck added a comment -

          Not a regression in 2.0, and I don't expect this is an often used feature. Therefore 2.1+ should be good enough.

          Daniel Beck made changes -
          Labels Original: 2.0 2.0-planned 2.0-rc testfest New: 2.0 2.0-rc testfest
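
An added example, not part of the issue or of Jenkins itself: the 403 described in the comments above, reproduced against a local stand-in server, next to the same POST sent with a crumb fetched from the crumb issuer. The stub server, the crumb value and the function names are constructed for illustration; `/crumbIssuer/api/json` is the Jenkins crumb issuer endpoint, and the authentication a real instance also requires is left out.

```python
import json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values; a real server issues its own crumb.
CRUMB_FIELD, CRUMB = "Jenkins-Crumb", "constructed-crumb-value"
# Ignore proxy environment variables so requests reach the local stub directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class StubJenkins(BaseHTTPRequestHandler):
    """Constructed stand-in: POST /exit gets 403 unless the crumb header is sent."""
    def _reply(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self):
        if self.path == "/crumbIssuer/api/json":
            issued = {"crumbRequestField": CRUMB_FIELD, "crumb": CRUMB}
            self._reply(200, json.dumps(issued).encode())
        else:
            self._reply(404)
    def do_POST(self):
        ok = self.path == "/exit" and self.headers.get(CRUMB_FIELD) == CRUMB
        self._reply(200 if ok else 403)
    def log_message(self, *args):
        pass  # keep the demo output quiet

def post_exit(base, with_crumb):
    """POST to /exit, optionally fetching a crumb first; return the HTTP status."""
    headers = {}
    if with_crumb:
        with OPENER.open(base + "/crumbIssuer/api/json") as resp:
            issued = json.load(resp)
        headers[issued["crumbRequestField"]] = issued["crumb"]
    req = urllib.request.Request(base + "/exit", data=b"", headers=headers, method="POST")
    try:
        with OPENER.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # the CSRF filter's rejection surfaces here

def demo():
    """Run both requests against the stub; return (status without crumb, with crumb)."""
    server = HTTPServer(("127.0.0.1", 0), StubJenkins)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d" % server.server_port
        return post_exit(base, False), post_exit(base, True)
    finally:
        server.shutdown()
        server.server_close()
```
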
