JENKINS-64933

Configure Systems - Apply and Save not working with tomcat


Details

    • Bug
    • Status: Open
    • Blocker
    • Resolution: Unresolved
    • core
    • Jenkins version is 2.263.1-LTS
      Java Version - openjdk version "1.8.0_275"
      OS - CentOS -8.2
      Apache-tomcat-9.0.30
      Reverse proxy running in-front of Jenkins.

    Description

       Under Manage Jenkins --> Configure Systems section, if I click the Apply or Save button, it shows the error below in the browser (Firefox, Chrome). I cannot Apply or Save any configuration due to the errors below.

      HTTP Status 403 – Forbidden

      Type Status Report

      Message No valid crumb was included in the request

      Description The server understood the request but refuses to authorize it. Apache Tomcat/9.0.30

       Do I need to add any additional configuration on my Tomcat side? Please let me know.

       


        Activity

          smohan08 Mohan added a comment -

          Same problem even in Jenkins 2.263.4, apache-tomcat-9.0.43 and openjdk version "1.8.0_282" as well.

          smohan08 Mohan added a comment - - edited

          Solutions tried:

          1) Under Configure Global Security --> CSRF Protection --> Enable proxy compatibility (ticked, enabled). Didn't work, so disabled with the command below.
          2) hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = true - Even after this it didn't work.
          3) Installed the Strict Crumb Issuer plugin. Enabled this plugin and unchecked "Check the session ID" in its configuration (under Jenkins Configure Global Security).
          4) Restarted Jenkins.
          

          01-Mar-2021 08:12:10.604 WARNING [Handling POST /jenkins/configSubmit from 45.46.58.59 : http-nio-8080-exec-2] hudson.security.csrf.CrumbFilter.doFilter No valid crumb was included in request for /jenkins/configSubmit by sumit.mital. Returning 403.
          

          Still the same problem persists.

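Added example (not part of the issue or of the Jenkins project's code): a Python parser that pulls CrumbFilter 403 warnings of the form quoted in the comment above out of a Tomcat log and groups them by path and user, showing which form submissions are being rejected and from which clients. The sample lines, IP addresses and user names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the CrumbFilter warning format quoted in the comment above.
CRUMB_403 = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) WARNING "
    r"\[Handling (?P<method>[A-Z]+) \S+ from (?P<client>\S+) : [^\]]+\] "
    r"hudson\.security\.csrf\.CrumbFilter\.doFilter "
    r"No valid crumb was included in request for (?P<path>\S+) "
    r"by (?P<user>\S+)\. Returning 403\.$"
)

# Constructed sample lines (documentation IPs, made-up users), not from the issue.
SAMPLE_LOG = """\
01-Mar-2021 08:12:10.604 WARNING [Handling POST /jenkins/configSubmit from 192.0.2.10 : http-nio-8080-exec-2] hudson.security.csrf.CrumbFilter.doFilter No valid crumb was included in request for /jenkins/configSubmit by alice. Returning 403.
01-Mar-2021 08:12:11.020 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [5123] milliseconds
01-Mar-2021 08:13:42.117 WARNING [Handling POST /jenkins/configSubmit from 192.0.2.10 : http-nio-8080-exec-5] hudson.security.csrf.CrumbFilter.doFilter No valid crumb was included in request for /jenkins/configSubmit by alice. Returning 403.
01-Mar-2021 08:15:03.900 WARNING [Handling POST /jenkins/configureSecurity/configure from 192.0.2.23 : http-nio-8080-exec-7] hudson.security.csrf.CrumbFilter.doFilter No valid crumb was included in request for /jenkins/configureSecurity/configure by bob.smith. Returning 403.
"""

def parse_crumb_rejections(lines):
    """Return one dict per CrumbFilter 403 warning; all other lines are skipped."""
    events = []
    for line in lines:
        m = CRUMB_403.match(line.strip())
        if m:
            event = m.groupdict()
            event["ts"] = datetime.strptime(event["ts"], "%d-%b-%Y %H:%M:%S.%f")
            events.append(event)
    return events

def summarize(events):
    """Group rejections by (path, user): count, client addresses, first and last seen."""
    groups = defaultdict(lambda: {"count": 0, "clients": set(), "first": None, "last": None})
    for e in events:
        g = groups[(e["path"], e["user"])]
        g["count"] += 1
        g["clients"].add(e["client"])
        g["first"] = e["ts"] if g["first"] is None else min(g["first"], e["ts"])
        g["last"] = e["ts"] if g["last"] is None else max(g["last"], e["ts"])
    return dict(groups)

if __name__ == "__main__":
    for (path, user), g in summarize(parse_crumb_rejections(SAMPLE_LOG.splitlines())).items():
        print(f"{g['count']:3d}  {path}  user={user}  clients={sorted(g['clients'])}  "
              f"{g['first']:%H:%M:%S} to {g['last']:%H:%M:%S}")
```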
          smohan08 Mohan added a comment - - edited

          Jenkins > Manage Jenkins > Configure Global Security > CSRF Protection - Default Crumb Issuer: tried with Enable Proxy Compatibility both ticked and un-ticked. But no success; still getting the same error.

          smohan08 Mohan added a comment - - edited

          Jenkins > Manage Jenkins > Configure Global Security - Apply works. But Save results in the same error.

          smohan08 Mohan added a comment - - edited

          Even tried adding the below to the /apache-tomcat-9.0.43/conf/tomcat-users.xml file; however, still the same issue.

           

          <?xml version='1.0' encoding='utf-8'?>
          <tomcat-users>
              <role rolename="manager-gui"/>
              <role rolename="manager-script"/>
              <role rolename="manager-jmx"/>
              <role rolename="manager-status"/>
              <role rolename="admin-gui"/>
              <role rolename="admin-script"/>
              <user username="user" password="password" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script"/>
          </tomcat-users>
          

           

           

          smohan08 Mohan added a comment -

          Any help would be much appreciated

          markewaite Mark Waite added a comment -

          My best suggestion is to not try to run Jenkins under tomcat. Run it as a separate application so that you don't need to wrestle with Tomcat configuration.

          If you need a reverse proxy between the user and Jenkins, consider nginx, Apache, HAProxy, or Squid as described in reverse proxy configuration.

          smohan08 Mohan added a comment - - edited

          We had been running our Jenkins under Tomcat for the last 10 years; until we upgraded our Jenkins from 2.235.5 (LTS) to 2.263.1-LTS we had no issue.

          Sure, we will consider moving out of Tomcat.

          The Nginx reverse proxy side seems to have no issues, because I have tested without the Nginx reverse proxy and even then I face the same problem.

          It looks like CSRF is causing the issue with Tomcat. Still digging. Hopefully it will be sorted out.

           

          smohan08 Mohan added a comment - - edited

          Tested with Jenkins 2.235.5-LTS and with the same version of apache-tomcat-9.0.43; here there is no issue.

          degasuresh Suresh Dega added a comment -

          Hi Mohan,

          Is this issue resolved? Please let me know what the fix for this is. I'm facing the same issue. It would be very helpful if you could provide the solution.

          dee_user Deepa TP added a comment -

          Hi Mohan,

           

          Is this issue resolved? If yes, please provide the solution. I am facing the same issue too. It is taking a lot of time to fix and I do not understand the root cause of this. This has been a blocker in the production environment.

          smohan08 Mohan added a comment -

          Hi Suresh & Deepa, I have solved my problem by moving my Jenkins outside of Apache.


          People

            Unassigned Unassigned
            smohan08 Mohan