
Configure Systems - Apply and Save not working with tomcat

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Blocker
    • Component: core
    • Jenkins version is 2.263.1-LTS
      Java Version - openjdk version "1.8.0_275"
      OS - CentOS -8.2
      Apache-tomcat-9.0.30
      Reverse proxy running in-front of Jenkins.

       Under Manage Jenkins --> Configure Systems section, if I click the Apply or Save button it shows the below error in the browser (Firefox, Chrome). I cannot Apply or Save any configuration due to the below errors.

      HTTP Status 403 – Forbidden

      Type Status Report

      Message No valid crumb was included in the request

      Description The server understood the request but refuses to authorize it. Apache Tomcat/9.0.30

       Do I need to add any additional configuration on my Tomcat side? Please let me know.

       


          [JENKINS-64933] Configure Systems - Apply and Save not working with tomcat

          Mohan added a comment -

          Same problem even in Jenkins 2.263.4, apache-tomcat-9.0.43 and openjdk version "1.8.0_282" as well.


          Mohan added a comment - - edited

          Solutions tried:

          1) Under Configure Global Security --> CSRF Protection --> Enable proxy compatibility (tick marked, enabled). - Didn't work, so disabled with the below command.
          2) hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = true - Even after this it also didn't work.
          3) Installed the Strict Crumb Issuer plugin. Enabled this plugin and unchecked "Check the session ID" in its configuration (under Jenkins Configure Global Security).
          4) Restarted Jenkins.
          

          01-Mar-2021 08:12:10.604 WARNING [Handling POST /jenkins/configSubmit from 45.46.58.59 : http-nio-8080-exec-2] hudson.security.csrf.CrumbFilter.doFilter No valid crumb was included in request for /jenkins/configSubmit by sumit.mital. Returning 403.
          

          Still same problem persists.
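
As an added example (not part of the original issue thread or of Jenkins itself): a small triage script for the `CrumbFilter` warning quoted in the comment above, grouping rejected requests by path, user and client address so you can see which forms are affected and by whom. The sample log lines, addresses and user names are constructed.

```python
import re
from collections import Counter, defaultdict

# Matches the CrumbFilter rejection line in the Tomcat (JUL) layout quoted in the thread.
CRUMB_REJECT = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) WARNING "
    r"\[Handling (?P<method>[A-Z]+) (?P<uri>\S+) from (?P<client>\S+) : (?P<thread>[^\]]+)\] "
    r"hudson\.security\.csrf\.CrumbFilter\.doFilter "
    r"No valid crumb was included in request for (?P<path>\S+) by (?P<user>.+?)\. "
    r"Returning (?P<status>\d{3})\.$"
)

# Constructed sample: documentation-range addresses, made-up user names.
SAMPLE_LOG = """\
01-Mar-2021 08:12:10.604 WARNING [Handling POST /jenkins/configSubmit from 192.0.2.10 : http-nio-8080-exec-2] hudson.security.csrf.CrumbFilter.doFilter No valid crumb was included in request for /jenkins/configSubmit by alice.admin. Returning 403.
01-Mar-2021 08:12:41.118 INFO [http-nio-8080-exec-4] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive has finished
01-Mar-2021 08:13:02.377 WARNING [Handling POST /jenkins/configSubmit from 192.0.2.10 : http-nio-8080-exec-5] hudson.security.csrf.CrumbFilter.doFilter No valid crumb was included in request for /jenkins/configSubmit by alice.admin. Returning 403.
01-Mar-2021 08:15:55.009 WARNING [Handling POST /jenkins/job/build-app/build from 198.51.100.7 : http-nio-8080-exec-1] hudson.security.csrf.CrumbFilter.doFilter No valid crumb was included in request for /jenkins/job/build-app/build by anonymous. Returning 403.
"""

def parse_rejections(text):
    """Return one dict per CrumbFilter rejection; all other log lines are skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := CRUMB_REJECT.match(line.strip()))]

def summarize(rejections):
    """Per path: rejection count and the distinct (user, client) pairs, busiest path first."""
    by_path = Counter(r["path"] for r in rejections)
    who = defaultdict(set)
    for r in rejections:
        who[r["path"]].add((r["user"], r["client"]))
    return {p: {"count": n, "who": sorted(who[p])} for p, n in by_path.most_common()}

if __name__ == "__main__":
    for path, info in summarize(parse_rejections(SAMPLE_LOG)).items():
        print(f"{info['count']:3d}  {path}  {info['who']}")
```

Repeated rejections for one authenticated administrator on one form, as in this thread, point at configuration; rejections for `anonymous` or across many paths from one address are the ones to review as unexpected POST traffic.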


          Mohan added a comment - - edited

          Jenkins > Manage Jenkins > Configure Global Security > CSRF Protection - Default Crumb Issuer: tried with Enable Proxy Compatibility both ticked and un-ticked. But no success, still getting the same error.


          Mohan added a comment - - edited

          Jenkins > Manage Jenkins > Configure Global Security - Apply works. But Save results in the same error.


          Mohan added a comment - - edited

          Even tried adding the below in the /apache-tomcat-9.0.43/conf/tomcat-users.xml file; however, still the same issue.

           

          <?xml version='1.0' encoding='utf-8'?>
          <tomcat-users>
              <role rolename="manager-gui"/>
              <role rolename="manager-script"/>
              <role rolename="manager-jmx"/>
              <role rolename="manager-status"/>
              <role rolename="admin-gui"/>
              <role rolename="admin-script"/>
              <user username="user" password="password" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script"/>
          </tomcat-users>
          

           

           


          Mohan added a comment -

          Any help would be much appreciated


          Mark Waite added a comment -

          My best suggestion is to not try to run Jenkins under tomcat. Run it as a separate application so that you don't need to wrestle with Tomcat configuration.

          If you need a reverse proxy between the user and Jenkins, consider nginx, Apache, HAProxy, or Squid as described in reverse proxy configuration.


          Mohan added a comment - - edited

          We have been running our Jenkins under Tomcat for the last 10 years; until we upgraded our Jenkins from 2.235.5 (LTS) to 2.263.1-LTS we had no issue.

          Sure, we will consider moving out of Tomcat.

          The Nginx reverse proxy side seems to have no issues, because I have tested without the Nginx reverse proxy and even then faced the same problem.

          It looks like CSRF is causing the issue with Tomcat. Still digging. Hopefully it will get sorted out.

           


          Mohan added a comment - - edited

          Tested with Jenkins 2.235.5-LTS and with the same version of apache-tomcat-9.0.43; here there is no issue.


          Suresh Dega added a comment -

          Hi Mohan,

          Has this issue been resolved? Please let me know what the fix for this is. I'm facing the same issue. It would be very helpful if you could provide the solution.


          Deepa TP added a comment -

          Hi Mohan,

           

          Is this issue resolved? If yes, please provide the solution. I am also facing the same issue. It is taking a lot of time to fix and I do not understand the root cause of this. This has been a blocker in the production environment.


          Mohan added a comment -

          Hi Suresh & Deepa, I have solved my problem by moving my Jenkins outside of Apache.


            Assignee: Unassigned
            Reporter: Mohan (smohan08)