
CSRF enabled -> Missing or bad crumb data if use Redirect to other Port

Open MCMicS opened this issue 4 years ago • 8 comments

If you use an Apache with Redirect Port 80 --> 8080 and use an API Token without Crumb Token you will receive the following error:

org.codinjutsu.tools.jenkins.security.AuthenticationException: CSRF enabled -> Missing or bad crumb data
	at org.codinjutsu.tools.jenkins.security.DefaultSecurityClient.checkResponse(DefaultSecurityClient.java:150)
	at org.codinjutsu.tools.jenkins.security.DefaultSecurityClient.runMethod(DefaultSecurityClient.java:124)
	at org.codinjutsu.tools.jenkins.security.DefaultSecurityClient.execute(DefaultSecurityClient.java:68)
	at org.codinjutsu.tools.jenkins.logic.RequestManager.loadJenkinsView(RequestManager.java:123)
	at org.codinjutsu.tools.jenkins.logic.RequestManager.loadJenkinsView(RequestManager.java:279)
	at org.codinjutsu.tools.jenkins.view.BrowserPanel.loadJobs(BrowserPanel.java:472)

MCMicS avatar Mar 23 '20 07:03 MCMicS

Where can you enter the API token?

xoleja01 avatar Mar 27 '20 14:03 xoleja01

In the password field.

In one of the next releases we will document this in the UI, something like Password/Token.

MCMicS avatar Mar 27 '20 14:03 MCMicS

Thanks for such quick answer

xoleja01 avatar Mar 27 '20 14:03 xoleja01

No problem. If it does not work, please ask again. We also have a Gitter for discussing problems.

MCMicS avatar Mar 27 '20 14:03 MCMicS

I figured it out 2 seconds before I read your answer :) I was trying to fit it into the crumb field...

xoleja01 avatar Mar 27 '20 14:03 xoleja01

Update: It appears the stack trace is generated when submitting the correct, but not working crumb, and clicking OK to close the Jenkins Control Plugin configuration section, then clicking the "Refresh latest builds" button, not the Test Connection button. No stack trace is generated when clicking Test Connection, only the error message.

I'm getting the same "[Fail] CSRF enabled -> Missing or bad crumb data" but without Apache and a different stack trace.

I am running Jenkins 2.222.1 on Ubuntu 18.04. I installed IntelliJ and the Jenkins Control Plugin (0.12.0-2019.3). When I enter the crumb data from http://jenkins-url:8080/crumbIssuer/api/xml?tree=crumb and click Test Connection, I get the error.

IntelliJ IDEA Details
IntelliJ IDEA 2020.1 (Community Edition)
Build #IC-201.6668.121, built on April 8, 2020
Runtime version: 11.0.6+8-b765.25 amd64
VM: OpenJDK 64-Bit Server VM by JetBrains s.r.o
Linux 5.3.0-46-generic
GC: ParNew, ConcurrentMarkSweep
Non-Bundled Plugins: Jenkins Control Plugin, training, Stapler plugin for IntelliJ IDEA, com.thvardhan.gradianto, com.vincentp.gruvbox-theme, BashSupport, com.jetbrains.edu, some.awesome
Current Desktop: MATE

Stack Trace

org.codinjutsu.tools.jenkins.security.AuthenticationException: CSRF enabled -> Missing or bad crumb data
	at org.codinjutsu.tools.jenkins.security.DefaultSecurityClient.checkResponse(DefaultSecurityClient.java:150)
	at org.codinjutsu.tools.jenkins.security.DefaultSecurityClient.runMethod(DefaultSecurityClient.java:124)
	at org.codinjutsu.tools.jenkins.security.DefaultSecurityClient.execute(DefaultSecurityClient.java:68)
	at org.codinjutsu.tools.jenkins.logic.RequestManager.loadJenkinsRssLatestBuilds(RequestManager.java:115)
	at org.codinjutsu.tools.jenkins.logic.RssLogic.loadAndReturnNewLatestBuilds(RssLogic.java:91)
	at org.codinjutsu.tools.jenkins.logic.RssLogic.access$000(RssLogic.java:48)
	at org.codinjutsu.tools.jenkins.logic.RssLogic$LoadLatestBuildsJob.run(RssLogic.java:189)
	at com.intellij.openapi.progress.impl.CoreProgressManager$TaskRunnable.run(CoreProgressManager.java:930)
	at com.intellij.openapi.progress.impl.CoreProgressManager.lambda$runProcessWithProgressAsync$5(CoreProgressManager.java:432)
	at com.intellij.openapi.progress.impl.ProgressRunner.lambda$null$3(ProgressRunner.java:233)
	at com.intellij.openapi.progress.impl.CoreProgressManager.lambda$runProcess$2(CoreProgressManager.java:164)
	at com.intellij.openapi.progress.impl.CoreProgressManager.registerIndicatorAndRun(CoreProgressManager.java:625)
	at com.intellij.openapi.progress.impl.CoreProgressManager.executeProcessUnderProgress(CoreProgressManager.java:570)
	at com.intellij.openapi.progress.impl.ProgressManagerImpl.executeProcessUnderProgress(ProgressManagerImpl.java:61)
	at com.intellij.openapi.progress.impl.CoreProgressManager.runProcess(CoreProgressManager.java:151)
	at com.intellij.openapi.progress.impl.ProgressRunner.lambda$submit$4(ProgressRunner.java:233)
	at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1700)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:834)

Is this the appropriate location to post this, or would you prefer a new issue?

jep avatar Apr 22 '20 16:04 jep

Hi @jep, since Jenkins 2.176.2 the crumb does not work anymore in this way. We should keep the session because:

CSRF tokens (crumbs) are now only valid for the web session they were created in to limit the impact of attackers obtaining them

Jenkins says that:

Scripts could instead use an API token, which has not required a CSRF token (crumb) since Jenkins 2.96.

So it is recommended to use an API token instead of a password; then you can work without a crumb.

see #173

Hope it helps.

I will update the UI in one of the next releases to change Password to API Token to clarify this.

MCMicS avatar Apr 22 '20 17:04 MCMicS
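The two rules the comment above quotes (a crumb is only valid inside the web session that issued it; a request authenticated with an API token needs no crumb at all) are easy to see against a small stand-in. The code below is an added example written for this edit, not code from the Jenkins Control Plugin or from Jenkins itself: `FakeJenkins` is a constructed in-memory model of a controller with CSRF protection on, and the header and cookie names, the `/job/demo/build` path and the user `alice` with her sample password and token are assumptions. The three client functions reproduce the stateless crumb flow that fails with "Missing or bad crumb data", the session-preserving crumb flow that works, and the API-token flow the maintainer recommends.

```python
import base64
import json
import secrets
from typing import Dict, Optional, Tuple

CRUMB_FIELD = "Jenkins-Crumb"     # assumed: Jenkins' default crumbRequestField name
SESSION_COOKIE = "JSESSIONID"     # assumed: session cookie name used by this stand-in

Headers = Dict[str, str]


class FakeJenkins:
    """Constructed in-memory stand-in for a Jenkins controller with CSRF protection enabled."""

    def __init__(self) -> None:
        # constructed sample user with a login password and a separate API token
        self.users = {"alice": {"password": "hunter2", "api_token": "11c0n5truct3dt0k3n"}}
        self.sessions: Dict[str, str] = {}   # session id -> crumb issued for that session

    def _credentials(self, headers: Headers) -> Optional[Tuple[str, bool]]:
        """Decode HTTP Basic auth; return (user, used_api_token) or None if rejected."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        user, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        record = self.users.get(user)
        if record is None:
            return None
        if secrets.compare_digest(secret, record["api_token"]):
            return user, True
        if secrets.compare_digest(secret, record["password"]):
            return user, False
        return None

    def handle(self, method: str, path: str, headers: Headers) -> Tuple[int, Headers, str]:
        creds = self._credentials(headers)
        if creds is None:
            return 401, {}, "Unauthorized"
        _, used_api_token = creds
        # Resume the caller's web session if it sent the cookie, otherwise open a new one
        _, _, sid = headers.get("Cookie", "").partition("=")
        if sid not in self.sessions:
            sid = secrets.token_hex(8)
            self.sessions[sid] = secrets.token_hex(16)   # the crumb is tied to this session only
        resp: Headers = {"Set-Cookie": f"{SESSION_COOKIE}={sid}"}
        if method == "GET" and path == "/crumbIssuer/api/json":
            return 200, resp, json.dumps({"crumbRequestField": CRUMB_FIELD, "crumb": self.sessions[sid]})
        if method == "POST":
            # CSRF check: API-token requests are exempt; password logins need this session's crumb
            if not used_api_token and headers.get(CRUMB_FIELD) != self.sessions[sid]:
                return 403, resp, "No valid crumb was included in the request"
            return 200, resp, "ok"
        return 404, resp, "not found"


def _basic(user: str, secret: str) -> Headers:
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()}


def post_crumb_without_session(server: FakeJenkins, user: str, password: str) -> int:
    """Stateless flow: fetch a crumb, discard the session cookie, send the crumb on its own."""
    _, _, body = server.handle("GET", "/crumbIssuer/api/json", _basic(user, password))
    crumb = json.loads(body)["crumb"]
    status, _, _ = server.handle("POST", "/job/demo/build", {**_basic(user, password), CRUMB_FIELD: crumb})
    return status   # 403: the crumb belongs to the session the first request opened


def post_crumb_with_session(server: FakeJenkins, user: str, password: str) -> int:
    """Password login done right: keep the cookie so the crumb is presented in its own session."""
    _, resp, body = server.handle("GET", "/crumbIssuer/api/json", _basic(user, password))
    crumb = json.loads(body)["crumb"]
    headers = {**_basic(user, password), "Cookie": resp["Set-Cookie"], CRUMB_FIELD: crumb}
    status, _, _ = server.handle("POST", "/job/demo/build", headers)
    return status   # 200


def post_with_api_token(server: FakeJenkins, user: str, token: str) -> int:
    """What the thread recommends: the API token in the password field, no crumb needed."""
    status, _, _ = server.handle("POST", "/job/demo/build", _basic(user, token))
    return status   # 200


if __name__ == "__main__":
    jenkins = FakeJenkins()
    print("crumb, no session  :", post_crumb_without_session(jenkins, "alice", "hunter2"))
    print("crumb + session    :", post_crumb_with_session(jenkins, "alice", "hunter2"))
    print("API token, no crumb:", post_with_api_token(jenkins, "alice", "11c0n5truct3dt0k3n"))
```

The first function is the shape of the plugin's failure: the crumb it fetched is genuine, but it is replayed outside the session that issued it, so the controller rejects it exactly as it would reject a crumb an attacker had lifted. The API-token flow avoids the problem entirely and is also the one to prefer for any scripted client, since a token can be revoked independently of the login password.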

> Hi @jep, since Jenkins 2.176.2 the crumb does not work anymore in this way. We should keep the session because:
>
> CSRF tokens (crumbs) are now only valid for the web session they were created in to limit the impact of attackers obtaining them
>
> Jenkins says that:
>
> Scripts could instead use an API token, which has not required a CSRF token (crumb) since Jenkins 2.96.
>
> So it is recommended to use an API token instead of a password; then you can work without a crumb.
>
> see #173
>
> Hope it helps.
>
> I will update the UI in one of the next releases to change Password to API Token to clarify this.

I apologize for overlooking this. Your suggestion resolved the issue. Thank you for your quick response!

jep avatar Apr 23 '20 16:04 jep

improved redirect handling with 0.13.17

If there are still issues, please reopen or file a new issue.

MCMicS avatar Feb 22 '23 20:02 MCMicS