CSRF enabled -> Missing or bad crumb data if use Redirect to other Port


If you use an Apache with a redirect from port 80 --> 8080 and use an API token without a crumb token, you will receive the following error:

org.codinjutsu.tools.jenkins.security.AuthenticationException: CSRF enabled -> Missing or bad crumb data
	at org.codinjutsu.tools.jenkins.security.DefaultSecurityClient.checkResponse(DefaultSecurityClient.java:150)
	at org.codinjutsu.tools.jenkins.security.DefaultSecurityClient.runMethod(DefaultSecurityClient.java:124)
	at org.codinjutsu.tools.jenkins.security.DefaultSecurityClient.execute(DefaultSecurityClient.java:68)
	at org.codinjutsu.tools.jenkins.logic.RequestManager.loadJenkinsView(RequestManager.java:123)
	at org.codinjutsu.tools.jenkins.logic.RequestManager.loadJenkinsView(RequestManager.java:279)
	at org.codinjutsu.tools.jenkins.view.BrowserPanel.loadJobs(BrowserPanel.java:472)

Issue Analytics

  • State: open
  • Created 3 years ago
  • Comments: 8 (3 by maintainers)

Top GitHub Comments

4 reactions
MCMicS commented, Apr 22, 2020

Hi @jep, since Jenkins 2.176.2 the crumb does not work anymore in this way. We should keep the session because:

CSRF tokens (crumbs) are now only valid for the web session they were created in to limit the impact of attackers obtaining them

Jenkins says that:

Scripts could instead use an API token, which has not required a CSRF token (crumb) since Jenkins 2.96.

So it is recommended to use an API token instead of a password. Then you can work without a crumb.

see #173

Hope it helps.

I will update the UI in one of the next releases to change password with API Token to clarify this.
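The behaviour described in the comment above, as an added example that is not part of the original thread or the plugin's code: a simplified Python model of the server-side check, in which a crumb is accepted only in the web session it was issued in, while API-token authentication skips the crumb check. The `ModelJenkins` class, the user, password, token and session ids are all constructed for illustration.

```python
import hashlib
import hmac
import secrets


class ModelJenkins:
    """Simplified, constructed model of the CSRF check; not Jenkins source code."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)
        self.passwords = {"alice": "hunter2"}        # constructed credentials
        self.api_tokens = {"alice": "11aa22bb33cc"}  # constructed API token

    def _crumb(self, user, session_id):
        # The crumb is derived from the user AND the web session it was issued in.
        msg = f"{user}:{session_id}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue_crumb(self, user, password, session_id):
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        return {"crumbRequestField": "Jenkins-Crumb",
                "crumb": self._crumb(user, session_id)}

    def post(self, user, secret, session_id=None, headers=None):
        """Return the HTTP status a state-changing request would get."""
        headers = headers or {}
        if hmac.compare_digest(self.api_tokens.get(user, ""), secret):
            return 200  # API token auth: no crumb required
        if self.passwords.get(user) != secret:
            return 401
        sent = headers.get("Jenkins-Crumb", "")
        if session_id and hmac.compare_digest(sent, self._crumb(user, session_id)):
            return 200
        return 403  # missing crumb, or crumb issued in another session


def demo():
    j = ModelJenkins()
    c = j.issue_crumb("alice", "hunter2", session_id="sess-A")
    hdr = {c["crumbRequestField"]: c["crumb"]}
    return {
        "password, crumb, same session": j.post("alice", "hunter2", "sess-A", hdr),
        "password, crumb, new session": j.post("alice", "hunter2", "sess-B", hdr),
        "password, no crumb": j.post("alice", "hunter2", "sess-A"),
        "API token, no crumb": j.post("alice", "11aa22bb33cc"),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{status}  {case}")
```

A client that fetches the crumb and then sends the POST without carrying the session cookie over lands in the "new session" case.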

1 reaction
jep commented, Apr 23, 2020

> Hi @jep, since Jenkins 2.176.2 the crumb does not work anymore in this way. We should keep the session because:
>
> > CSRF tokens (crumbs) are now only valid for the web session they were created in to limit the impact of attackers obtaining them
>
> Jenkins says that:
>
> > Scripts could instead use an API token, which has not required a CSRF token (crumb) since Jenkins 2.96.
>
> So it is recommended to use an API token instead of a password. Then you can work without a crumb.
>
> see #173
>
> Hope it helps.
>
> I will update the UI in one of the next releases to change password with API Token to clarify this.

I apologize for overlooking this. Your suggestion resolved the issue. Thank you for your quick response!
