Jenkins / JENKINS-34254

Shutdown of jenkins via the /exit URL doesn't work in 2.0 b/c of 403

      Description

      1) Start jenkins from WAR, giving a JENKINS_HOME directory
      2) Install initial plugins and create an admin user (probably not needed), then restart and log in
      3) Try to exit jenkins the "right" way by visiting http://localhost:8080/exit
      4) Click the "try POST" button
      5) See attached 403 error message:

        Attachments

          Screen Shot 2016-04-14 at 3.11.15 PM.png

          Issue Links

            Duplicated by JENKINS-38954
            Related to JENKINS-47043
            Blocks SECURITY-620

            Activity

            svanoort Sam Van Oort created issue -
            svanoort Sam Van Oort made changes -
            Field: Summary
            Original Value: Shutdown of jenkins via the /exit URL doesn't work in 2.0 due to crumb issue
            New Value: Shutdown of jenkins via the /exit URL doesn't work in 2.0 b/c of 403

            Field: Description
            Original Value:
            1) Start jenkins from WAR, giving a JENKINS_HOME directory
            2) Install initial plugins and create an admin user (probably not needed)
            3) Try to exit jenkins the "right" way by visiting http://localhost:8080/exit
            4) Click the "try POST" button
            5) See attached 403 error message:

            !Screen Shot 2016-04-14 at 3.11.15 PM.png|thumbnail!

            New Value:
            1) Start jenkins from WAR, giving a JENKINS_HOME directory
            2) Install initial plugins and create an admin user (probably not needed), then restart and log in
            3) Try to exit jenkins the "right" way by visiting http://localhost:8080/exit
            4) Click the "try POST" button
            5) See attached 403 error message:

            !Screen Shot 2016-04-14 at 3.11.15 PM.png|thumbnail!
            danielbeck Daniel Beck added a comment -

            Yes. CSRF protection breaks the 'Use POST' workaround. Looks like it needs to have a GET based UI, like /restart and /safeRestart have.

            /safeExit is also affected. I never understood this inconsistency, it's time we clean it up.

            Not a 2.0 specific thing, it's just that we default the CSRF option to on in 2.0.

            swashbuck1r Spike Washburn made changes -
            Assignee Keith Zantow [ kzantow ]
            swashbuck1r Spike Washburn made changes -
            Labels 2.0 2.0-rc testfest 2.0 2.0-planned 2.0-rc testfest
            kzantow Keith Zantow made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            kzantow Keith Zantow made changes -
            Remote Link This issue links to "PR 2268 (Web Link)" [ 14210 ]
            kzantow Keith Zantow added a comment -

            Daniel Beck I don't think this is critical for 2.0, but the change in the PR is pretty isolated and could fairly easily be cherry-picked, if needed.

            danielbeck Daniel Beck added a comment -

            Not a regression in 2.0, and I don't expect this is an often used feature. Therefore 2.1+ should be good enough.

            danielbeck Daniel Beck made changes -
            Labels 2.0 2.0-planned 2.0-rc testfest 2.0 2.0-rc testfest
            kzantow Keith Zantow made changes -
            Remote Link This issue links to "Stapler PR 73 (Web Link)" [ 14244 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 170316 ] JNJira + In-Review [ 185721 ]
            kzantow Keith Zantow made changes -
            Status In Progress [ 3 ] Open [ 1 ]
            danielbeck Daniel Beck made changes -
            Link This issue is duplicated by JENKINS-38954 [ JENKINS-38954 ]
            oleg_nenashev Oleg Nenashev added a comment -

            Or maybe 2.51

            wilson_ds_net Brian Wilson added a comment -

            I use this all the time with start/stop scripts. This really should not have been allowed to slip through the cracks and needs to be fixed asap.

            jglick Jesse Glick added a comment -

            Scripts need merely send a POST request. Or you can use the CLI.

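Jesse Glick's suggestion above, worked out as an added example (not part of the issue and not Jenkins' own code): a stop script fetches a CSRF crumb from the standard `/crumbIssuer/api/json` endpoint and then sends an authenticated POST to `/exit` or `/safeExit`, which is what the GET-based "try POST" form fails to do once CSRF protection is enabled. The base URL `http://localhost:8080` comes from the report; the admin user, API token, environment variable names and the crumb value in the sample JSON are assumptions made for the example.

```python
"""Stop a Jenkins controller from a script the way the thread recommends:
POST to /exit (or /safeExit) with credentials and a CSRF crumb, instead of
loading the GET-based "try POST" form that the bug report shows failing.

Added example, not Jenkins code. Assumptions are marked below."""
import base64
import http.cookiejar
import json
import os
import sys
import urllib.error
import urllib.request

# Paths named in the issue: /exit stops at once, /safeExit waits for builds.
EXIT_PATHS = {False: "/exit", True: "/safeExit"}

# Constructed sample of a /crumbIssuer/api/json response (the endpoint is
# standard Jenkins; the crumb value here is made up for the example).
SAMPLE_CRUMB_JSON = (
    '{"_class":"hudson.security.csrf.DefaultCrumbIssuer",'
    '"crumb":"deadbeef","crumbRequestField":"Jenkins-Crumb"}'
)


def basic_auth_header(user, api_token):
    """HTTP Basic credential for an admin user and an API token (not a password)."""
    raw = f"{user}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def crumb_header(crumb_json):
    """Return (header name, crumb value) from the crumb issuer's JSON.

    The issuer names the header it expects (crumbRequestField), so read it
    instead of hard-coding 'Jenkins-Crumb'."""
    data = json.loads(crumb_json)
    return data["crumbRequestField"], data["crumb"]


def build_crumb_request(base_url, user, api_token):
    """GET request that fetches a fresh crumb for the authenticated user."""
    url = base_url.rstrip("/") + "/crumbIssuer/api/json"
    headers = {"Authorization": basic_auth_header(user, api_token)}
    return urllib.request.Request(url, headers=headers)


def build_exit_request(base_url, user, api_token, crumb_json, safe=False):
    """POST request to /exit or /safeExit carrying credentials and the crumb.

    A GET to the same URL is exactly what CrumbFilter rejects with 403 once
    CSRF protection is on, so the method is forced to POST."""
    field, value = crumb_header(crumb_json)
    url = base_url.rstrip("/") + EXIT_PATHS[safe]
    headers = {"Authorization": basic_auth_header(user, api_token), field: value}
    return urllib.request.Request(url, data=b"", headers=headers, method="POST")


def shutdown_jenkins(base_url, user, api_token, safe=False, opener=None):
    """Two-step flow: fetch a crumb, then POST it to the exit endpoint.

    Returns the HTTP status of the POST. A 403 means Jenkins rejected the
    crumb or the credentials, which is the symptom in this issue; a 2xx
    status means the shutdown was accepted."""
    if opener is None:
        # One cookie jar for both requests so a crumb that Jenkins binds to
        # the session stays valid for the POST.
        jar = http.cookiejar.CookieJar()
        opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    with opener.open(build_crumb_request(base_url, user, api_token), timeout=15) as resp:
        crumb_json = resp.read().decode("utf-8")
    try:
        req = build_exit_request(base_url, user, api_token, crumb_json, safe)
        with opener.open(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Hypothetical environment variable names chosen for this example.
    status = shutdown_jenkins(
        os.environ.get("JENKINS_URL", "http://localhost:8080"),
        os.environ["JENKINS_USER"],
        os.environ["JENKINS_TOKEN"],
        safe="--safe" in sys.argv[1:],
    )
    print(f"exit request returned HTTP {status}")
    sys.exit(0 if 200 <= status < 300 else 1)
```

Run it with `JENKINS_USER` and `JENKINS_TOKEN` set (and `JENKINS_URL` if the controller is not on localhost:8080); pass `--safe` to use `/safeExit`. Because the request is a real POST with a crumb and an API token, it works with CSRF protection left on, so a stop script no longer gives anyone a reason to disable the protection for convenience.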
            danielbeck Daniel Beck added a comment - - edited

            Jesse Glick Well, there's a difference between RequirePOST and POST in that the former offers a workaround to enable interactive use, but it's clearly broken.

            jglick Jesse Glick added a comment -

            Not disagreeing, just responding to Brian Wilson’s comment, which was about scripts rather than interactive use if I understand it correctly.

            alonbl Alon Bar-Lev added a comment -

            Please fix, it is the only way to restart jenkins if running under systemd.

            danielbeck Daniel Beck made changes -
            Link This issue is related to JENKINS-47043 [ JENKINS-47043 ]
            danielbeck Daniel Beck made changes -
            Link This issue blocks SECURITY-620 [ SECURITY-620 ]
            kzantow Keith Zantow made changes -
            Assignee Keith Zantow [ kzantow ]
            danielbeck Daniel Beck made changes -
            Labels 2.0 2.0-rc testfest 2.0 2.0-rc lts-candidate testfest
            danielbeck Daniel Beck made changes -
            Remote Link This issue links to "PR 3187 (Web Link)" [ 19405 ]
            danielbeck Daniel Beck made changes -
            Remote Link This issue links to "Stapler PR 135 (Web Link)" [ 19406 ]
            danielbeck Daniel Beck added a comment -

            Not sure whether this qualifies as lts-candidate given the age, but it's annoying and might get some users to choose insecurity over inconvenience.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/pom.xml
            core/src/main/java/hudson/security/csrf/CrumbFilter.java
            core/src/main/resources/hudson/security/csrf/CrumbFilter/retry.jelly
            core/src/main/resources/hudson/security/csrf/CrumbFilter/retry.properties
            http://jenkins-ci.org/commit/jenkins/e20b0496149669f3a0f05cabd1a06eb3a469e935
            Log:
            JENKINS-34254 Fix RequirePOST form

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/src/main/resources/hudson/security/csrf/CrumbFilter/retry.jelly
            http://jenkins-ci.org/commit/jenkins/b27bb928a28ee578122eb4b076c8a3d8d68d878c
            Log:
            JENKINS-34254 Set HTTP status code for view

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/src/main/java/hudson/security/csrf/CrumbFilter.java
            http://jenkins-ci.org/commit/jenkins/2f45a2332b96a133ef269e2b621617016c98fdfa
            Log:
            JENKINS-34254 Adapt to upstream change using ServiceLoader

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/pom.xml
            http://jenkins-ci.org/commit/jenkins/3c695a3ed6836abce19c0c71eeca418f0fe9fd66
            Log:
            JENKINS-34254 Use released Stapler 1.254

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/src/main/resources/hudson/security/csrf/CrumbFilter/retry.jelly
            test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerTest.java
            http://jenkins-ci.org/commit/jenkins/f0efdbab087ea26342a034da198d055bd7141b8a
            Log:
            JENKINS-34254 Add test

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/pom.xml
            core/src/main/java/hudson/security/csrf/CrumbFilter.java
            core/src/main/resources/hudson/security/csrf/CrumbFilter/retry.jelly
            core/src/main/resources/hudson/security/csrf/CrumbFilter/retry.properties
            test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerTest.java
            http://jenkins-ci.org/commit/jenkins/76c9f8beacc681663571c925b5ee090222407e34
            Log:
            Merge pull request #3187 from daniel-beck/JENKINS-34254-v2

            JENKINS-34254 Fix RequirePOST form

            Compare: https://github.com/jenkinsci/jenkins/compare/814d202716a6...76c9f8beacc6

            danielbeck Daniel Beck made changes -
            Assignee Daniel Beck [ danielbeck ]
            danielbeck Daniel Beck added a comment -

            Fixed towards 2.96.

            danielbeck Daniel Beck made changes -
            Status Open [ 1 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            olivergondza Oliver Gondža made changes -
            Labels 2.0 2.0-rc lts-candidate testfest 2.0 2.0-rc 2.89.3-rejected lts-candidate testfest
            olivergondza Oliver Gondža added a comment -

            Given how long it was broken, there is no rush in expediting this into LTS. Will not be in .3.

            olivergondza Oliver Gondža made changes -
            Labels 2.0 2.0-rc 2.89.3-rejected lts-candidate testfest 2.0 2.0-rc 2.89.3-rejected 2.89.4-fixed lts-candidate testfest
            olivergondza Oliver Gondža made changes -
            Labels 2.0 2.0-rc 2.89.3-rejected 2.89.4-fixed lts-candidate testfest 2.0 2.0-rc 2.89.3-rejected 2.89.4-fixed testfest
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/pom.xml
            core/src/main/java/hudson/security/csrf/CrumbFilter.java
            core/src/main/resources/hudson/security/csrf/CrumbFilter/retry.jelly
            core/src/main/resources/hudson/security/csrf/CrumbFilter/retry.properties
            test/src/test/java/hudson/security/csrf/DefaultCrumbIssuerTest.java
            http://jenkins-ci.org/commit/jenkins/bed6ccd71921c9321919f7a042864dbbbf63243a
            Log:
            Merge pull request #3187 from daniel-beck/JENKINS-34254-v2

            JENKINS-34254 Fix RequirePOST form

            (cherry picked from commit 76c9f8beacc681663571c925b5ee090222407e34)

            Compare: https://github.com/jenkinsci/jenkins/compare/2904044e5105...bed6ccd71921


              People

              Assignee: Daniel Beck
              Reporter: Sam Van Oort
              Votes: 4
              Watchers: 9