Jenkins 2.192: HTTP Error 403: No valid crumb was included in the request

∥☆過路亽.° submitted on 2020-04-13 20:08:39

Question


I recently upgraded to Jenkins 2.192, and my applications started failing with the following error:

HTTP Error 403: No valid crumb was included in the request
Reason: No valid crumb was included in the request

I do not see the problem after downgrading to Jenkins 2.189. I do not see the issue with Jenkins 2.189, 2.190, 2.191. I hit the issue with Jenkins 2.192 (also seen with 2.196).

SOMETHING CHANGED BETWEEN 2.191 AND 2.192, causing the failure I observed.


Answer 1:


Refer - https://support.cloudbees.com/hc/en-us/articles/219257077-CSRF-Protection-Explained

If you authenticate with a username and a user API token then a crumb is not needed from Jenkins 2.96 weekly/2.107 LTS. For more information please refer to CSRF crumb no longer required when authenticating using API token or JENKINS-22474.




Answer 2:


You now have to forward the session id (present in the cookie response that generated the crumb) every time you use that crumb. Example code that hopefully illustrates it:

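const axios = require('axios');

async function duplicateProject() {
  // Client that authenticates every request with HTTP basic auth
  const jenkinsAxios = axios.create({
    baseURL: 'http://jenkins_url',
    auth: {
      username: 'MY-USERNAME',
      password: 'MY-PASSWORD'
    }
  });

  // Read the configuration of the job to copy
  const {data: existingJobConfig} = await jenkinsAxios.get('/job/existingJob/config.xml');

  // Request a crumb; this response also carries the session cookie that must accompany it
  const crumbIssuer = await jenkinsAxios.get('/crumbIssuer/api/json');

  // Create the new job, sending the crumb together with the cookie from the crumb response
  await jenkinsAxios.post('/createItem?name=MY_NEW_PROJECT', existingJobConfig, {
    headers: {
      'Content-Type': 'application/xml',
      [crumbIssuer.data.crumbRequestField]: crumbIssuer.data.crumb,
      Cookie: crumbIssuer.headers['set-cookie'][0]              // <--- THIS IS KEY!!!!
    }
  });
}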



Answer 3:


A simple solution without need of making changes to source code (validated with Jenkins v2.222):

  1. Install the Strict Crumb Issuer plugin (https://plugins.jenkins.io/strict-crumb-issuer/)
  2. Enable this plugin and uncheck 'Check the session ID' from its configuration (Under Jenkins Configure Global Security)

A drawback is that this solution makes us dependent on the Strict Crumb Issuer plugin and removes a security feature. But since our application requires many other plugins and only runs behind the firewall without Internet access, this is acceptable.




Answer 4:


It’s easy - and much more secure - to pass the crumb in your API calls. https://support.cloudbees.com/hc/en-us/articles/219257077-CSRF-Protection-Explained explains everything.

Also see Ansible jenkins_plugin module returns "HTTP Error 403: No valid crumb was included in the request" for a recent change in the crumb handling in Jenkins.




Answer 5:


I had the same issue after upgrading to this version when queuing Jenkins tasks from TFS with VSTS agents.

You can solve this temporarily by disabling CSRF security in Jenkins Server.

Just found this, may help: https://jenkins.io/doc/upgrade-guide/2.176/



Source: https://stackoverflow.com/questions/57731818/jenkins-2-192-http-error-403-no-valid-crumb-was-included-in-the-request
