I configured Jenkins in Spinnaker as follows and set up a Spinnaker pipeline.
jenkins:
# If you are integrating Jenkins, set its location here using the bas
This solution is SAFE to use
Came along this issue when we changed Jenkins to be accessible via a reverse proxy.
There is an option in "Configure Global Security" called "Enable proxy compatibility". This helped with my issue.
For the new release of Jenkins you should follow the solution below:
https://jenkins.io/doc/upgrade-guide/2.176/#upgrading-to-jenkins-lts-2-176-3
Upgrading to Jenkins 2.176.2 Improved CSRF protection
SECURITY-626
CSRF tokens (crumbs) are now only valid for the web session they were created in to limit the impact of attackers obtaining them. Scripts that obtain a crumb using the /crumbIssuer/api URL will now fail to perform actions protected from CSRF unless the scripts retain the web session ID in subsequent requests. Scripts could instead use an API token, which has not required a CSRF token (crumb) since Jenkins 2.96.
To disable this improvement you can set the system property hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID to true. Alternatively, you can install the Strict Crumb Issuer Plugin which provides more options to customize the crumb validation. It allows excluding the web session ID from the validation criteria, and instead e.g. replacing it with time-based expiration for similar (or even better) protection from CSRF
In my case, what helped was installing the Strict Crumb Issuer Plugin, rebooting Jenkins and applying a less strict policy for the web interface of Jenkins, as is suggested on the vendor's site.
For Java code that accesses the Jenkins API, I will leave my advice.
The answer of @Santhosh (https://stackoverflow.com/a/60221003/5940655) does resolve the problem; it consists in changing the password for a token, but as far as I know, the token is now a legacy manner of doing it. So I tried another way and found a solution inside the Java code.
Here is how I did it. In my Java code I use the "com.offbytwo.jenkins" package, and the class that I use is "JenkinsServer".
My problem was creating a job in Jenkins, because I was getting the error: "403 No valid crumb was included in request"
Then I found a boolean parameter called crumbFlag, passed "true" to it, and everything worked.
My code was like this:
jenkins.createJob(job.getName(), config);
Then I changed it to this and it worked like a charm:
jenkins.createJob(job.getName(), config, true);
This parameter is inside almost all methods of this package, for example:
The technical documentation inside the code is:
@param crumbFlag
true to add crumbIssuer, false otherwise.
I understood that if you pass "true" for this parameter, it will issue a crumb automatically.
Well, the official documentation has this information in detail; if you wish, take a look here:
https://javadoc.io/doc/com.offbytwo.jenkins/jenkins-client/latest/com/offbytwo/jenkins/JenkinsServer.html
Finally, this post helped me to do away with the crumb problem while still securing Jenkins from CSRF attacks.
Solution for no-valid crumb included in the request issue
Basically, we need to first request a crumb with authentication and then issue POST API calls with the crumb as a header, along with authentication again.
This is how I did it:
curl -v -X GET http://jenkins-url:8080/crumbIssuer/api/json --user <username>:<password>
The response was:
{
"_class":"hudson.security.csrf.DefaultCrumbIssuer",
"crumb":"0db38413bd7ec9e98974f5213f7ead8b",
"crumbRequestField":"Jenkins-Crumb"
}
Then the POST API call with the above crumb information in it.
curl -X POST http://jenkins-url:8080/job/<job-name>/build --user <username>:<password> -H 'Jenkins-Crumb: 0db38413bd7ec9e98974f5213f7ead8b'
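The upgrade note quoted above says crumbs are only valid for the web session they were created in, so a script using the two-step flow has to send the session cookie from the crumb request back with the POST. A sketch of that flow with a curl cookie jar, as an added example that is not part of the original answers; `JENKINS_URL`, `JENKINS_USER`, `JENKINS_PASS` and the function names are assumptions:

```shell
#!/bin/sh
# Added example: session-aware crumb flow (Jenkins 2.176.2 and later).
# JENKINS_URL, JENKINS_USER and JENKINS_PASS are assumed environment variables.

# Turn a /crumbIssuer/api/json body into a "Field: value" header line.
# Returns non-zero if either value is missing or holds unexpected characters.
crumb_header() {
    body=$(printf '%s' "$1" | tr -d '\n')
    field=$(printf '%s' "$body" |
        sed -n 's/.*"crumbRequestField"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    crumb=$(printf '%s' "$body" |
        sed -n 's/.*"crumb"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    [ -n "$field" ] && [ -n "$crumb" ] || return 1
    # Defensive check: never splice arbitrary server text into a header.
    case "$field$crumb" in *[!A-Za-z0-9._-]*) return 1 ;; esac
    printf '%s: %s\n' "$field" "$crumb"
}

# Trigger a build: fetch the crumb, then POST within the same web session.
trigger_build() {
    job=$1
    jar=$(mktemp) || return 1
    # Step 1: -c stores the session cookie that the crumb is bound to.
    body=$(curl -fsS -c "$jar" --user "$JENKINS_USER:$JENKINS_PASS" \
        "$JENKINS_URL/crumbIssuer/api/json") || { rm -f "$jar"; return 1; }
    header=$(crumb_header "$body") || { rm -f "$jar"; return 1; }
    # Step 2: -b sends that cookie back, so the crumb is checked in its session.
    curl -fsS -X POST -b "$jar" --user "$JENKINS_USER:$JENKINS_PASS" \
        -H "$header" "$JENKINS_URL/job/$job/build"
    rc=$?
    rm -f "$jar"   # the jar holds a live session ID; do not leave it on disk
    return $rc
}
```

Call it as `trigger_build <job-name>` after exporting the three variables.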