JavaScriptMethod & 403 - No valid crumb was included in the request


JavaScriptMethod & 403 - No valid crumb was included in the request

Shaun Thompson
I'm developing a custom plugin that includes a class with a method annotated with @JavaScriptMethod.

It was working until I updated to the latest version of Jenkins 2.250, which forces CSRF protection.

I can't find anything to indicate how to get/add the CSRF token when calling this method.

// Java: the method exposed to the page through Stapler's JavaScript proxy
@JavaScriptMethod
public void setUserId(final String value) {
    userId = value;
}

<!-- Jelly view: binds the Java object to the JavaScript variable `instance` -->
<st:bind var="instance" value="${it}"/>

// JavaScript: calls the bound method with the current value of the #userId field
instance.setUserId($('#userId').val());

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/80c85b1d-9b61-45e7-9d1a-56fff340bcc4n%40googlegroups.com.

Re: JavaScriptMethod & 403 - No valid crumb was included in the request

Shaun Thompson
After looking at it a bit - it appears that the crumb header is being issued with the request as `Crumb`.

The CrumbFilter is looking for `Jenkins-Crumb` or `.crumb`.

As such, it fails. Appears to be a bug to me?

On Friday, August 28, 2020 at 2:53:39 PM UTC-5 Shaun Thompson wrote:

Re: JavaScriptMethod & 403 - No valid crumb was included in the request

Ulli Hafner
I’m on 2.254 and there everything looks good on the JS side.  

Can you see the JUnit or warnings trend charts? They use @JavaScriptMethod as well. 

On 28.08.2020 at 22:06, Shaun Thompson <[hidden email]> wrote:


Re: JavaScriptMethod & 403 - No valid crumb was included in the request

Shaun Thompson
At least for the JUnit plugin they are referencing an older version of Jenkins.

Looking at org/kohsuke/stapler/bind.js shows the following:

            if(window.jQuery === window.$) { //Is jQuery the active framework?
                $.ajax({
                    type: "POST",
                    url: url+methodName,
                    data: stringify(a),
                    contentType: 'application/x-stapler-method-invocation;charset=UTF-8',
                    headers: {'Crumb':crumb},
                    dataType: "json",
                    success: function(data, textStatus, jqXHR) {
                        if (callback!=null) {
                            var t = {};
                            t.responseObject = function() {
                                return data;
                            };
                            callback(t);
                        }
                    }
                });
            } else { //Assume prototype should work
                new Ajax.Request(url+methodName, {
                    method: 'post',
                    requestHeaders: {'Content-type':'application/x-stapler-method-invocation;charset=UTF-8','Crumb':crumb},
                    postBody: stringify(a),
                    onSuccess: function(t) {
                        if (callback!=null) {
                            t.responseObject = function() {
                                return eval('('+this.responseText+')');
                            };
                            callback(t);
                        }
                    }
                });
            }


On Friday, August 28, 2020 at 3:20:58 PM UTC-5 [hidden email] wrote:

Re: JavaScriptMethod & 403 - No valid crumb was included in the request

Ulli Hafner


On 28.08.2020 at 22:33, Shaun Thompson <[hidden email]> wrote:

At least for the JUnit plugin they are referencing an older version of Jenkins.

The compile time dependency is < 2.250, yes. But it will be replaced with the version you actually installed in Jenkins. But can you see the chart? Can you upgrade to 2.254 and retry?


Re: JavaScriptMethod & 403 - No valid crumb was included in the request

Shaun Thompson
Upgraded to 2.254 and now my plugin isn't loaded on startup but is shown as installed on the manage plugins page. 

The source posted above still appears to be the same for 2.254 so I assume the problem still persists.

Once I figure out why my plugin isn't loading I'll test again.

On Friday, August 28, 2020 at 3:41:11 PM UTC-5 [hidden email] wrote:


Re: JavaScriptMethod & 403 - No valid crumb was included in the request

Shaun Thompson
So the JUnit plugin JavaScript method works as it adds both `Crumb` and `Jenkins-Crumb` to the outgoing request headers.

This method is invoked through the echarts API but I haven't found any reference yet where it would append to the request headers.

On Friday, August 28, 2020 at 4:28:13 PM UTC-5 Shaun Thompson wrote:

Re: JavaScriptMethod & 403 - No valid crumb was included in the request

Shaun Thompson
So the difference between the JUnit @JavaScriptMethod and mine is that I'm using jQuery.

bind.js in the JUnit scenario will use Ajax.Request, which has a patch in prototype.js that adds the additional header `Jenkins-Crumb`:

// KK patch -- handle crumb for POST automatically by adding a header
if(this.options.method=="post") {
    if(this.options.requestHeaders==undefined)
        this.options.requestHeaders = {};
    crumb.wrap(this.options.requestHeaders);
}
// KK patch until here

For now I'll use the startup param -Dhudson.security.csrf.requestfield=Crumb to work past this.

On Friday, August 28, 2020 at 9:28:12 PM UTC-5 Shaun Thompson wrote:
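A model of the crumb check this thread describes, as an added example that is not code from the thread, from Stapler or from Jenkins: it sends the headers of each bind.js branch through a filter that accepts the crumb under the configured request field (default `Jenkins-Crumb`) or the older `.crumb` field, and shows the -Dhudson.security.csrf.requestfield=Crumb workaround beside a client-side alternative. The function names, the crumb value and the filter's internals are constructed assumptions.

```javascript
// Added example (not code from this thread, from Stapler or from Jenkins): a
// model of the crumb check described in the thread, applied to the headers
// each bind.js branch sends. crumbFilterModel, buildJQueryHeaders,
// buildPrototypeHeaders, wrapCrumb, evaluateScenarios and SAMPLE_CRUMB are
// constructed for this example; the real CrumbFilter internals are not shown.

// Constructed crumb value; in Jenkins the server issues it per session.
const SAMPLE_CRUMB = 'constructed-crumb-0123456789abcdef';

// Server side (model): accept the crumb from the configured request field
// (default `Jenkins-Crumb`, which -Dhudson.security.csrf.requestfield changes)
// or from the older `.crumb` field, then compare it with the expected value.
// Header names are compared case-insensitively, as HTTP requires.
function crumbFilterModel(request, expectedCrumb, requestField = 'Jenkins-Crumb') {
  const headers = {};
  for (const [name, value] of Object.entries(request.headers || {})) {
    headers[name.toLowerCase()] = value;
  }
  const params = request.params || {};
  let presented = headers[requestField.toLowerCase()];
  if (presented === undefined) presented = headers['.crumb'];
  if (presented === undefined) presented = params['.crumb'];
  if (presented === undefined || presented !== expectedCrumb) {
    return { status: 403, reason: 'No valid crumb was included in the request' };
  }
  return { status: 200, reason: 'OK' };
}

// Client side, jQuery branch of bind.js as quoted in the thread: the crumb is
// sent only under the header name `Crumb`, and nothing else adds `Jenkins-Crumb`.
function buildJQueryHeaders(crumb) {
  return {
    'Content-Type': 'application/x-stapler-method-invocation;charset=UTF-8',
    'Crumb': crumb,
  };
}

// Model of what the prototype.js "KK patch" does through crumb.wrap(): add the
// crumb under the field name the server is configured to look for.
function wrapCrumb(requestHeaders, crumb, requestField = 'Jenkins-Crumb') {
  requestHeaders[requestField] = crumb;
  return requestHeaders;
}

// Client side, prototype branch of bind.js: bind.js sets `Crumb`, and the
// patched Ajax.Request adds `Jenkins-Crumb` on every POST, so both are present.
function buildPrototypeHeaders(crumb) {
  const headers = {
    'Content-type': 'application/x-stapler-method-invocation;charset=UTF-8',
    'Crumb': crumb,
  };
  return wrapCrumb(headers, crumb);
}

// The HTTP status each scenario from the thread receives from the model filter.
function evaluateScenarios(crumb) {
  const post = (headers, field) => crumbFilterModel({ headers }, crumb, field).status;
  return {
    // The custom plugin: jQuery active, only `Crumb` sent -> 403.
    jquery: post(buildJQueryHeaders(crumb)),
    // JUnit trend chart: prototype path, `Jenkins-Crumb` added by the patch -> 200.
    prototype: post(buildPrototypeHeaders(crumb)),
    // Server started with -Dhudson.security.csrf.requestfield=Crumb: the
    // jQuery headers now match the configured field, at the cost of changing
    // the server-wide field name for every client.
    jqueryWithRequestFieldWorkaround: post(buildJQueryHeaders(crumb), 'Crumb'),
    // Client-side alternative: wrap the jQuery headers the way the prototype
    // patch does, leaving the server configuration at its default.
    jqueryWithWrappedHeaders: post(wrapCrumb(buildJQueryHeaders(crumb), crumb)),
    // A cross-site request cannot read the crumb, so a POST without it, or
    // with a stale one, is still rejected in every configuration.
    missingCrumb: post({}),
    staleCrumb: post(wrapCrumb({}, 'constructed-stale-crumb')),
  };
}

console.log(evaluateScenarios(SAMPLE_CRUMB));
```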

Re: JavaScriptMethod & 403 - No valid crumb was included in the request

Ulli Hafner
I see. Then this is a bug indeed. 

On 29.08.2020 at 04:58, Shaun Thompson <[hidden email]> wrote:


Re: JavaScriptMethod & 403 - No valid crumb was included in the request

Ulli Hafner

I can confirm the bug. It seems that something in the latest Jenkins versions changed that gets Ajax calls blocked that worked before (the latest LTS works fine). Ajax works on the job page (trend charts) but not on individual plugin views that use JS (and jQuery). E.g. my warnings plugin tables will now be blocked with the same error message (no valid crumb in request).

Does anybody have an idea when such a change was integrated?


On 29.08.2020 at 09:58, Ullrich Hafner <[hidden email]> wrote:

I see. Then this is a bug indeed. 

On 29.08.2020 at 04:58, Shaun Thompson <[hidden email]> wrote:

So the difference between the JUnit @JavaScriptMethod and mine is that I'm using jQuery.

bind.js in the JUnit scenario will use Ajax.Request, which has a patch in prototype.js that adds the additional header `Jenkins-Crumb`:

// KK patch -- handle crumb for POST automatically by adding a header
    if(this.options.method=="post") {
        if(this.options.requestHeaders==undefined)
            this.options.requestHeaders = {};
        crumb.wrap(this.options.requestHeaders);
    }
// KK patch until here

For now I'll use the startup param -Dhudson.security.csrf.requestfield=Crumb to work past this.

On Friday, August 28, 2020 at 9:28:12 PM UTC-5 Shaun Thompson wrote:
So the JUnit plugin JavaScript method works as it adds both `Crumb` and `Jenkins-Crumb` to the outgoing request headers.

This method is invoked through the echarts API but I haven't found any reference yet where it would append to the request headers.

On Friday, August 28, 2020 at 4:28:13 PM UTC-5 Shaun Thompson wrote:
Upgraded to 2.254 and now my plugin isn't loaded on startup but is shown as installed on the manage plugins page. 

The source posted above still appears to be the same for 2.254 so I assume the problem still persists.

Once I figure out why my plugin isn't loading I'll test again.

On Friday, August 28, 2020 at 3:41:11 PM UTC-5 [hidden email] wrote:

On 28.08.2020 at 22:33, Shaun Thompson <[hidden email]> wrote:

At least for the JUnit plugin they are referencing an older version of Jenkins.


The compile time dependency is < 2.250, yes. But it will be replaced with the version you actually installed in Jenkins. But can you see the chart? Can you upgrade to 2.254 and retry?

Looking at org/kohsuke/stapler/bind.js shows the following:

            if(window.jQuery === window.$) { //Is jQuery the active framework?
                $.ajax({
                    type: "POST",
                    url: url+methodName,
                    data: stringify(a),
                    contentType: 'application/x-stapler-method-invocation;charset=UTF-8',
                    headers: {'Crumb':crumb},
                    dataType: "json",
                    success: function(data, textStatus, jqXHR) {
                        if (callback!=null) {
                            var t = {};
                            t.responseObject = function() {
                                return data;
                            };
                            callback(t);
                        }
                    }
                });
            } else { //Assume prototype should work
                new Ajax.Request(url+methodName, {
                    method: 'post',
                    requestHeaders: {'Content-type':'application/x-stapler-method-invocation;charset=UTF-8','Crumb':crumb},
                    postBody: stringify(a),
                    onSuccess: function(t) {
                        if (callback!=null) {
                            t.responseObject = function() {
                                return eval('('+this.responseText+')');
                            };
                            callback(t);
                        }
                    }
                });
            }


On Friday, August 28, 2020 at 3:20:58 PM UTC-5 ullrich...@gmail.com wrote:
I’m on 2.254 and there everything looks good on the JS side.  

Can you see the JUnit or warnings trend charts? They use @JavaScriptMethod as well. 

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/2371542E-E2DE-4C6D-82DF-1BEE41AE10C1%40gmail.com.
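Added example, not code from the thread, from Jenkins or from Stapler: a small Node.js model of the mismatch discussed above (the jQuery branch of bind.js sending the token as `Crumb` while the filter looks for `Jenkins-Crumb` or `.crumb`), the `crumb.wrap` path that makes the prototype branch work, and the effect of the `-Dhudson.security.csrf.requestfield=Crumb` workaround. The issuer object, the `crumbFilterAccepts` function and the token value are constructed for illustration and are not Jenkins' real implementation.

```javascript
// Constructed model of the crumb handling discussed in the thread (not
// Jenkins' or Stapler's own code). Header lookup is case-insensitive, as
// in the servlet API. The default accepted field name is "Jenkins-Crumb";
// the -Dhudson.security.csrf.requestfield system property can change it.
const DEFAULT_CRUMB_FIELD = 'Jenkins-Crumb';

function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === wanted) return v;
  }
  return undefined;
}

// Models the CrumbFilter decision described in the thread: only the
// configured field name (or the legacy ".crumb" name) is honoured, so a
// bare "Crumb" header is ignored and the request is rejected with 403.
function crumbFilterAccepts(headers, expectedValue, field = DEFAULT_CRUMB_FIELD) {
  let sent = getHeader(headers, field);
  if (sent === undefined) sent = getHeader(headers, '.crumb');
  return sent !== undefined && sent === expectedValue;
}

// What the jQuery branch of bind.js sends: the token under "Crumb" only.
function bindJsJqueryHeaders(crumbValue) {
  return { 'Crumb': crumbValue };
}

// Models crumb.wrap() from Jenkins' crumb.js, which the prototype.js patch
// quoted in the thread calls: add the token under the issuer's field name.
function wrapWithCrumb(headers, issuer) {
  if (issuer.fieldName) headers[issuer.fieldName] = issuer.value;
  return headers;
}

// Constructed sample issuer (hypothetical, not a real Jenkins crumb value).
const ISSUER = { fieldName: DEFAULT_CRUMB_FIELD, value: 'constructed-crumb-token' };

function demo() {
  const jqueryOnly = bindJsJqueryHeaders(ISSUER.value);
  const wrapped = wrapWithCrumb(bindJsJqueryHeaders(ISSUER.value), ISSUER);
  return {
    jqueryRejected: !crumbFilterAccepts(jqueryOnly, ISSUER.value),            // the 403 from the thread
    wrappedAccepted: crumbFilterAccepts(wrapped, ISSUER.value),                // prototype path: both headers
    workaroundAccepted: crumbFilterAccepts(jqueryOnly, ISSUER.value, 'Crumb'), // requestfield=Crumb
  };
}

console.log(demo());
```

The workaround line shows why renaming the accepted field makes the jQuery path pass: it widens what the filter honours rather than fixing the header the client sends.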