On Mon, Nov 4, 2013 at 3:36 AM, Zoltan Krakko <[email protected]> wrote:
> Currently I have to use -Dhudson.model.Api.INSECURE=true to
> make my app work, but I would like to modify it to work without this hack.

Use 1.537 or later and write a plugin implementing the API from JENKINS-16936 [1] to authorize only appropriate requests. Probably the most useful such plugin for the community as a whole is one that would allow requests coming from specific hosts or domains to go through.

Or it might suffice to authorize requests with no Referer at all (if you can be sure that all vulnerable browser-based requests would have a Referer); or to authorize requests using an API token to authenticate (check req.getAttribute(ApiTokenProperty.class.getName()) instanceof User).

[1] https://issues.jenkins-ci.org/browse/JENKINS-16936
