HI Mark,

Thanks, this pointed me in the right direction.  Turns out my underlying 
problem was that while the PowerShell curl alias accepts the 
http://<username>:<password>@url format, it appears to ignore everything 
before the @.  

Once I figured that out it was a simple case or replacing the password with 
the API token from Jenkins, and you then do not need to persist the 
session, or bother with the crumb issuer at all.

On Monday, 2 September 2019 11:25:53 UTC+1, Mark Waite wrote:
>
> I used curl to request the crumb and the session ID and then passed that 
> crumb and session ID to a later curl call which performed the work I needed 
> to do.
>
> Refer to 
> https://github.com/MarkEWaite/jenkins-bugs/blob/6db4ea8ef277dbe496346d8ceaebdb12029d870c/reportScanLogResults#L56
>  
> for the "cookie jar" that remembers the session ID.
>
> Refer to 
> https://github.com/MarkEWaite/jenkins-bugs/blob/6db4ea8ef277dbe496346d8ceaebdb12029d870c/reportScanLogResults#L89
>  
> for a use of that "cookie jar".
>
> I think the topic of API use (including cookie use and various 
> alternatives to call the API) deserves a future topic for a "How-To Guide" 
> to be added to https://jenkins.io/doc/developer/guides/ .
>
> On Mon, Sep 2, 2019 at 4:09 AM James Telfer <jamesw...@gmail.com 
> <javascript:>> wrote:
>
>> Hi,
>>
>> I've been bitten by the security fix in Jenkins LTS 2.176.3 to the CSRF 
>> protection, specifically the tying of a crumb to the session ID it was 
>> generated in.
>>
>> There is a note in the upgrade guide 
>> <https://jenkins.io/doc/upgrade-guide/2.176/#SECURITY-626> which 
>> suggests I can trigger builds using an API token without requiring a crumb, 
>> which is pretty much what I want to be able to do.  It appears that I 
>> should be able to do this by sending a POST of the form: 
>> http://<username>:<API 
>> Token>@<Jenkins job URL>/build
>>
>>  But I always get back a 403 No valid crumb was included in the request, 
>> which while 100% accurate was not what I expected.
>>
>> Any idea how I can do this?
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Jenkins Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to jenkins...@googlegroups.com <javascript:>.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/jenkinsci-users/97c3ff89-83ab-42f9-bb89-72922a940383%40googlegroups.com
>>  
>> <https://groups.google.com/d/msgid/jenkinsci-users/97c3ff89-83ab-42f9-bb89-72922a940383%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>>
>
>
> -- 
> Thanks!
> Mark Waite
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/805d0f0a-e5a3-4660-8e33-dfadb8b4c2c5%40googlegroups.com.

Reply via email to