Please clarify: Jenkins REST API with CSRF needs crumbs for user:PASSWORD, but not user:API_TOKEN?

↘锁芯ラ submitted on 2019-12-10 22:39:02

Question


I found that with CSRF Protection enabled, I can either issue a POST request with a crumbs header and username:PASSWORD for the basic auth header:

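import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Basic auth with username:PASSWORD, plus the Jenkins-Crumb header
String basic = "<username>:<PASSWORD>";
HttpURLConnection c = (HttpURLConnection) new URL("https://host.com/jenkins/quietDown").openConnection();
c.setInstanceFollowRedirects(false);
c.setRequestMethod("POST");
c.addRequestProperty("Jenkins-Crumb", "<CRUMB>");
c.addRequestProperty("Authorization", "Basic " + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
c.getInputStream().close(); // sends the request; throws IOException on an HTTP error status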

or use username:APITOKEN for the basic auth header, in which case the crumbs header is not necessary:

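import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Basic auth with username:APITOKEN, no Jenkins-Crumb header
String basic = "<username>:<APITOKEN>";
HttpURLConnection c = (HttpURLConnection) new URL("https://host.com/jenkins/quietDown").openConnection();
c.setInstanceFollowRedirects(false);
c.setRequestMethod("POST");
c.addRequestProperty("Authorization", "Basic " + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
c.getInputStream().close(); // sends the request; throws IOException on an HTTP error status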

Question:

  • Is this intended usage (username:APITOKEN without crumbs header)? The documentation and existing SO answers are vague.

Using Jenkins 2.164.3 and Java 8.

Source: https://stackoverflow.com/questions/56138723/please-clarify-jenkins-rest-api-with-csrf-needs-crumbs-for-userpassword-but-n
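An added example, not part of the original question: it shows where the `<CRUMB>` placeholder and the `Jenkins-Crumb` header name in the first snippet come from, and builds the header set for both cases the question describes. It assumes the crumb was fetched from Jenkins' `crumbIssuer/api/json` endpoint; the JSON sample, the user `alice`, and the class and method names are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JenkinsAuthHeaders {
    // Constructed sample of a GET <jenkins>/crumbIssuer/api/json response (not a real crumb).
    static final String SAMPLE_CRUMB_JSON =
        "{\"_class\":\"hudson.security.csrf.DefaultCrumbIssuer\","
      + "\"crumb\":\"0123456789abcdef0123456789abcdef\",\"crumbRequestField\":\"Jenkins-Crumb\"}";

    // Pulls one string field out of the flat crumb JSON; fails closed if it is missing.
    static String field(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        if (!m.find()) throw new IllegalArgumentException("crumb response lacks " + name);
        return m.group(1);
    }

    // crumbJson == null models the username:APITOKEN case from the question (no crumb header sent).
    static Map<String, String> headers(String user, String secret, String crumbJson) {
        Map<String, String> h = new LinkedHashMap<>();
        String basic = user + ":" + secret;
        h.put("Authorization", "Basic " + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
        if (crumbJson != null) {
            // Use the header name the server announces instead of hard-coding it.
            h.put(field(crumbJson, "crumbRequestField"), field(crumbJson, "crumb"));
        }
        return h;
    }

    public static void main(String[] args) {
        System.out.println(headers("alice", "<PASSWORD>", SAMPLE_CRUMB_JSON).keySet());
        System.out.println(headers("alice", "<APITOKEN>", null).keySet());
    }
}
```

Each returned entry can be passed to `addRequestProperty` on the `HttpURLConnection` used in the snippets above.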
