Jenkins CSRF: how to use the Build Token Root Plugin to call the crumbIssuer ? (anonymous access)

Asked Jul 12 '18 at 20:49

Active Jul 12 '18 at 20:49

Viewed 334 times

Jenkins version: 2.121.1 .

Global security: LDAP + Matrix-based security . No access rights for Anonymous.

Since anonymous access is disabled, my script cannot get access to 'http://jenkins_host/crumbIssuer/api/json'. in order to get the CSRF token.

In https://issues.jenkins-ci.org/browse/JENKINS-45811, it is mentioned that the Build Token Root Plugin allows to workaround the access restriction for anonymous.

What I'm not sure is how to properly use this plugin in order to execute the crumbIssuer API? Because the plugin URL has a form such as 'buildByToken/build?job=RevolutionTest&token=TacoTuesday' , and it isn't clear to me how to execute '/crumbIssuer/api/json' with buildByToken.. (would I need to create a build job?)

Thanks!

asked Jul 12 '18 at 20:49

freeAR

Adding 'Overall:Read' lets anonymous execute the API (http://jenkins_host/crumbIssuer/api/json) without having to log in. This is just a temporary workaround I'm using, not the solution I'm looking for. I don't want to give any access to Anonymous. – freeAR Jul 12 '18 at 21:00

Jenkins CSRF: how to use the Build Token Root Plugin to call the crumbIssuer ? (anonymous access)

0 Answers0