Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 355927

Summary: running of build fails with Unexpected error: Forbidden when Cross Site Request Forgery prevention is enabled
Product: z_Archived Reporter: Terence Miller <cforce>
Component: MylynAssignee: Steffen Pingel <steffen.pingel>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: P3 CC: cforce, klemens.muthmann, philipp.kapfer, taciano.tres
Version: unspecifiedKeywords: helpwanted
Target Milestone: 0.9   
Hardware: PC   
OS: Windows XP   
Whiteboard:
Bug Depends on: 356788, 367573    
Bug Blocks:    

Description Terence Miller CLA 2011-08-26 05:29:16 EDT 
Build Identifier: I20110613-1736

org.eclipse.core.runtime.CoreException: Unexpected error: Forbidden
	at org.eclipse.mylyn.internal.hudson.core.HudsonCorePlugin.toCoreException(HudsonCorePlugin.java:61)
	at org.eclipse.mylyn.internal.hudson.core.HudsonServerBehaviour.runBuild(HudsonServerBehaviour.java:738)
	at org.eclipse.mylyn.builds.internal.core.operations.RunBuildOperation$1.doExecute(RunBuildOperation.java:55)
	at org.eclipse.mylyn.builds.internal.core.operations.BuildJob.run(BuildJob.java:79)
	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
Caused by: org.eclipse.mylyn.internal.hudson.core.client.HudsonException: Forbidden
	at org.eclipse.mylyn.internal.hudson.core.client.HudsonOperation.run(HudsonOperation.java:34)
	at org.eclipse.mylyn.internal.hudson.core.client.RestfulHudsonClient.runBuild(RestfulHudsonClient.java:397)
	at org.eclipse.mylyn.internal.hudson.core.HudsonServerBehaviour.runBuild(HudsonServerBehaviour.java:736)
	... 3 more
Caused by: java.io.IOException: Forbidden
	at org.eclipse.mylyn.commons.http.CommonHttpClient.needsReauthentication(CommonHttpClient.java:105)
	at org.eclipse.mylyn.commons.http.HttpOperation.needsReauthentication(HttpOperation.java:102)
	at org.eclipse.mylyn.commons.http.HttpOperation.execute(HttpOperation.java:76)
	at org.eclipse.mylyn.internal.hudson.core.client.RestfulHudsonClient$7.execute(RestfulHudsonClient.java:390)
	at org.eclipse.mylyn.internal.hudson.core.client.HudsonOperation.run(HudsonOperation.java:32)
	... 5 more
Caused by: java.lang.UnsupportedOperationException
	at org.eclipse.mylyn.internal.commons.repositories.LocationService.requestCredentials(LocationService.java:93)
	at org.eclipse.mylyn.builds.internal.core.util.RepositoryWebLocation.requestCredentials(RepositoryWebLocation.java:55)
	at org.eclipse.mylyn.commons.http.CommonHttpClient.needsReauthentication(CommonHttpClient.java:99)
	... 9 more



eclipse.buildId=I20110613-1736
java.version=1.7.0
java.vendor=Oracle Corporation
BootLoader constants: OS=win32, ARCH=x86, WS=win32, NL=de_DE
Framework arguments:  -product org.eclipse.epp.package.jee.product
Command-line arguments:  -data C:\DevMine\workspace\Java -os win32 -ws win32 -arch x86 -product org.eclipse.epp.package.jee.product

Jenkins ver. 1.424 on Tomcat 7 on Windows Server 2008

Running build with saem user/pwd from Jenkins web-gui works without problems.

Reproducible: Always

Steps to Reproduce:
1.Install Jenkins as build sever in Builds view
2. Choose a build job in build view job list below jenkins build server instance and click run
3.Running of build fails
Comment 1 Steffen Pingel CLA 2011-08-26 08:27:29 EDT 
Can you check if an entry for the Jenkins username and password was created in the preferences under General > Secure Storage > Contents: org.eclipse.mylyn.commons.repository?
Comment 2 Terence Miller CLA 2011-08-26 09:01:50 EDT 
Yes, there are two entries:

org.eclipse.mylyn.tasklist.repositories.password
org.eclipse.mylyn.tasklist.repositories.user

I deleted secure storage, then saved user/pwd after "Validate" in Server properties in Build View via Secure Storage agaian - refreshed job List and selected gob to run.

Same Error!
Comment 3 Steffen Pingel CLA 2011-08-27 16:52:20 EDT 
Thanks for the information. The connector currently only support authenticating through HTTP. I suspect that authentication is failing since your server expects a different type of login.

Is your server publicly accessible? If not, can you check if it uses the standard form-based login mechanism (e.g. http://mylyn.org/jenkins-latest/login?from=%2Fjenkins-latest%2F)?
Comment 4 Terence Miller CLA 2011-08-27 19:22:45 EDT 
(In reply to comment #3)
> Thanks for the information. The connector currently only support authenticating
> through HTTP. I suspect that authentication is failing since your server
> expects a different type of login.
We use the build in ldap support to authtenticate , but standard http form based

> Is your server publicly accessible? If not, can you check if it uses the
> standard form-based login mechanism (e.g.
> http://mylyn.org/jenkins-latest/login?from=%2Fjenkins-latest%2F)?

Our login form looks similar in jekins lookup is done via ldap
Comment 5 Terence Miller CLA 2011-08-30 10:23:22 EDT 
I managed to locate the origin of that bug.

When i disable the checkbox
"Prevent from Cross Site Request Forgery" attacks in Jenkins global settings the bug disappears. 

Mylyn can't handle the crumb security feature to prevent csrf attacks . That is a major secuity flaw in my opinion.
Can you fix thta bug please!

Tx for support.
Comment 6 Steffen Pingel CLA 2011-08-30 17:19:53 EDT 
*** Bug 341414 has been marked as a duplicate of this bug. ***
Comment 7 Steffen Pingel CLA 2011-08-30 17:34:58 EDT 
Thanks for investigating that. I don't agree that this a security flaw since it doesn't work. Obviously support for this security feature should be implemented to enable running of builds when the "Prevent from Cross Site Request Forgery" setting is active. I have updated the summary accordingly.

Request wise it looks like there is a script tag that initializes JavaScript magic:

<script>crumb.init(".crumb", "540de756e8c00c046a3a739a85cfe701");</script>

This causes an additional header to be included in the request:

.crumb: 540de756e8c00c046a3a739a85cfe701
Comment 8 Steffen Pingel CLA 2011-12-27 08:08:02 EST 
I have committed a first pass at this. The fix is in master and will be available in the next weekly build (first week of 2012).
Comment 9 Steffen Pingel CLA 2012-01-14 08:58:45 EST 
A new weekly build now is available from http://eclipse.org/mylyn/downloads/#weekly . Please retry with the latest and reopen this bug if the problem persists.
Comment 10 Philipp Kapfer CLA 2018-07-06 03:20:30 EDT 
Starting a build job from inside Eclipse is failing again in newer versions of Jenkins (I'm currently using 2.121.1).

The crumb name has changed from ".crumb" to "Jenkins-Crumb":
<script>crumb.init("Jenkins-Crumb", "c4daeb35223b76650d04d5dda1d96cab");</script>