Cross-Site Request Forgery (CSRF) Protection


Jenkins is usually installed with Cross-Site Request Forgery Protection turned on. With it enabled, any state-changing request to the REST API (for example triggering a job) is rejected unless it carries a so-called "crumb", an anti-CSRF token that Jenkins issues to an authenticated user. The crumb is not a substitute for credentials: you still authenticate with a username and password or API token, and the crumb only proves that the request comes from a client that first asked Jenkins for it. If CSRF Protection is on and you call the REST API without the crumb header, the response (an HTTP 403) looks something like the following:

JenkinsConfiguration_8.png

Setting CSRF Protection

Turning the protection off is not recommended. Instead, modify your API call to include the crumb header. To obtain the crumb, first make sure that CSRF Protection is turned on by going to Manage Jenkins -> Configure Global Security and scrolling down to the CSRF Protection section:

JenkinsConfiguration_9.png

Make sure the checkbox is checked and the "Default Crumb Issuer" radio button is selected. Next, determine the correct crumb to use in your further REST calls. This page explains the details in general.

Getting the Jenkins crumb

Use a REST API tool, for example ARC (the Advanced REST Client extension for Chrome), to issue the required GET call:

http://<jenkins URL>/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)

The response is the name of the header to send, a colon, and the crumb value, for example Jenkins-Crumb:<value>. Two caveats apply. In recent Jenkins versions (since 2019) the crumb is bound to the web session that requested it, so the session cookie (JSESSIONID) returned with this GET must be sent along with the later call, otherwise the crumb is rejected as invalid. And since Jenkins 2.96, requests authenticated with a user API token instead of a password do not need a crumb at all, which is the simpler option for scripts.

JenkinsConfiguration_10.png

Important

Make sure to include an Authorization header; in ARC, use the pencil button to provide the credentials for your Jenkins server (Basic authentication with your username and password or API token).


JenkinsConfiguration_11.png

Without the Authorization header and valid credentials, the crumb request fails:

JenkinsConfiguration_12.png

Using the Jenkins crumb in a REST call

To use the crumb in a REST call, include the Jenkins-Crumb header (the header name is the crumbRequestField value returned above) together with the same Authorization header and, where the crumb is session-bound, the session cookie from the crumb request. In ARC this looks like the following:

JenkinsConfiguration_13.png
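The same two steps scripted with curl, as an added example that is not part of the original page or of Jenkins itself. It fetches the crumb with the xpath query shown above, keeps the session cookie in a jar so a session-bound crumb stays valid, and then triggers a job. JENKINS_URL, JENKINS_USER, JENKINS_PASS and the job name are placeholder assumptions, overridable through the environment; the API-token variant shows the crumb-free path.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): fetch a Jenkins crumb with curl
# and use it to trigger a job. JENKINS_URL, JENKINS_USER, JENKINS_PASS and the
# job name are placeholder assumptions; override them through the environment.
set -eu

JENKINS_URL="${JENKINS_URL:-http://localhost:8080}"
JENKINS_USER="${JENKINS_USER:-admin}"
JENKINS_PASS="${JENKINS_PASS:-changeme}"

# The crumb is bound to the web session that requested it, so the session
# cookie from the crumb request must travel with the later POST.
COOKIE_JAR="$(mktemp)"
trap 'rm -f "$COOKIE_JAR"' EXIT

# Turn the crumbIssuer reply, e.g. "Jenkins-Crumb:0123abcd", into a header
# line suitable for curl -H. Fails if the reply is not of the form field:value.
crumb_header() {
  raw="$1"
  field="${raw%%:*}"
  value="${raw#*:}"
  [ "$field" != "$raw" ] && [ -n "$field" ] && [ -n "$value" ] || return 1
  printf '%s: %s' "$field" "$value"
}

# GET the crumb (same xpath query as the page uses; the quotes are URL-encoded
# as %22) and store the session cookie in the jar.
get_crumb() {
  curl -sS --fail -u "$JENKINS_USER:$JENKINS_PASS" -c "$COOKIE_JAR" \
    "$JENKINS_URL/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)"
}

# POST to /job/<name>/build with the crumb header, the same credentials and
# the session cookie. Without the cookie a session-bound crumb is rejected.
trigger_build() {
  job="$1"
  header="$(crumb_header "$(get_crumb)")"
  curl -sS --fail -X POST -u "$JENKINS_USER:$JENKINS_PASS" -b "$COOKIE_JAR" \
    -H "$header" "$JENKINS_URL/job/$job/build"
}

# Alternative: authenticate with a user API token instead of a password.
# Such requests do not need a crumb, so there is no session to carry.
trigger_build_with_token() {
  job="$1"
  token="$2"
  curl -sS --fail -X POST -u "$JENKINS_USER:$token" \
    "$JENKINS_URL/job/$job/build"
}

# Usage: ./jenkins-crumb.sh --run <job-name>
if [ "${1:-}" = "--run" ]; then
  trigger_build "${2:?job name required}"
fi
```

crumb_header deliberately refuses a reply without a field name or value, so a login page or error body returned in place of the crumb (for example when the credentials are wrong) aborts the script instead of being sent as a garbage header.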
