我想使用Jenkins远程API,并且正在寻找安全的解决方案。我碰到了Prevent Cross Site Request Forgery exploits,我想使用它,但是我读到某个地方,你必须提出一个面包屑请求。
Prevent Cross Site Request Forgery exploits
如何获得面包屑请求以使API正常工作?
我找到了https://github.com/entagen/jenkins-build-per-branch/pull/20,但仍然不知道如何解决。
https://github.com/entagen/jenkins-build-per-branch/pull/20
我的詹金斯版本是1.50.x。
使用POST请求时,经过身份验证的远程API请求以403响应
我也没有在文档中找到这个。此代码已针对较旧的Jenkins(1.466)进行了测试,但仍可以使用。
要发出面包屑,请使用 crumbIssuer
crumbIssuer
// left out: you need to authenticate with user & password -> sample below HttpGet httpGet = new HttpGet(jenkinsUrl + "crumbIssuer/api/json"); String crumbResponse = toString(httpclient, httpGet); CrumbJson crumbJson = new Gson().fromJson(crumbResponse, CrumbJson.class);
这会给你这样的回应
{"crumb":"fb171d526b9cc9e25afe80b356e12cb7","crumbRequestField":".crumb"}
其中包含您需要的两条信息
如果您现在想从詹金斯(Jenkins)那里获取东西,请将面包屑添加为标题。在下面的示例中,我获取了最新的构建结果。
HttpPost httpost = new HttpPost(jenkinsUrl + "rssLatest"); httpost.addHeader(crumbJson.crumbRequestField, crumbJson.crumb);
这里是整体示例代码。我正在使用gson 2.2.4解析响应,其余部分则使用Apache的httpclient 4.2.3。
import org.apache.http.auth.*; import org.apache.http.client.*; import org.apache.http.client.methods.*; import org.apache.http.impl.client.*; import com.google.gson.Gson; public class JenkinsMonitor { public static void main(String[] args) throws Exception { String protocol = "http"; String host = "your-jenkins-host.com"; int port = 8080; String usernName = "username"; String password = "passwort"; DefaultHttpClient httpclient = new DefaultHttpClient(); httpclient.getCredentialsProvider().setCredentials( new AuthScope(host, port), new UsernamePasswordCredentials(usernName, password)); String jenkinsUrl = protocol + "://" + host + ":" + port + "/jenkins/"; try { // get the crumb from Jenkins // do this only once per HTTP session // keep the crumb for every coming request System.out.println("... issue crumb"); HttpGet httpGet = new HttpGet(jenkinsUrl + "crumbIssuer/api/json"); String crumbResponse= toString(httpclient, httpGet); CrumbJson crumbJson = new Gson() .fromJson(crumbResponse, CrumbJson.class); // add the issued crumb to each request header // the header field name is also contained in the json response System.out.println("... issue rss of latest builds"); HttpPost httpost = new HttpPost(jenkinsUrl + "rssLatest"); httpost.addHeader(crumbJson.crumbRequestField, crumbJson.crumb); toString(httpclient, httpost); } finally { httpclient.getConnectionManager().shutdown(); } } // helper construct to deserialize crumb json into public static class CrumbJson { public String crumb; public String crumbRequestField; } private static String toString(DefaultHttpClient client, HttpRequestBase request) throws Exception { ResponseHandler<String> responseHandler = new BasicResponseHandler(); String responseBody = client.execute(request, responseHandler); System.out.println(responseBody + "\n"); return responseBody; } }
