[JENKINS-64933] Configure Systems - Apply and Save not working with tomcat

[timja]

 Under Manage Jenkins --> Configure Systems section, if i click apply or save button it shows below error on browser(Firefox, Chrome). I cannot Apply (Or) Save any configuration due to below errors.

HTTP Status 403 – Forbidden

Type Status Report

Message No valid crumb was included in the request

Description The server understood the request but refuses to authorize it. Apache Tomcat/9.0.30

 Do i need to add any additional configuration in my tomcat side? Please let me know.

 

---

Originally reported by smohan08, imported from: Configure Systems - Apply and Save not working with tomcat

• status: Open
• priority: Blocker
• resolution: Unresolved
• imported: 2022/01/10

[timja]

smohan08:

Same problem even in Jenkins 2.263.4, apache-tomcat-9.0.43 and openjdk version "1.8.0_282 as well.

[timja]

smohan08:

Solution tried :-

1) Under Configure Global security --> CSRF Protection -->Enable proxy compatibility( Tick marked Enabled). - Didn't work so disabled with below command.
2) hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = true - Even after this also didn't work.
3) Installed the Strict Crumb Issuer plugin. Enabled this plugin and uncheck Check the session ID from its configuration (Under Jenkins Configure Global Security). 
4) Restated the Jenkins.

01-Mar-2021 08:12:10.604 WARNING [Handling POST /jenkins/configSubmit from 45.46.58.59 : http-nio-8080-exec-2] hudson.security.csrf.CrumbFilter.doFilter No valid crumb was included in request for /jenkins/configSubmit by sumit.mital. Returning 403.

Still same problem persists.

[timja]

smohan08:

Jenkins > Manage Jenkins > Configure Global Security > CSRF Protection - Default Crumb Issuer tried by ticked and Un-ticked the Enable Proxy Compatibility.  But no success. still getting same error.

[timja]

smohan08:

Jenkins > Manage Jenkins > Configure Global Security - Apply works. But Save results same error.

[timja]

smohan08:

Even tried by addeding below in /apache-tomcat-9.0.43/conf/tomcat-users.xml file, however still same issue.

 

'1.0' encoding='utf-8'?>

    "manager-gui"/>
    "manager-script"/>
    "manager-jmx"/>
    "manager-status"/>
    "admin-gui"/>
    "admin-script"/>
    "user" password="password" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script"/>

 

 

[timja]

smohan08:

Any help would be much appreciated

[timja]

markewaite:

My best suggestion is to not try to run Jenkins under tomcat. Run it as a separate application so that you don't need to wrestle with Tomcat configuration.

If you need a reverse proxy between the user and Jenkins, consider nginx, Apache, HAProxy, or Squid as described in reverse proxy configuration.

[timja]

smohan08:

We have been running our jenkins under tomcat for last 10 years until we upgrade our jenkins from 2.235.5 (LTS) to 2.263.1-LTS we had no issue.

Sure we will consider to move out of tomcat.

Nginx reverse proxy side seems no issues, because i have tested without nginx reverse proxy even in that too facing same problem.

it looks CSRF is causing issue with tomcat. still digging. hopefully will sorted out.

 

[timja]

smohan08:

Tested with Jenkins - 2.235.5-LTS and with same version of apache-tomcat-9.0.43 here there is no issue.