Bug 224586

Summary: Cannot authenticate using API tokens when CSRF enabled
Product: connecteddeveloper
Reporter: Jesse Glick <jglick>
Component: Hudson
Assignee: Jaroslav Havlin <jhavlin>
Status: RESOLVED FIXED
Severity: normal
Keywords: NETFIX
Priority: P2
Version: 7.2
Hardware: PC
OS: Linux
Issue Type: DEFECT
Exception Reporter:
Bug Depends on:
Bug Blocks: 193008, 195473
Attachments: Proposed patch

Description Jesse Glick 2013-01-07 18:38:17 UTC
Crumb support is built into ServletConnectionAuthenticator, but this is bypassed when using API tokens. The symptom is that when logging in as (say) jglick to builds.apache.org and trying to start Ant_BuildFromPOMs from NetBeans, you are repeatedly prompted for a password or API token and the build is never started.

Explicitly logging in first does not help. The problem is that ServletConnectionAuthenticator is canceled out of, APITokenConnectionAuthenticator is called, and this yields a valid login (200) on a GET request; but then when POSTing delay=0sec to /build, Jenkins checks for a crumb (only required on POST requests!), sending a 403 “No valid crumb was included in the request”. NetBeans sees the 403 and prompts you to log in again.

Comment 1 Jesse Glick 2013-01-07 18:49:16 UTC
Created attachment 129973
Proposed patch

Comment 2 Jaroslav Havlin 2013-01-08 09:35:27 UTC
Integrated as http://hg.netbeans.org/core-main/rev/e09b72c6b1bf
Thanks, Jesse!

Comment 3 Quality Engineering 2013-01-09 02:26:45 UTC
Integrated into 'main-golden', will be available in build *201301090001* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main-golden/rev/e09b72c6b1bf
User: Jesse Glick <jglick@netbeans.org>
Log: #224586: permit API token authentication when using crumbs for CSRF protection.
Crumb handling is orthogonal to authentication so should be handled in ConnectionBuilder.
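
The exchange described in this report, reproduced against a local mock server as an added example (not NetBeans or Jenkins code): a GET with a valid API token returns 200, a POST to /build without a crumb returns 403, and the same POST succeeds once the crumb is fetched in a step that does not depend on which authenticator produced the credentials. The user, token, crumb value, crumb field name, job name and the mock server itself are constructed for illustration; `/crumbIssuer/api/json` is the Jenkins crumb issuer endpoint.

```python
import base64, json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, TOKEN, CRUMB, FIELD = "alice", "0123abcd", "c0ffee", "Jenkins-Crumb"  # constructed
DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # bypass proxy env vars

def auth_headers(user, token):  # authentication layer: Basic auth, API token as password
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{token}".encode()).decode()}

class MockJenkins(BaseHTTPRequestHandler):  # constructed stand-in, not Jenkins code
    def serve(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain request body
        code, body = 200, b""
        if self.headers.get("Authorization") != auth_headers(USER, TOKEN)["Authorization"]:
            code = 401
        elif self.path == "/crumbIssuer/api/json":
            body = json.dumps({"crumbRequestField": FIELD, "crumb": CRUMB}).encode()
        elif self.command == "POST" and self.headers.get(FIELD) != CRUMB:
            code, body = 403, b"No valid crumb was included in the request"  # POST only
        self.send_response(code)
        self.end_headers()
        self.wfile.write(body)
    do_GET = do_POST = serve
    log_message = lambda self, *args: None  # keep the demo quiet

def fetch(base, path, headers, data=None):
    try:
        with DIRECT.open(urllib.request.Request(base + path, data=data, headers=headers)) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()

def start_build(base, auth, use_crumb):  # CSRF layer, independent of the authenticator
    headers = dict(auth)
    if use_crumb:
        code, body = fetch(base, "/crumbIssuer/api/json", auth)
        if code == 200:  # a missing issuer means CSRF protection is off
            info = json.loads(body)
            headers[info["crumbRequestField"]] = info["crumb"]
    return fetch(base, "/job/demo/build", headers, b"delay=0sec")[0]

def demo():
    srv = HTTPServer(("127.0.0.1", 0), MockJenkins)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base, auth = f"http://127.0.0.1:{srv.server_port}", auth_headers(USER, TOKEN)
    result = fetch(base, "/", auth)[0], start_build(base, auth, False), start_build(base, auth, True)
    srv.shutdown()
    return result

if __name__ == "__main__":
    print(demo())
```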