This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
Crumb support is built into ServletConnectionAuthenticator, but this is bypassed when using API tokens. The symptom is that when logging in as (say) jglick to builds.apache.org and trying to start Ant_BuildFromPOMs from NetBeans, you are repeatedly prompted for a password or API token and the build is never started. Explicitly logging in first does not help. The problem is that ServletConnectionAuthenticator is canceled out of, APITokenConnectionAuthenticator is called, and this yields a valid login (200) on a GET request; but then when POSTing delay=0sec to /build, Jenkins checks for a crumb (only required on POST requests!), sending a 403 “No valid crumb was included in the request”. NetBeans sees the 403 and prompts you to log in again.
Created attachment 129973 [details] Proposed patch
Integrated as http://hg.netbeans.org/core-main/rev/e09b72c6b1bf Thanks, Jesse!
Integrated into 'main-golden', will be available in build *201301090001* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress) Changeset: http://hg.netbeans.org/main-golden/rev/e09b72c6b1bf User: Jesse Glick <jglick@netbeans.org> Log: #224586: permit API token authentication when using crumbs for CSRF protection. Crumb handling is orthogonal to authentication so should be handled in ConnectionBuilder.