Hi,

This seems to be a deliberate security update.

This Jenkins issue tracker item 
( https://issues.jenkins-ci.org/browse/JENKINS-17005 ) says the flag was 
introduced as a temporary feature to let people keep using jsonp, until a 
new "security extension point" is created.

From looking at the Jenkins source code 
( https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/model/Api.java, 
lines 158 and 191 ), it seems the only effect of setting 
the hudson.model.Api.INSECURE flag to true is to allow jsonp and "primitive 
XPath result sets".

Alexis


On Tuesday, March 12, 2013 10:56:19 AM UTC, John Vacz wrote:
>
> Hi,
> we have some html+js hosted in JENKINS/userContent/, and using the rest 
> api (mainly jsonp, - we are planning to host those pages/script on a 
> dedicated server later) extensively to cumulate/reorganise the information 
> (both from Jenkins and other systems, like Jira) for different user groups. 
> They work on browser session/cookie basis, as long as the user is logged 
> in to Jenkins and Jira, then the scripts are working, no extra 
> authentication is necessary. So far this solution works perfectly and 
> helps a lot. 
>
> However since 1.502, Jenkins responds with 403 errors to the jsonp requests, 
> so the scripts basically do not work anymore. 
>
> <html><head><title>Error 403</title></head><body bgcolor="#ffffff">
> <h1>Status Code: 403</h1>
> Exception: jsonp forbidden; can use -Dhudson.model.Api.INSECURE=true if you 
> run without security<br>Stacktrace: 
> <pre>(none)</pre><br><hr size="1" width="90%">
> <i>Generated by Winstone Servlet Engine v0.9.10 at Tue Mar 12 11:12:31 CET 
> 2013</i></body></html>
>
> The jvm parameter suggested in the error message does eliminate the 
> error, and the scripts work again, but my concern is: does this parameter 
> make Jenkins access more open than necessary? Since we ARE using Jenkins 
> built-in user database plus Role-Based Strategy, no anonymous access 
> (https only).
>
> Is this a security update or some unexpected side effect? 
>
> Any suggestion is greatly appreciated.
> - jv
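As an added example (not code from this thread, from Alexis, or from the Jenkins project): the pages John describes are served from JENKINS/userContent/, i.e. from the same origin as the remote API, so they do not need JSONP at all. A same-origin `fetch()` sends the existing Jenkins session cookie and reads the plain `/api/json` response, which the 1.502 default (INSECURE flag left unset) still allows. The function names `jenkinsApiUrl`, `jenkinsGet` and `listJobs`, the injectable `fetchImpl` parameter and the host `ci.example.test` are assumptions made for this example.

```javascript
// Added example: replace JSONP <script> injection with a same-origin fetch()
// that rides on the browser's existing Jenkins login cookie.
// Assumption (not stated in the thread): the calling page is served from
// JENKINS_URL/userContent/, so the API is same-origin and no jsonp= is needed.

// Build a remote-API URL. `tree` is Jenkins' own query parameter for
// trimming the response to the fields you need, e.g. "jobs[name,color]".
function jenkinsApiUrl(base, path, tree) {
  const root = base.replace(/\/+$/, "");           // drop trailing slashes
  const p = path.replace(/^\/+|\/+$/g, "");         // drop leading/trailing slashes
  let url = p ? `${root}/${p}/api/json` : `${root}/api/json`;
  if (tree) url += `?tree=${encodeURIComponent(tree)}`;
  return url;
}

// GET JSON from Jenkins with the session cookie. There is no jsonp=
// parameter, so this works with hudson.model.Api.INSECURE left at its
// default. `fetchImpl` is injectable so the function can be exercised
// without a live Jenkins (hypothetical parameter, defaults to window.fetch).
async function jenkinsGet(base, path, tree, fetchImpl = globalThis.fetch) {
  const url = jenkinsApiUrl(base, path, tree);
  const res = await fetchImpl(url, {
    method: "GET",
    credentials: "same-origin",               // send the Jenkins session cookie
    headers: { Accept: "application/json" },
  });
  if (res.status === 403) {
    // Same status the thread shows for jsonp; here it means "not logged in
    // or missing permission" rather than "jsonp forbidden".
    throw new Error(`403 from ${url}: not logged in or no permission`);
  }
  if (!res.ok) throw new Error(`HTTP ${res.status} from ${url}`);
  return res.json();
}

// What used to be a JSONP call: list jobs with their status colours.
// Returns an array of "name: color" strings.
async function listJobs(fetchImpl) {
  const data = await jenkinsGet("/", "", "jobs[name,color]", fetchImpl);
  return data.jobs.map((j) => `${j.name}: ${j.color}`);
}
```

The planned move of these pages to a dedicated server is a different case: a page on another origin cannot read a same-origin fetch, and cross-site reading of cookie-authenticated data is exactly what JSONP provided and what the 403 now blocks. For that deployment the usual alternative is a server-side component that talks to the Jenkins API with its own credentials and serves the aggregated result to the browser.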

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.