Just noticing this thread. With respect to your original question about Git and Jenkin's CSRF setting, as you've surmised, Jenkins protects all POST requests when this feature is enabled. There's a snippet in the Subversion plugin wiki[1] about how to make Subversion's commit hook work with the CSRF protection, and I would expect the same pattern will work for Git.
With respect to authentication, CSRF is only tangentially related to authentication. If your Jenkins instance requires an authenticated login, the CSRF will factor that into the crumb. If your Jenkins allows anonymous access, the CSRF protection will use other information for the crumb. -- Dean [1] https://wiki.jenkins-ci.org/display/JENKINS/Subversion+Plugin From: spacegoose <spacego...@gmail.com> Reply-To: "jenkinsci-users@googlegroups.com" <jenkinsci-users@googlegroups.com> Date: Thursday, May 16, 2013 3:03 PM To: "jenkinsci-users@googlegroups.com" <jenkinsci-users@googlegroups.com> Subject: Re: GitHub Webhook to Jenkins "Cross Site Scripting" > > > On Wednesday, May 15, 2013 9:23:23 AM UTC-4, spacegoose wrote: >> I am trying to trigger Jenkins builds from commits to a private GitHub >> repository. It only works when the the cross site scripting protection in >> Jenkins is turned off. >> >> Is there some way I can keep the cross site scripting protection setting on >> and get the GitHub webhook to work? The error with it on is a 403 / no valid >> crumb. >> >> Can I use a crumb in the webhook URL? >> >> Thanks, >> Bill > > > We ended up installing the GitHub plugin on Jenkins and it works, seemingly > magically, w/o any authentication credentials specified, other than the > Jenkins project specifying the GitHub repo & branch, and the GitHub webhook > specifying the generic Jenkins /github-webhook/ URL on our Jenkins instance. > > I looked in the Jenkins (1.514) config settings and didn't see any GItHub > specific credentials. > > We do have a special GitHub user with pull access to this repo, and it is > setup with SSH keys to talk to our Jenkins (maybe this has something to do > with it working?). > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to jenkinsci-users+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/groups/opt_out. > > -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
