Rundeck Webhook notification doesn't work for Jenkins with CSRF protected enabled #2262

puspa opened this Issue Jan 5, 2017 · 0 comments


None yet

1 participant

puspa commented Jan 5, 2017

Bug report

I am trying to trigger Jenkins job from rundeck using webhook notification. My Jenkins instance has "Prevent Cross Site Request Forgery exploits" setting enabled. When rundeck webhook tries to notifies Jenkins due to lack of csrf token, Jenkins rejects the notification with
"No valid crumb was included in request for /plugin/rundeck/webhook/. Returning 403."

My Rundeck detail

  • Rundeck version: Rundeck 2.6.9-1 cafe bonbon indigo tower 2016-08-03
  • install type: rpm
  • OS Name/version: CentOs 2.6.32-642.3.1.el6.x86_64

Expected Behavior
Webhook will first acquire csrf token, when needed, before posting notification to Jenkins

Actual Behavior
Webhook posts notification to Jenkins without csrf token

How to reproduce Behavior

  • Have jenkins instance with rundeck configured running
  • Enable "Prevent Cross Site Request Forgery exploits" in Jenkins using "Configure Global Security" screen
  • Configure rundeck job to notify to Jenkins with webhook
    -- set webhook url to {jenkins_url}/plugin/rundeck/webhook/
  • Run the rundeck job and check the Jenkins log for notification from rundeck job
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment