我发现启用 CSRF 保护后,我可以发出带有 crumbs 标头的发布请求并使用username:PASSWORD
基本身份验证标头:
String basic = "<username>:<PASSWORD>";
HttpURLConnection c = (HttpURLConnection) new URL("https://host.com/jenkins/quietDown").openConnection();
c.setInstanceFollowRedirects(false);
c.setRequestMethod("POST");
c.addRequestProperty("Jenkins-Crumb", "<CRUMB>");
c.addRequestProperty("Authorization", "Basic " + Base64.getEncoder().encodeToString(basic.getBytes()));
c.getInputStream().close();
或username:APITOKEN
用于基本身份验证标头,在这种情况下不需要 crumbs 标头:
String basic = "<username>:<APITOKEN>";
HttpURLConnection c = (HttpURLConnection) new URL("https://host.com/jenkins/quietDown").openConnection();
c.setInstanceFollowRedirects(false);
c.setRequestMethod("POST");
c.addRequestProperty("Authorization", "Basic " + Base64.getEncoder().encodeToString(basic.getBytes()));
c.getInputStream().close();
问题:
- 这是预期用途(用户名:APITOKEN 没有 crumbs 标题)吗?文档和现有的 SO 答案含糊不清。
使用 Jenkins 2.164.3 和 Java 8。