Merge branch 'security-stable-2.7' into security-stable-2.19

b46ccfc3 · Jesse Glick · 48b68bee · 3c397739 · b46ccfc3 · b46ccfc3
4 changed file
--- a/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
+++ b/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
@@ -279,7 +279,7 @@ public class HudsonPrivateSecurityRealm extends AbstractPasswordBasedSecurityRea
    public User createAccountByAdmin(StaplerRequest req, StaplerResponse rsp, String addUserView, String successView) throws IOException, ServletException {
        checkPermission(Jenkins.ADMINISTER);
        User u = createAccount(req, rsp, false, addUserView);
-        if(u != null) {
+        if (u != null && successView != null) {
            rsp.sendRedirect(successView);
        }
        return u;

--- a/core/src/main/java/jenkins/install/SetupWizard.java
+++ b/core/src/main/java/jenkins/install/SetupWizard.java
@@ -42,6 +42,7 @@ import hudson.model.User;
 import hudson.security.FullControlOnceLoggedInAuthorizationStrategy;
 import hudson.security.HudsonPrivateSecurityRealm;
 import hudson.security.SecurityRealm;
+import hudson.security.csrf.CrumbIssuer;
 import hudson.security.csrf.DefaultCrumbIssuer;
 import hudson.util.HttpResponses;
 import hudson.util.PluginServletFilter;
@@ -216,7 +217,7 @@ public class SetupWizard extends PageDecorator {
     * Called during the initial setup to create an admin user
     */
    @RequirePOST
-    public void doCreateAdminUser(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
+    public HttpResponse doCreateAdminUser(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
        Jenkins j = Jenkins.getInstance();
        j.checkPermission(Jenkins.ADMINISTER);
        
@@ -229,7 +230,7 @@ public class SetupWizard extends PageDecorator {
                admin.delete(); // assume the new user may well be 'admin'
            }
            
-            User u = securityRealm.createAccountByAdmin(req, rsp, "/jenkins/install/SetupWizard/setupWizardFirstUser.jelly", req.getContextPath() + "/");
+            User u = securityRealm.createAccountByAdmin(req, rsp, "/jenkins/install/SetupWizard/setupWizardFirstUser.jelly", null);
            if (u != null) {
                if(admin != null) {
                    admin = null;
@@ -248,6 +249,11 @@ public class SetupWizard extends PageDecorator {
                Authentication a = new UsernamePasswordAuthenticationToken(u.getId(),req.getParameter("password1"));
                a = securityRealm.getSecurityComponents().manager.authenticate(a);
                SecurityContextHolder.getContext().setAuthentication(a);
+                CrumbIssuer crumbIssuer = Jenkins.getInstance().getCrumbIssuer();
+                JSONObject data = new JSONObject().accumulate("crumbRequestField", crumbIssuer.getCrumbRequestField()).accumulate("crumb", crumbIssuer.getCrumb(req));
+                return HttpResponses.okJSON(data);
+            } else {
+                return HttpResponses.okJSON();
            }
        } finally {
            if(admin != null) {
@@ -454,6 +460,7 @@ public class SetupWizard extends PageDecorator {
    /**
     * Remove the setupWizard filter, ensure all updates are written to disk, etc
     */
+    @RequirePOST
    public HttpResponse doCompleteInstall() throws IOException, ServletException {
        completeSetup();
        return HttpResponses.okJSON();

--- a/war/src/main/js/api/pluginManager.js
+++ b/war/src/main/js/api/pluginManager.js
@@ -177,7 +177,7 @@ exports.incompleteInstallStatus = function(handler, correlationId) {
 * Call this to complete the installation without installing anything
 */
 exports.completeInstall = function(handler) {
-	jenkins.get('/setupWizard/completeInstall', function() {
+	jenkins.post('/setupWizard/completeInstall', {}, function() {
 		handler.call({ isError: false });
 	}, {
 		timeout: pluginManagerErrorTimeoutMillis,
@@ -219,7 +219,7 @@ exports.installPluginsDone = function(handler) {
 * Restart Jenkins
 */
 exports.restartJenkins = function(handler) {
-	jenkins.get('/updateCenter/safeRestart', function() {
+	jenkins.post('/updateCenter/safeRestart', {}, function() {
 		handler.call({ isError: false });
 	}, {
 		timeout: pluginManagerErrorTimeoutMillis,

--- a/war/src/main/js/api/securityConfig.js
+++ b/war/src/main/js/api/securityConfig.js
@@ -11,8 +11,13 @@ exports.saveFirstUser = function($form, success, error) {
 	jenkins.staplerPost(
 			'/setupWizard/createAdminUser',
 		$form,
-		success, {
-			dataType: 'html',
+		function(response) {
+        		var crumbRequestField = response.data.crumbRequestField;
+			if (crumbRequestField) {
+				require('window-handle').getWindow().crumb.init(crumbRequestField, response.data.crumb);
+			}
+			success(response);
+		}, {
 			error: error
 		});
 };