Curl get job config.xml gives 403 with Jenkins 2.401.3.3, but worked with older versions


My shared library needs to parse the job config.xml to get the configured Jenkinsfile path of a multibranch pipeline.

With Jenkins 2.375.4.2 this works fine:

def call() {
  withCredentials([usernamePassword(credentialsId: 'xxx', passwordVariable: 'pw', usernameVariable: 'user')]) {
    // fetch this job's config.xml into the workspace
    genericSh('curl -u ' + user + ':' + pw + " ${JOB_URL + 'config.xml'} -O")
  }
  jobconfig = readFile "${env.WORKSPACE}/config.xml" // otherwise 'prolog not allowed in context'
  xml = new XmlParser().parseText(jobconfig)
  jenkinsfilepath = xml.children()['scriptPath'].text()
  getYamlRoot = new File(jenkinsfilepath).getParent()
  readYaml file: "${getYamlRoot ?: env.WORKSPACE}" + '/pipeline.yaml'
}

But with Jenkins 2.401.3.3 the curl command gives:

    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 403 Forbidden
    < Date: Tue, 29 Aug 2023 15:19:51 GMT
    < X-Content-Type-Options: nosniff
    < X-You-Are-Authenticated-As: xxx
    < X-You-Are-In-Group-Disabled: JENKINS-39402: use or use /whoAmI to diagnose
    < X-Required-Permission: hudson.model.Hudson.Read
    < X-Permission-Implied-By:
    < X-Permission-Implied-By: hudson.model.Hudson.Administer
    < Content-Type: text/html;charset=utf-8
    < Expires: Thu, 01 Jan 1970 00:00:00 GMT
    < Cache-Control: no-cache,no-store,must-revalidate
    < X-Hudson-Theme: default
    < Referrer-Policy: same-origin
    < Cross-Origin-Opener-Policy: same-origin
    < Set-Cookie: JSESSIONID.7b2b95ba=node01m0vlt3zqe4oz11xw57rl6gglh96.node0; Path=/; Secure; HttpOnly
    < X-Hudson: 1.395
    < X-Jenkins: 2.401.3.3
    < X-Jenkins-Session: b904a4f9
    < X-Frame-Options: ALLOW-FROM http://xxx:81
    < X-Instance-Identity: xxx
    < Content-Length: 23013
    < Server: Jetty(10.0.13)

    <head resURL="/static/b904a4f9" data-rooturl="" data-resurl="/static/b904a4f9" [...]

In the browser the response is the same for JOB_URL/config.xml in both Jenkins versions.
That’s also what I get as the response from curl with Jenkins 2.375.4.2:

<flow-definition plugin="workflow-job@1344.cb-v917b_4f08a_b_5c">
    <org.jenkinsci.plugins.workflow.multibranch.JobPropertyTrackerAction plugin="workflow-multibranch@756.v891d88f2cd46">
    <org.jenkinsci.plugins.workflow.multibranch.BranchJobProperty plugin="workflow-multibranch@756.v891d88f2cd46">


What’s the reason for the new behaviour? I guess it’s some new security-related feature; I checked the changelogs but didn’t find anything helpful.

Is there maybe a better or another way to get the Jenkinsfile path? I searched a lot, but it seems there’s no other way than $JOB_URL/config.xml.


I’m not aware of changes here. More likely that you have an issue with permissions or your password/credential.
You should be able to get the script path with Groovy code like this (not tested). Though this will work only when you’re not in a sandbox. But within a shared library it works, I guess.

def getScriptPath() {
  job = build.getParent()
  definition = job.getDefinition()
  if (definition instanceof org.jenkinsci.plugins.workflow.cps.CpsScmFlowDefinition) {
    return definition.scriptPath
  }
  return null
}


I used the same credentials before the update without any problems, but anyway your proposal is much better and works like a charm :)

I used:

job = currentBuild.rawBuild.getParent()
scriptPath = job.getDefinition().scriptPath
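
The 403 response quoted in the question already carries Jenkins' own access-denied diagnostics (`X-You-Are-Authenticated-As`, `X-Required-Permission`, `X-Permission-Implied-By`). The following is an added example, not code from the thread: it reads those headers out of `curl -v` output to tell a rejected credential from a missing permission. The function names are hypothetical, and the sample input is constructed from the headers shown above.

```python
import re

# Constructed sample: the diagnostic headers from the curl -v output in the question.
SAMPLE = """\
    < HTTP/1.1 403 Forbidden
    < X-You-Are-Authenticated-As: xxx
    < X-Required-Permission: hudson.model.Hudson.Read
    < X-Permission-Implied-By:
    < X-Permission-Implied-By: hudson.model.Hudson.Administer
    < X-Jenkins: 2.401.3.3

    <head resURL="/static/b904a4f9" data-rooturl="" [...]
"""

STATUS_RE = re.compile(r"^< HTTP/[\d.]+ (\d{3})")
HEADER_RE = re.compile(r"^< ([A-Za-z0-9-]+):\s*(.*)$")

def parse_response(verbose_text):
    """Return (status, {lowercased header: [values]}) from curl -v '< ' lines."""
    status, headers = None, {}
    for raw in verbose_text.splitlines():
        line = raw.strip()
        m = STATUS_RE.match(line)
        if m:
            status, headers = int(m.group(1)), {}  # keep only the last response
            continue
        m = HEADER_RE.match(line)  # body lines such as '<head ...' do not match
        if m:
            headers.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return status, headers

def diagnose(verbose_text):
    """Classify the failure as an authentication or an authorization problem."""
    status, h = parse_response(verbose_text)
    user = (h.get("x-you-are-authenticated-as") or [""])[0]
    required = (h.get("x-required-permission") or [""])[0]
    implied_by = [v for v in h.get("x-permission-implied-by", []) if v]
    if status == 401 or (status == 403 and user in ("", "anonymous")):
        cause = "authentication"  # credential missing or not accepted
    elif status == 403:
        cause = "authorization"   # credential accepted, permission missing
    else:
        cause = "none"
    return {"status": status, "cause": cause, "user": user,
            "required": required, "implied_by": implied_by}

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

For the response in the question this reports an authorization failure: the request was authenticated as `xxx`, and the permission named as required is `hudson.model.Hudson.Read`.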