401 Unauthorized when using JWT token in my plugin

Hi Community!

I’ve spent a lot of time trying to fix a very strange issue and I hope someone else has faced this.
My plugin’s REST resource uses a JWT token (like https://e255266aa55f.ngrok.io/data?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJqaXJhLXRlbGVncmFtLWNsb3VkIiwic3ViIjoiNWI3MTI2M2NlNzJhZmQwNjRjOGE0NzUzIiwiY2xpZW50S2V5IjoiMzA4ZmYyYWUtZWFmYy0zYTc5LWIyN2ItNmNkZDY3MTc3NGJjIiwicXNoIjoiY29udGV4dC1xc2giLCJpc3MiOiJqaXJhLXRlbGVncmFtLWNsb3VkIiwiZXhwIjoxNjI0NzAxMDA4LCJpYXQiOjE2MjQ3MDAxMDh9.6FNJZi5TlCTfX_j5Cfopn__WmY3YCyxtD4mrktNtJcU).
Everything had been working fine until last week. I did not make any changes in the plugin descriptor/pom.xml or anything else.
It has just stopped working suddenly.

I’ve cleared the database and installed the plugin in other Jira instances, but it has no effect.

pom.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.4.5</version>
    </parent>

    <groupId>pl.secret.pl</groupId>
    <artifactId>jira-plugin</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <java.version>1.8</java.version>
        <atlassian-connect-spring-boot.version>2.2.1</atlassian-connect-spring-boot.version>
        <thymeleaf-extras-springsecurity4.version>3.0.2.RELEASE</thymeleaf-extras-springsecurity4.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>com.atlassian.connect</groupId>
            <artifactId>atlassian-connect-spring-boot-starter</artifactId>
            <version>${atlassian-connect-spring-boot.version}</version>
        </dependency>
        <dependency>
            <groupId>com.atlassian.connect</groupId>
            <artifactId>atlassian-connect-spring-boot-jpa-starter</artifactId>
            <version>${atlassian-connect-spring-boot.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <version>1.18.12</version>
            <scope>provided</scope>
        </dependency>
        <!-- https://mvnrepository.com/artifact/io.swagger.core.v3/swagger-annotations -->
        <dependency>
            <groupId>io.swagger.core.v3</groupId>
            <artifactId>swagger-annotations</artifactId>
            <version>2.1.5</version>
        </dependency>
        <!-- https://mvnrepository.com/artifact/org.threeten/threetenbp -->
        <dependency>
            <groupId>org.threeten</groupId>
            <artifactId>threetenbp</artifactId>
            <version>1.5.0</version>
        </dependency>
        <dependency>
            <groupId>com.github.joschi.jackson</groupId>
            <artifactId>jackson-datatype-threetenbp</artifactId>
            <version>2.6.4</version>
        </dependency>
        <!-- https://mvnrepository.com/artifact/org.apache.commons/commons-lang3 -->
        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-lang3</artifactId>
            <version>3.11</version>
        </dependency>
    </dependencies>

    <build>
        <defaultGoal>spring-boot:run</defaultGoal>
        <plugins>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>versions-maven-plugin</artifactId>
                <executions>
                    <execution>
                        <id>display-spring-boot-dependency-updates</id>
                        <phase>validate</phase>
                        <goals>
                            <goal>display-parent-updates</goal>
                            <goal>display-property-updates</goal>
                        </goals>
                        <configuration>
                            <includeProperties>atlassian-connect-spring-boot.version</includeProperties>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>

    <profiles>
        <profile>
            <id>default</id>
            <activation>
                <property>
                    <name>!spring.profiles.active</name>
                </property>
            </activation>
            <dependencies>
                <dependency>
                    <groupId>org.hsqldb</groupId>
                    <artifactId>hsqldb</artifactId>
                    <scope>runtime</scope>
                </dependency>
                <dependency>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-devtools</artifactId>
                    <optional>true</optional>
                </dependency>
            </dependencies>
        </profile>
    </profiles>
</project>
```
atlassian-connect.json

```json
{
  "key": "${addon.key}",
  "baseUrl": "${addon.base-url}",
  "name": "sandbox",
  "apiMigrations": {
    "signed-install": true
  },
  "authentication": {
    "type": "jwt"
  },
  "lifecycle": {
    "installed": "/installed",
    "uninstalled": "/uninstalled"
  },
  "scopes": ["READ", "WRITE"]
}
```

The same issue with my Spring Boot addon. Most of the requests are just failing with 401 for no visible reason. Everything worked fine at least until 24.06.21.

1 Like

May be related to the change made in Action required: Atlassian Connect vulnerability allows bypass of app qsh verification via context JWTs - #4 by remie

Try to add @contextJWT annotation to all internal APIs

1 Like
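
Added example (not part of the thread and not code from atlassian-connect-spring-boot): a diagnostic that decodes a token's claims and reports whether its `qsh` is the fixed context value or a hash bound to the request. The JWT quoted in the question decodes to `"qsh": "context-qsh"`, which is the kind of token the linked change concerns. Assumptions: the qsh canonicalisation is simplified, the sample tokens and `app.example` URLs are constructed, and all function names are this example's own.

```python
import base64
import hashlib
import json
from urllib.parse import parse_qsl, quote, urlsplit

CONTEXT_QSH = "context-qsh"  # fixed qsh value carried by Connect context JWTs


def make_sample_token(claims):
    """Build a CONSTRUCTED, unsigned sample token so the example runs offline."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'typ': 'JWT', 'alg': 'HS256'})}.{seg(claims)}.constructed-signature"


def jwt_claims(token):
    """Decode the payload for diagnosis only; this does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def canonical_qsh(method, url):
    """Query string hash: SHA-256 of METHOD&path&sorted-query, 'jwt' param excluded.
    Simplified (assumption): no context path and no '&' inside the path."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    params = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key != "jwt":
            params.setdefault(quote(key, safe="-._~"), []).append(quote(value, safe="-._~"))
    query = "&".join(f"{k}={','.join(sorted(v))}" for k, v in sorted(params.items()))
    return hashlib.sha256(f"{method.upper()}&{path}&{query}".encode()).hexdigest()


def classify(token, method, url):
    """Classify the token by its qsh claim relative to the request it arrived on."""
    qsh = jwt_claims(token).get("qsh")
    if qsh is None:
        return "missing-qsh"
    if qsh == CONTEXT_QSH:
        return "context-jwt"
    if qsh == canonical_qsh(method, url):
        return "request-bound"
    return "qsh-mismatch"
```

A result of `context-jwt` for a token arriving at an endpoint that now returns 401 matches the situation described in the reply above.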

Thank you a lot! I’ve missed this :expressionless: