This behaviour seems to be related to how Jira’s servlets authenticate/filter any access to the Jira server, even anonymous.
The REST endpoints with anonymous access use the “any” method. The key point in the above link is:
“and there is not valid cookie”
When I reproduced this error on my server, I noticed that the cookie named JSESSIONID was marked as expired. If you delete this, it starts working again. So Jira looks for the JSESSIONID cookie and if it finds an invalid cookie you get the 401 error, but if there is no cookie or the cookie is valid you do not get the 401 error.
So Jira is actively checking for cookies even if you’re using anonymous access. This is part of the Jira authentication library, which is part of Jira’s servlet filters. Specifically, this else condition: https://docs.atlassian.com/atlassian-seraph/2.6.1-m1/xref/com/atlassian/seraph/filter/SecurityFilter.html#150
We understand that this behavior is not correct and an anonymous user should always work by ignoring JSessionCookie.
Is there a workaround or any configuration setting to turn this off or make it ignore invalid cookies when the user is not provided?