Anonymous access sometimes returns a 401 when a REST endpoint is called

Hi,

This behaviour seems to be related to how Jira’s servlets authenticate/filter any access to the Jira server, even anonymous.

They have these https://developer.atlassian.com/server/framework/atlassian-sdk/rest-and-os-authtype/

The rest endpoints with anonymous access use the “any” method. The key point in the above link is:

“and there is not valid cookie”

When I reproduced this error on my server, I noticed that the cookie named JSESSIONID was marked as expired. If you delete this, it starts working again. So Jira looks for the JSESSIONID cookie, and if it finds an invalid cookie you get the 401 error, but if there is no cookie or the cookie is valid you do not get the 401 error.

So Jira is actively checking for cookies even if you’re using anonymous access. This is part of the Jira authentication library, which is part of Jira’s servlet filters, specifically this else condition: https://docs.atlassian.com/atlassian-seraph/2.6.1-m1/xref/com/atlassian/seraph/filter/SecurityFilter.html#150

We understand that this behavior is not correct and an anonymous user should always work by ignoring JSessionCookie.

Is there a workaround or any configuration setting to turn this off or make it ignore invalid cookies when no user is provided?

Best Regards,
Alex


Hey,

As far as I am aware, this is intended behaviour from Atlassian. The problem is that if you have an endpoint that allows anonymous access but returns different data if you are a logged-in user, there would be a non-obvious inconsistency.

To prevent such inconsistency in results, Seraph blocks REST requests that have expired JSESSIONID cookies, even for anonymous endpoints.

This behaviour is documented here: https://developer.atlassian.com/server/framework/atlassian-sdk/rest-and-os-authtype/

Cheers,

Reece
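The check Alex and Reece describe, modelled as a small simulation (an added example, not code from this thread or from Atlassian's Seraph): a server-side stand-in that accepts anonymous requests with no JSESSIONID or a valid one but answers 401 to a stale one, and a client wrapper that recovers by dropping the stale cookie and retrying once. The session id set and the transport function are constructed for the example.

```python
from typing import Callable, Dict, Tuple

# Constructed stand-in for the server's session store: the only session id it still knows.
VALID_SESSIONS = {"abc123"}


def seraph_like_filter(cookies: Dict[str, str]) -> Tuple[int, str]:
    """Model of the behaviour reported above for an endpoint that permits anonymous access.

    - no JSESSIONID cookie         -> request proceeds as anonymous (200)
    - JSESSIONID matching a session -> request proceeds as that user (200)
    - JSESSIONID that is stale      -> rejected with 401, although anonymous access is allowed
    """
    sid = cookies.get("JSESSIONID")
    if sid is None:
        return 200, "anonymous"
    if sid in VALID_SESSIONS:
        return 200, "user"
    return 401, "stale session cookie"


def get_with_stale_cookie_recovery(
    cookies: Dict[str, str],
    transport: Callable[[Dict[str, str]], Tuple[int, str]] = seraph_like_filter,
) -> Tuple[int, str, bool]:
    """Client-side workaround for callers that never log in.

    If a call comes back 401 while the jar still carries a JSESSIONID, delete that
    cookie (the thread reports this makes anonymous calls work again) and retry once.
    Returns (status, body, retried). A 401 with no cookie present is returned as-is,
    because then the cause is not a stale session.
    """
    status, body = transport(cookies)
    if status == 401 and "JSESSIONID" in cookies:
        del cookies["JSESSIONID"]
        status, body = transport(cookies)
        return status, body, True
    return status, body, False
```

With a real HTTP client the transport would be the actual GET and the deletion would act on the client's cookie jar instead of a dict.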

Hi Reece,

Thanks for the reply. The problem in this case is that the access is always anonymous without logging in, and it makes no sense that the first requests work and at a certain time stop working.

Best Regards,
Alex


Thanks, we’re seeing crazy failures in our internal Jira Service Desk and we thought it may have had to do with expired sessions. It would appear that this is handled all the way down in auth land. Thanks.