Authentication within JIRA Server Add On

Hello,
I’m a rookie in JIRA add-on development. When I execute a REST API method (/rest/greenhopper/latest/rapidviews/list), I get a 403 error in return. After some digging, it seems to be related to a lack of authentication.

I’ve been looking through the SDK documentation and I found out about the 3 authentication methods: Basic, cookie-based and OAuth. What I would like to know is what the correct way to handle the issue is, given that the add-on will be running “inside” JIRA, after the user authenticates. Is there a way to inherit the current user context, instead of having the add-on authenticate once again?

Hi @antonio.pena,

Usually, if you serve your front-end via a servlet from inside Jira, your REST requests to your API should be authenticated via the cookie that the current user uses.

You could still get a 403 if your base URL is something other than the URL you use to access Jira, e.g. base URL is http://localhost:2990/jira and you access it via http://your-macbook-pro.local:2990/jira. Then the authentication cookie will be assigned to the wrong URL and your REST calls would throw 403s.
Could that be the case?

Cheers,
Tobias

1 Like
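The mismatch described in the reply above can be checked from the add-on's front-end by comparing Jira's configured base URL with the URL the browser is actually on. This is an added example, not code from the thread; the function names and the sample servlet path are assumptions.

```javascript
// Added example: compares a configured base URL with the page URL in use.
// Function names and the servlet path below are illustrative assumptions.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

function normalize(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    // An omitted port means the scheme default (80 or 443).
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
    // Drop trailing slashes so "/jira/" and "/jira" compare equal.
    path: u.pathname.replace(/\/+$/, ''),
  };
}

function diagnoseBaseUrl(configuredBaseUrl, pageUrl) {
  const base = normalize(configuredBaseUrl);
  const page = normalize(pageUrl);
  const mismatches = [];
  for (const part of ['scheme', 'host', 'port']) {
    if (base[part] !== page[part]) {
      mismatches.push(
        `${part}: base URL has "${base[part]}", browser uses "${page[part]}"`);
    }
  }
  // The page must live under the base URL's context path (e.g. "/jira").
  const underContext =
    page.path === base.path || page.path.startsWith(base.path + '/');
  if (!underContext) {
    mismatches.push(`context path: page is not under "${base.path}"`);
  }
  return { ok: mismatches.length === 0, mismatches };
}

// Constructed sample using the two URLs from the thread.
const sample = diagnoseBaseUrl(
  'http://localhost:2990/jira',
  'http://your-macbook-pro.local:2990/jira/plugins/servlet/my-addon');
console.log(sample.ok ? 'base URL matches' : sample.mismatches.join('\n'));
```

In a browser, pass `window.location.href` as the second argument and the base URL from Jira's general configuration as the first.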

Thanks for your reply @tobitheo. Meanwhile this project has come to a halt, but I will check for that mismatch.

Best regards

1 Like

You can run ‘local’ REST calls unauthenticated, so long as you ‘set’ the JiraAuthenticationContext to be the security context for the operation.

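```java
import com.atlassian.jira.component.ComponentAccessor;
import com.atlassian.jira.config.properties.APKeys;
import com.atlassian.jira.security.JiraAuthenticationContext;
import com.atlassian.jira.user.ApplicationUser;
import com.atlassian.jira.user.util.UserManager;
import com.atlassian.sal.api.net.Request.MethodType;
import com.atlassian.sal.api.net.TrustedRequest;
import com.atlassian.sal.api.net.TrustedRequestFactory;

TrustedRequestFactory fRequestFactory; // constructor injected
JiraAuthenticationContext jac = ComponentAccessor.getJiraAuthenticationContext();
ApplicationUser currentUser = jac.getLoggedInUser(); // remember the real user
try
{
    String path = "/rest/greenhopper/latest/rapidviews/list";
    UserManager userManager = ComponentAccessor.getUserManager();
    // The call runs with this account's permissions, not the logged-in user's
    ApplicationUser runAsUser = userManager.getUserByName("admin");
    jac.setLoggedInUser(runAsUser);
    String baseUrl = ComponentAccessor.getApplicationProperties().getString(APKeys.JIRA_BASEURL);
    String fullUrl = baseUrl + path;
    TrustedRequest req = fRequestFactory.createTrustedRequest(MethodType.GET, fullUrl);
    // getHostname(...) is the poster's own helper (not shown)
    req.addTrustedTokenAuthentication(getHostname(baseUrl));
    String asStr = req.execute(); // response body as a string
}
finally
{
    // Always restore the original user
    jac.setLoggedInUser(currentUser);
}
```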

I haven’t tested your particular URL, but it should work.

3 Likes