CORS error for plugin/app REST API access

parag · March 14, 2023, 10:24am

Our Jira DC app exposes REST APIs, and one of our customers wants to use these APIs on their share point website. When calling these APIs from their internal website, its throwing CORS error. We have tried a few things -

Added the origin in the allowed list (whitelisting) in Jira DC configuration - after this Jira REST APIs works fine, but app REST APIs still throws CORS error.
Added a filter in our app to send the required CORS response headers in case preflight request. But in this filter we are getting request method name as “GET” instead of “OPTIONS” even for options requests.
Also tried to assume if the “Origin” header is present then it’s preflight request but in that case, we are getting 401 unauthorized error in the response for preflight request and CORS error for actual get request.
Another issue is in preflight request ContainerRequestFilter.filter() method is not getting called where we can stop further processing of request if its preflight/OPTIONS type.

Can someone please help us here with a solution for this issue?

Attached here with the filter class we tried adding to our app.

CorsFilter.txt (3.6 KB)

steve.behnke · March 16, 2023, 4:10am

Please read up on @CorsAllowed which I’ve only read about myself just now:
https://docs.atlassian.com/atlassian-rest-common/2.7.8/atlassian-rest-common/apidocs/index.html?com/atlassian/plugins/rest/common/security/CorsAllowed.html
Some additional context on this jira comment [JRASERVER-59101] Jira doesn't support preflighted requests for CORS - Create and track feature requests for Atlassian products.

parag · March 20, 2023, 7:36am

Hi @steve.behnke thank you for your response, we will check and try this out.

NikolayShmakov · December 16, 2024, 6:18pm

Just add the annotation @CorsAllowed to the required resources/paths/endpoints.
However, in addition you need your API to be marked as public. Otherwise the request will fail.

Additionally, you need to annotate appropriately at the endpoint level.

Annotation	CORS result
@AdminOnly	ERROR
@AnonymousSiteAccess	OK
@LicensedOnly	ERROR
@SystemAdminOnly	ERROR
@UnlicensedSiteAccess	ERROR
@UnrestrictedAccess	OK

So, choose between @AnonymousSiteAccess or @UnrestrictedAccess.

    @GET
    @Path("/unrestricted-access")
    @UnrestrictedAccess
    @CorsAllowed
    public Response testUnrestrictedAccess() {
        return Response.ok().build();
    }

    @GET
    @Path("/anonymous-site-access")
    @AnonymousSiteAccess
    @CorsAllowed
    public Response testAnonymousSiteAccess() {
        return Response.ok().build();
    }

NikolayShmakov · December 17, 2024, 10:05am

However, both of these annotations @AnonymousSiteAccess or @UnrestrictedAccess disable authentication\authorization checking. I could not find how to enable both @CorsAllowed and authentication/authorization checking.