How can I invert the JWT authentication?

From atlassian-connect-spring-boot:

Endpoints specified in this way will automatically authenticate incoming requests using JSON Web Tokens. To disable JWT verification for an endpoint, you can annotate your RequestMapping method or your Controller class with @IgnoreJwt. You should only disable JWT verification for endpoints that will not be accessed by an Atlassian product.

Now, what if I have 200 non-Atlassian endpoints and 3 for Atlassian? I am looking for a way to invert this authentication to where I enable JWT only on the 3 endpoints.

Big Picture: I am wanting to integrate the plugin endpoints into a larger application and would rather not have to use @IgnoreJwt by default.

Does anyone know what the configuration class is and which properties I’d need to look into? Anything to help me get started would be appreciated!

While you’re here…what about removing the “/” mapping entirely and moving the “/atlassian-connect.json” mapping to another path?

@DerekWhite I’m afraid that atlassian-connect-spring-boot was not designed for such a use case, so I would not recommend that you use it.

That said, version 2.0.5 restored support for configuring the paths that require JWT authentication (unfortunately dropped in 2.0.0) using the properties atlassian.connect.require-auth-include-paths and .require-auth-exclude-paths.


Thank you for the advice. I will just move any common code to a library and run this in a different context than the main app.

The first properties I touched were the addon.* ones for the descriptor JSON. They did not have any metadata for Spring (I created my own additional-spring-configuration-metadata.json for them), so I just assumed atlassian.connect.* also did not. However, it does have metadata!! Auto-complete works great. I found these to be relevant:

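    atlassian:
        connect:
            jwt-filter-order: 10                  # position of the JWT filter relative to your own filters
            redirect-root-to-descriptor: false    # stop "/" from serving up the descriptor
            require-auth-exclude-paths: /excludes # paths exempt from JWT authentication
            require-auth-include-paths: /includes # paths that require JWT authentication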

That solves everything except moving the descriptor! You can move the filter around (so one of yours can take precedence), change its paths, and disable the root from serving up the descriptor.

I will still be using a separate project, as @epehrson suggested (who knows what else is lurking in there 🙂), but if anyone else runs across this, now you know!