Jira 9.0 has a release candidate!

Hey @denis @FilipNowak,
we have exactly the same problem with the required @SupportedMethods annotation.

We saw that it will not break the app itself, if you compile it against Jira 9.0 and install the app on Jira 8 or older.

But we always run our integration tests to the lowest supported version of our app, to make sure that nothing is broken there. In addition to that, we develop against the lowest supported version as well. The reason is, that we want to avoid the direct access to functions, that are available in newer versions. If we want to use these new functions, we have to access them via Java Reflections, to make our app backward compatible. If we develop against Jira 9.0 it’s much more unsafe and the probability is much higher, that somebody uses new functions that breaks the compatibility to lower Jira versions.

1 Like

This worked in our project:

  • create new maven project with only com.atlassian.jira.security.request.RequestMethod and com.atlassian.jira.security.request.SupportedMethods classes
  • add a dependency to this new module with the scope set to “provided” in a plugin project
  • use these classes in actions

When the plugin is installed in Jira 9 SupportedMethods annotation will be loaded from the Jira class loader.

1 Like

Is everyone going to publish 1 version of their app for Jira 9.x, and 1 version of their app for Jira 8.13?

We’ve tried, to avoid the ClassNotFoundError about the @SupportedMethods problem in Jira 8.13, we’ve tried to transform our XWork actions into REST GET methods, but Jira doesn’t respect the #requireResource() or #requireContext() tags in REST responses and doesn’t include the JS files (note that the entire decoration is missing, no top bar, etc.). Has anyone found a solution for this?

Is it well-known that PageBuilderService doesn’t work in REST resources?

We’re reluctant to move all our code back to Servlets, just because of this @SupportedMethods problem.

Hi @aragot,

use @marcin.kosmala solution, I checked it and it works perfectly.

  1. Create new maven project

  2. Add dependency to your plugin


Hi Adam

With this way, you still need to build 2 jars, right?

Because when using in Jira 8, if the scope is provided, the 2 classes won’t be found.


Hi @LaurentNonnenmacher

no, I’m building one jar for Jira 8 and Jira 9 :slight_smile:. IDE asked me where to get these dependencies and I pointed to my previously built Maven project (compiled and installed in maven before adding dependencies to the Jira plugin project).

Jira 8 and 9 source

Point to my jar


1 Like

Hi all

Is there a way to enable a “strict” javascript mode to see where are the failing places that do not respect the front-end contract ( with require() and refine()) ?



We are checking compatibility with Jira-9.0.0-m0009. We can no longer call methods on our components (defined in atlassian-plugin.xml) within the velocity files. These classes are available in the velocity context (I have verified this) but I can’t invoke any method on them. Methods are public and also defined on the corresponding interface. I can invoke methods on data classes.

/secure/AjaxIssueAction!default.jspa [org.apache.velocity] Cannot retrieve method dateTimeToString from object of class com.deniz.jira.reminders.service.ReminderServiceImp due to security restrictions.

Hi @FilipNowak ,

Regarding the @SupportedMethods annotation, would it be possible to tag it as @Inherited too. It would provide more flexibility in the way Actions are designed in a plugin (and help dealing with Jira8 vs Jira9 API particularities). Currently, you’re forced to annotate the action class declared in the atlassian-plugin.xml manifest, no way to annotate a generic action class (that could come from an external jar for example).

If the classes extends some “restricted” classes, they are blocked. Try to see in the packages a file called velocity.properties. It includes a list of what is allowed or not.
For me: I had a class extending a com.atlassian class, it was rejected due to this security

1 Like

Thanks @LaurentNonnenmacher,
The class doesn’t extend from any other class but implements a few interfaces “LifecycleAware, DisposableBean, JobRunner”. Jobrunner is in package “com.atlassian.scheduler” and is included in “introspector.restrict.packages” setting in velocity.properties file of Jira. This behavior should be new to Jira 9, the same class was accessible with .VM files for years.

Once more regarding the @SupportedMethods annotations. There seems to have been a couple of different approaches here and via other channels.
@TomaszPrus Did you ever get some input from the team on how to approach this from a build targeting both Jira 8 & 9?
@aragot @denis did you manage to get this working?


For everyone looking for an implementation of @SupportedMethods compatible from Jira 8.13 and Jira 9.0, we’ve detailed our implementation there:

We implemented the solution by FilipNowak – compiling our plugin for Jira 9.
The compiled plugin has been tested against Jira 8.0 and Jira 8.22 – all our tests passed.

We also plan to test the solution by marcin.kosmala because it seems to be safer from the Jira 8 compatibility point of view.

The problem is still reproduced in eap4: clicking on buttons Delete and Default in Resolutions results in “HTTP Status 405 – Method Not Allowed” error page opening.


Regarding XSRF protection, I have a doubt if it is possible to obtain the xsrfToken for a form in a gadget.

I have a html gadget…

<Content type=“html” view=“profile, canvas, default”

and a form in the view template…

view: {
template: function (args) {

str+=" <form action=‘ATLASSIAN_BASE_URL/secure/CalculateCost!previous.jspa’ method=‘POST’ class=‘aui’…
str+=" <input type=‘hidden’ id=‘cost-old’ name=‘cost-old’…
str+=" </form…";

I have tried what is described on the page Form token handling

str+="<form action='ATLASSIAN_BASE_URL/secure/CalculateCost!previous.jspa?atl_token=<webwork:property value="/xsrfToken"/>’ method=‘POST’ class=‘aui’…
str+=" <input type=‘hidden’ id=‘cost-old’ name=‘cost-old’…


str+="<form action=‘ATLASSIAN_BASE_URL/secure/CalculateCost!previous.jspa’ method=‘POST’ class=‘aui’…
str+= " <webwork:component name=‘atl_token’ value=’/xsrfToken’ template=‘hidden.jsp’/>"
str+=" <input type=‘hidden’ id=‘cost-old’ name=‘cost-old’…

but none work.

How can I get xsrfToken in a gadget?


I came across a bug with the JQL query blank not updating after using the browser’s back button in some circumstances.

See JQL Search Blank fails to clear on browser.back with some history in Jira 9 for detailed steps to reproduce.


I would like to know if there is documentation available on the use of the points “New checkpoints for resource phases” and “App header updates”.


Quick question, how do you actually go about installing Jira Service Management 5 into your EAP 9 installation?

Hi @dortiz !
We described the changes and the steps you need to take in the Preparing for Jira 9.0 document mentioned in the post.
Please let me know if you find the instructions unclear or they don’t work for you.
Kind regards,