Dear community,
after releasing our updated plugin, we have noticed that anonymous access is broken in Confluence 9.x. Unfortunately, I haven’t been able to get this to work. I guess we are missing some important step:
1.) We rely on servlets to retrieve data which is then rendered in the macro - the data is just stored as attachment.
2.) We don’t expose REST API endpoint, instead all calls go directly to the servlet, like this:
xhr.open('POST', '/plugins/servlet/graphity-diagram-data-service', true)
xhr.send(…)
I have annotated the servlet in question like this:
@com.atlassian.plugins.rest.api.security.annotation.AnonymousSiteAccess
public class DiagramDataServlet extends HttpServlet {
which, to my understanding, should enable anonymous access to the servlet. We do a permission check for the actual data in the servlet itself. The servlet has not opted in for XSRF protection because the documentation suggests I would not need to do that (and anyway I think it would only make the access MORE restrictive, not less).
3.) I have set up anonymous access to the instance and also configured the space to allow anonymous access. To exclude potential problems, I have also enabled anonymous access to the Remote API (though I think this only refers to REST endpoints?)
4.) I have verified that the annotation is compiled and retained for the servlet.
5.) Yet I invariably receive this exception (I’ve also tried UnrestrictedAnnotation, to no avail)
17:26:50,655 WARN [http-nio-1990-exec-10 url: /confluence/plugins/servlet/graphity-diagram-data-service] [confluence.servlet.ServletModuleContainerServlet] service Access check is failed. Skipping Servlet com.yworks.plugins.confluence.DiagramDataServlet
-- url: /confluence/plugins/servlet/graphity-diagram-data-service | userName: anonymous | referer: http://baltar:1990/confluence/spaces/ds/pages/163841/Welcome+to+Confluence | traceId: c008f09e695eaf82
17:26:50,659 ERROR [http-nio-1990-exec-10 url: /confluence/plugins/servlet/graphity-diagram-data-service] [[Catalina].[localhost].[/confluence]] log Unhandled exception occurred whilst decorating page
-- url: /confluence/plugins/servlet/graphity-diagram-data-service | userName: anonymous | referer: http://baltar:1990/confluence/spaces/ds/pages/163841/Welcome+to+Confluence | traceId: c008f09e695eaf82
com.atlassian.sal.api.permission.AuthorisationException
It looks a lot as if the annotation is just completely ignored.
6.) The ultimate goal is to make this work for 7.x, 8.x AND 9.x, however rn I would be happy to make it work in 9.x, only (everything works nicely on older versions without any annotations)
What am I missing??? Do I need to call the servlet differently (it does work fine for logged-in users, though!)? Has anyone successfully managed to make anonymous access work and would be willing to share some insight?
Thanks
Jasmine
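
Added example (not part of the original post, and not the plugin's or Atlassian's code): a small Python triage script that scans a Confluence log for the "Access check is failed. Skipping Servlet" warning quoted above and reports which servlets were rejected only for anonymous requests. The first two sample lines are taken from the post; the `com.example.ReportServlet` record, the user `jdoe` and its trace id are constructed.

```python
import re
from collections import defaultdict

# Warning emitted when the servlet access check rejects a request
# (wording copied from the log excerpt in the post).
DENIED = re.compile(r"Access check is failed\. Skipping Servlet (?P<servlet>[\w.$]+)")
# Continuation line with request context: "-- url: ... | userName: ... | ..."
CONTEXT = re.compile(r"^\s*--\s+(?P<fields>.+)$")

# Lines 1-2 are from the post; lines 3-4 are constructed for illustration.
SAMPLE_LOG = """\
17:26:50,655 WARN [http-nio-1990-exec-10 url: /confluence/plugins/servlet/graphity-diagram-data-service] [confluence.servlet.ServletModuleContainerServlet] service Access check is failed. Skipping Servlet com.yworks.plugins.confluence.DiagramDataServlet
 -- url: /confluence/plugins/servlet/graphity-diagram-data-service | userName: anonymous | referer: http://baltar:1990/confluence/spaces/ds/pages/163841/Welcome+to+Confluence | traceId: c008f09e695eaf82
17:27:02,101 WARN [http-nio-1990-exec-3 url: /confluence/plugins/servlet/example-report] [confluence.servlet.ServletModuleContainerServlet] service Access check is failed. Skipping Servlet com.example.ReportServlet
 -- url: /confluence/plugins/servlet/example-report | userName: jdoe | referer: http://localhost:1990/confluence/ | traceId: 0000000000000001
"""

def parse_context(fields):
    """Split 'key: value | key: value' into a dict; values may contain ':'."""
    out = {}
    for part in fields.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            out[key.strip()] = value.strip()
    return out

def denied_servlets(log_text):
    """Map servlet class -> set of (userName, url) pairs that were rejected."""
    result = defaultdict(set)
    pending = None  # servlet named on a WARN line, awaiting its context line
    for line in log_text.splitlines():
        if pending:
            c = CONTEXT.match(line)
            ctx = parse_context(c.group("fields")) if c else {}
            result[pending].add((ctx.get("userName", "?"), ctx.get("url", "?")))
            pending = None
        m = DENIED.search(line)
        if m:
            pending = m.group("servlet")
    if pending:  # warning was the last line, so no context is available
        result[pending].add(("?", "?"))
    return dict(result)

def anonymous_only(denials):
    """Servlets where every rejected request came from the anonymous user."""
    return sorted(s for s, hits in denials.items()
                  if all(user == "anonymous" for user, _ in hits))

if __name__ == "__main__":
    print(anonymous_only(denied_servlets(SAMPLE_LOG)))
```
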