Workflow Trigger creation fails when Bitbucket Server is on SSL with security constraint configured to redirect HTTP requests to HTTPS

Summary

Workflow triggers don't work if Bitbucket Server is on SSL, and has a Security Constraint configured to redirect requests from HTTP to HTTPS.
Removing this security constraint from Bitbucket Server fixes the issue.

Environment

• JIRA 6.4.11
• Bitbucket Server 4.0.1, and Stash 3.11.2
• Self-signed certificates (separate certs) for both JIRA and Bitbucket Server to run over HTTPS, hostname localhost

Steps to Reproduce

1. Set up JIRA and Bitbucket Server on SSL as per BitBucket server ssl docs and JIRA SSL docs, both with their own self-signed certificates.
2. Set up security constraint for JIRA: ($JIRA_INSTALL/atlassian-jira/WEB-INF/web.xml)

      <security-constraint>
     <web-resource-collection>
       <web-resource-name>all-except-attachments</web-resource-name>
       <url-pattern>*.jsp</url-pattern>
       <url-pattern>*.jspa</url-pattern>
       <url-pattern>/browse/*</url-pattern>
     </web-resource-collection>
     <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
   </security-constraint>
   
   

   For Bitbucket Server: $BITBUCKET_SERVER_INSTALL/atlassian-bitbucket/WEB-INF/web.xml)

   <security-constraint>
       <web-resource-collection>
           <web-resource-name>HTTPSOrHTTP</web-resource-name>
           <url-pattern>/status*</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
           <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
   </security-constraint>
   <security-constraint>
        <web-resource-collection>
            <web-resource-name>HTTPSOnly</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
   </security-constraint>
   
   

1. Add server's self-signed certificates to both JIRA and Bitbucket Server's respective keystores.
2. Applink both JIRA and Bitbucket Server.
3. Go back to JIRA, and try adding a workflow trigger.

Expected Results

1. Workflow triggers are added successfully without problems.

Actual Results

1. The workflow trigger fails to add with error in UI:
2. In the Chrome dev tools, we can see the capabilities check for the workflow trigger fails:

   appLinkDiagnosticResults: [{name: "Stash", type: "Stash",…}],…}
   appLinkDiagnosticResults: [{name: "Stash", type: "Stash",…}]
   0: {name: "Stash", type: "Stash",…}
   accessible: false
   icon: "https://localhost:8444/jirassl/s/en_US3u0el9/64026/4/4.3.10/_/download/resources/com.atlassian.applinks.applinks-plugin:applinks-images/images/types/16stash.png"
   inboundStatus: "UNKNOWN"
   local2LOConfigured: "NOT_TESTED"
   name: "Stash"
   outboundStatus: "UNKNOWN"
   remote2LOConfigured: "NOT_TESTED"
   supportedVersion: false
   type: "Stash"
   working: false
   devToolsDocoUrl: "https://docs.atlassian.com/jira/docs-064/Integrating+JIRA+with+Code+Development+Tools"
   dvcsDiagnosticResult: {pluginConnected: true, dvcsAccountDiagnosticResults: []}
   dvcsAccountDiagnosticResults: []
   pluginConnected: true
   
   

Notes

1. No errors in both JIRA and Bitbucket Server logs.
2. Removing the security constraint on Bitbucket Server, and then restarting, fixes the problem.
3. Note that all other applink functionality (dev panel, viewing JIRA issues in Stash etc) works without problems, only the Triggers are affected by this.

Workaround

There is no workaround if you absolutely need to include the security constraint in Bitbucket Server.
In contrast, the workaround is to remove the constraint for Bitbucket Server only.