Details
Bug
Resolution: Timed out
Medium
None
4.3, 4.4
JIRA 4.4 in Studio August release
4.03
Severity 2 - Major
Description
When logging in via REST (as per http://confluence.atlassian.com/display/JIRADEV/JIRA+REST+API+%28Alpha%29+Tutorial#JIRARESTAPI%28Alpha%29Tutorial-UserAuthentication), clients call the http://hostname/rest/auth/ resource. They then take the JSESSIONID from the response body and use it for authentication on subsequent calls.
However, when authenticating to a JIRA instance that is using Crowd SSO (e.g. JIRA inside Studio), JSESSIONID is not enough - they also need to have the Crowd token in order to correctly authenticate. This means that a REST client tested against a normal JIRA instance will fail against SSO-enabled instances.
I think we should either modify the auth method to return SSO cookies as well, or remove the JSESSIONID from the body and force clients to pick up all cookies from the header.
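The failure described in this report, reproduced offline as an added example (not code from JIRA, Crowd or the reporter). The stub server, its cookie values, the `/rest/api/x` path and the SSO cookie name `crowd.token_key` are assumptions made for the demonstration.

```python
import http.cookiejar, http.server, json, threading
import urllib.error, urllib.request

SSO_COOKIE = "crowd.token_key"  # assumed SSO cookie name; check your deployment

class StubSSOJira(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for an SSO-enabled instance, not real JIRA code."""
    def do_GET(self):
        if self.path == "/rest/auth/":        # login: body carries JSESSIONID only
            body = json.dumps({"JSESSIONID": "sess-123"}).encode()
            self.send_response(200)
            self.send_header("Set-Cookie", "JSESSIONID=sess-123; Path=/; HttpOnly")
            self.send_header("Set-Cookie", f"{SSO_COOKIE}=sso-456; Path=/; HttpOnly")
        else:                                  # every other path needs both cookies
            sent = self.headers.get("Cookie", "")
            ok = "JSESSIONID=sess-123" in sent and f"{SSO_COOKIE}=sso-456" in sent
            body = b"{}"
            self.send_response(200 if ok else 401)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass         # keep the demo quiet

def status(opener, request):
    """Return the HTTP status code, including for error responses."""
    try:
        with opener.open(request) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_demo():
    with http.server.ThreadingHTTPServer(("127.0.0.1", 0), StubSSOJira) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}"
        try:
            # Client 1: copies only JSESSIONID out of the response body.
            with urllib.request.urlopen(base + "/rest/auth/") as resp:
                sid = json.load(resp)["JSESSIONID"]
            req = urllib.request.Request(base + "/rest/api/x",
                                         headers={"Cookie": f"JSESSIONID={sid}"})
            body_only = status(urllib.request.build_opener(), req)
            # Client 2: a cookie jar keeps every Set-Cookie header from the login.
            jar = http.cookiejar.CookieJar()
            opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
            opener.open(base + "/rest/auth/").close()
            with_jar = status(opener, base + "/rest/api/x")
            return body_only, with_jar, sorted(c.name for c in jar)
        finally:
            server.shutdown()
```

Calling `run_demo()` returns the status seen by the body-only client, the status seen by the cookie-jar client, and the cookie names the jar captured from the login response.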