JRASERVER-13878

JIRA RSS feed from unsaved filter running over SSL does not prompt for authentication

      Summary: If running JIRA over SSL and your RSS feed is for an unsaved filter, you need to add "&os_authType=basic" in order to be prompted for authentication; however, if your RSS feed is for a saved filter, you do not.

      In Firefox:

      1. Make sure that you are logged out of https://support.atlassian.com (a JIRA instance running over SSL).

      2. Click on the following link, which is the RSS feed for an issue filter that has not been saved:

      https://support.atlassian.com/sr/jira.issueviews:searchrequest-rss/temp/SearchRequest.xml?&query=field+level+security&summary=true&description=true&pid=10000&created%3Abefore=1%2FJun%2F04&tempMax=1000

      JIRA will return an empty RSS feed (even though some issues do match the filter), without prompting for credentials. Given that it is running over SSL, I would have thought that the browser would have prompted me for credentials. Intuitively, that is what I would expect.

      3. Try instead the following link, which is the RSS feed for an issue filter that has been saved:

      https://support.atlassian.com/sr/jira.issueviews:searchrequest-rss/11812/SearchRequest-11812.xml?tempMax=1000

      The browser will in this case prompt for authentication, and after authenticating you will get the RSS feed for the matching set of issues.

      4. Go to https://support.atlassian.com and log out. Then close and restart Firefox.

      5. Try the following link, which is the one from step 2 (RSS feed from an unsaved filter), but with "&os_authType=basic" appended to the URL:

      https://support.atlassian.com/sr/jira.issueviews:searchrequest-rss/temp/SearchRequest.xml?&query=field+level+security&summary=true&description=true&pid=10000&created%3Abefore=1%2FJun%2F04&tempMax=1000&os_authType=basic

      This time it does prompt you for credentials, and after authenticating you will get the RSS feed for the matching set of issues.

      (Note that for a JIRA instance not running over SSL but still requiring authentication, if you request an RSS feed without supplying an &os_authType=basic as part of the URL, you get an empty feed.)

      Back in step 3, when the feed was for a saved filter (without specifying "&os_authType"), after you have authenticated and received the feed, the URL in the browser is:

      https://support.atlassian.com/sr/jira.issueviews:searchrequest-rss/11812/SearchRequest-11812.xml?os_authType=basic

      Note the "&os_authType=basic" at the end. So it looks like a re-direction has happened in which we have specified that basic authentication is required, and that this re-direction does not happen if the RSS feed is for an unsaved filter.

      This is confirmed by using Live Headers to look at the HTTP Headers for the request for the RSS feed for the saved filter. They include a 301 request. There is no such request in the headers for the unsaved filter RSS request.

      https://support.atlassian.com/sr/jira.issueviews:searchrequest-rss/11812/SearchRequest-11812.xml?tempMax=1000

      GET /sr/jira.issueviews:searchrequest-rss/11812/SearchRequest-11812.xml?tempMax=1000 HTTP/1.1
      Host: support.atlassian.com
      User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.6) Gecko/20071008 Ubuntu/7.10 (gutsy) Firefox/2.0.0.6
      Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 300
      Connection: keep-alive
      Cookie: jira.conglomerate.cookie=; JSESSIONID=aT9GpSjplOp98Hu8_x

      HTTP/1.x 301 Moved Permanently
      Date: Fri, 02 Nov 2007 05:59:57 GMT
      Server: Apache/2.0.52 (Red Hat)
      Location: https://support.atlassian.com/sr/jira.issueviews:searchrequest-rss/11812/SearchRequest-11812.xml?os_authType=basic
      Content-Length: 0
      Content-Type: text/html; charset=UTF-8
      Connection: close
      ----------------------------------------------------------
      
      https://support.atlassian.com/sr/jira.issueviews:searchrequest-rss/11812/SearchRequest-11812.xml?os_authType=basic

      GET /sr/jira.issueviews:searchrequest-rss/11812/SearchRequest-11812.xml?os_authType=basic HTTP/1.1
      Host: support.atlassian.com
      User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.6) Gecko/20071008 Ubuntu/7.10 (gutsy) Firefox/2.0.0.6
      Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 300
      Connection: keep-alive
      Cookie: jira.conglomerate.cookie=; JSESSIONID=aT9GpSjplOp98Hu8_x

      HTTP/1.x 401 Unauthorized
      Date: Fri, 02 Nov 2007 05:59:58 GMT
      Server: Apache/2.0.52 (Red Hat)
      WWW-Authenticate: BASIC realm="protected-area"
      Content-Length: 0
      Content-Type: text/html; charset=UTF-8
      Connection: close
      ----------------------------------------------------------
      
      https://support.atlassian.com/sr/jira.issueviews:searchrequest-rss/11812/SearchRequest-11812.xml?os_authType=basic

      GET /sr/jira.issueviews:searchrequest-rss/11812/SearchRequest-11812.xml?os_authType=basic HTTP/1.1
      Host: support.atlassian.com
      User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.6) Gecko/20071008 Ubuntu/7.10 (gutsy) Firefox/2.0.0.6
      Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 300
      Connection: keep-alive
      Cookie: jira.conglomerate.cookie=; JSESSIONID=aT9GpSjplOp98Hu8_x
      Authorization: Basic aWRhbmllbDpIaWtXYWZhaQ==

      HTTP/1.x 200 OK
      Date: Fri, 02 Nov 2007 06:00:00 GMT
      Server: Apache/2.0.52 (Red Hat)
      Cache-Control: no-cache, no-store, must-revalidate
      Pragma: no-cache
      Expires: Wed, 31 Dec 1969 23:59:59 GMT
      Content-Type: text/xml;charset=UTF-8
      Connection: close
      Transfer-Encoding: chunked
      ----------------------------------------------------------
      

      I got the same results in the following feed readers:

      The issue is much more significant for non-browser-based feed readers (e.g. Thunderbird and Feedreader), since for browsers, when you click on the link for an RSS feed from JIRA, it is usually from within JIRA, in which case you will have authenticated already.

      (I was unable to test this in Outlook 2007, as I cannot get a JIRA RSS feed running over SSL working in Outlook 2007. This may or may not be a bug. I need to do more testing.)

      I got the same results when using a support customer's Internet-facing JIRA instance running over SSL.

      So, I think it is a bug, because intuitively, if I enter a URL for a web site that is running over SSL, and I have not authenticated yet, I expect to be prompted for authentication, either in a web page (form-based authentication), or with the browser (or feed reader) prompting me (basic authentication).

      If you end up deciding that it is not a bug, however, we need to update our documentation - the Accessing protected data section of http://www.atlassian.com/software/jira/docs/latest/navigatorviews.html - to indicate that, even if running over SSL, you should append the "&os_authType=basic" if your RSS feed is for an unsaved filter. Or we could say to always do it, including when running over SSL.
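
An added example, not part of the original report and not Atlassian code: a Python check that labels unauthenticated responses to feed URLs along the lines the report distinguishes (redirect, Basic challenge, silent empty feed) and rewrites the silently empty ones with the os_authType=basic parameter. The captures and the empty feed body are constructed, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

BASE = "https://support.atlassian.com/sr/jira.issueviews:searchrequest-rss"

def with_basic_auth(url):
    """Return url with os_authType=basic present exactly once in the query."""
    parts = urlsplit(url)
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "os_authType"]
    pairs.append(("os_authType", "basic"))
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def item_count(body):
    """Number of <item> elements in an RSS body, or None if it is not XML."""
    try:
        # Constructed input only; parse untrusted feeds with a hardened parser.
        return sum(1 for _ in ET.fromstring(body).iter("item"))
    except ET.ParseError:
        return None

def classify(status, headers, body=""):
    """Label how the server answered a request that carried no credentials."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 and h.get("www-authenticate", "").lower().startswith("basic"):
        return "challenge"
    if status in (301, 302) and "os_authType=basic" in h.get("location", ""):
        return "redirect-to-basic"
    if status == 200 and item_count(body) == 0:
        return "silent-empty-feed"
    return "other"

# Constructed captures modelled on the report; the empty feed body is made up.
EMPTY_FEED = "<rss version='0.92'><channel><title>JIRA</title></channel></rss>"
CAPTURES = [
    (BASE + "/11812/SearchRequest-11812.xml?tempMax=1000", 301,
     {"Location": BASE + "/11812/SearchRequest-11812.xml?os_authType=basic"}, ""),
    (BASE + "/11812/SearchRequest-11812.xml?os_authType=basic", 401,
     {"WWW-Authenticate": 'BASIC realm="protected-area"'}, ""),
    (BASE + "/temp/SearchRequest.xml?&query=field+level+security&tempMax=1000", 200,
     {"Content-Type": "text/xml;charset=UTF-8"}, EMPTY_FEED),
]

def feeds_needing_parameter(captures):
    """Map each silently-empty feed URL to the URL that forces a Basic prompt."""
    return {url: with_basic_auth(url) for url, status, headers, body in captures
            if classify(status, headers, body) == "silent-empty-feed"}

if __name__ == "__main__":
    for old, new in feeds_needing_parameter(CAPTURES).items():
        print(old, "->", new)
```

An anonymous 200 with zero items can also come from a filter that matches nothing, so confirm a flagged feed against an authenticated fetch before treating it as this behaviour.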

              idaniel Ian Daniel [Atlassian]