Jira Data Center: JRASERVER-34749

disable XSRF check property has no effect on REST API


Details

    Description

      When XSRF is disabled by setting jira.xsrf.enabled=false in jira-config.properties, as described on the page, it does not stop the XSRF check when using the JIRA REST API. However, the property does take effect when you try the same operation through a form in the browser.

      Steps to Reproduce:

      1. Set jira.xsrf.enabled=false in jira-config.properties
      2. Startup JIRA
      3. Double check the system info and verify that the property is picked up by JIRA
      4. Try to run the following cURL command without the "X-Atlassian-Token: nocheck" header:
        curl -D- -u admin:admin -X POST -F "file=@data.json" http://localhost:8605/rest/api/2/issue/TEST-10/attachments
        
      5. The POST request will fail due to the XSRF check:
        HTTP/1.1 100 Continue
        
        HTTP/1.1 404 Not Found
        Server: Apache-Coyote/1.1
        X-AREQUESTID: 930x34x1
        Set-Cookie: JSESSIONID=A0C11B22160D0CD729FF185C4BD54513; Path=/; HttpOnly
        X-Seraph-LoginReason: OK
        Set-Cookie: atlassian.xsrf.token=BJIT-YH5P-D3D6-OSCL|f436cd5126041ca4a65e8fda582a808e2866a8f4|lin; Path=/
        X-ASESSIONID: ill5f2
        X-AUSERNAME: admin
        Cache-Control: no-cache, no-store, no-transform
        Content-Type: text/html;charset=UTF-8
        Transfer-Encoding: chunked
        Date: Wed, 11 Sep 2013 07:30:43 GMT
        
        XSRF check failed
        

      Expected Result:

      The POST request should work and the attachment should be successfully added to the issue, as the XSRF check has been disabled in JIRA.

      Actual Result:

      The POST request failed with a 404 error because the XSRF check failed.

      Note:

      The POST works as soon as you add the token header:

      curl -D- -u admin:admin -X POST -H "X-Atlassian-Token: nocheck" -F "file=@data.json" http://localhost:8605/rest/api/2/issue/TEST-10/attachments
      

      On recent versions of Jira the header should be X-Atlassian-Token: no-check
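      The following is an added example, not code from this issue or from Atlassian, showing how a client should send the attachment upload described above so that it is not rejected by the REST XSRF filter: it builds the multipart/form-data body by hand (standard library only), sets the X-Atlassian-Token: no-check header, and recognises the 404 "XSRF check failed" response shown in the report. The base URL, issue key, file name and admin:admin credentials are placeholders taken from the cURL command in the description; the reason the header is required (a cross-site HTML form can submit multipart/form-data without any custom header, so a custom header is what proves the request did not come from such a form) is the editor's explanation, not something the issue states.

```python
"""Upload an attachment to a Jira issue with the X-Atlassian-Token header set.

Added example for JRASERVER-34749; not Atlassian code. Placeholders: base URL,
issue key, file name and credentials come from the issue's cURL command.
"""
import base64
import json
import secrets
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Jira's REST layer answers multipart POSTs that lack this header with
# 404 "XSRF check failed" even when jira.xsrf.enabled=false (the bug reported).
# The issue notes that recent versions expect "no-check"; the original report
# used "nocheck". Older servers may need the old spelling (assumption).
XSRF_HEADER = "X-Atlassian-Token"
XSRF_NO_CHECK = "no-check"


def build_multipart(field: str, filename: str, data: bytes,
                    content_type: str = "application/octet-stream",
                    boundary: Optional[str] = None) -> Tuple[bytes, str]:
    """Return (body, Content-Type value) for a single-file multipart form,
    equivalent to curl's -F "file=@data.json"."""
    boundary = boundary or secrets.token_hex(16)
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def build_attachment_request(base_url: str, issue_key: str, filename: str,
                             data: bytes, username: str, password: str
                             ) -> urllib.request.Request:
    """Build the POST /rest/api/2/issue/{key}/attachments request with basic
    auth and the XSRF bypass header. Separated from the network call so the
    headers can be inspected without a server."""
    body, ctype = build_multipart("file", filename, data)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    url = f"{base_url.rstrip('/')}/rest/api/2/issue/{issue_key}/attachments"
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", ctype)
    req.add_header("Authorization", f"Basic {token}")
    # Without this header Jira treats the multipart POST as a possible
    # cross-site form submission and rejects it regardless of the property.
    req.add_header(XSRF_HEADER, XSRF_NO_CHECK)
    return req


def is_xsrf_rejection(status: int, body: str) -> bool:
    """True when a response matches the failure shown in the issue:
    HTTP 404 with the text 'XSRF check failed' in the body."""
    return status == 404 and "XSRF check failed" in body


def upload_attachment(base_url: str, issue_key: str, filename: str,
                      data: bytes, username: str, password: str):
    """Perform the upload; raise a clear error if the XSRF filter rejected it."""
    req = build_attachment_request(base_url, issue_key, filename, data,
                                   username, password)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        text = err.read().decode(errors="replace")
        if is_xsrf_rejection(err.code, text):
            raise RuntimeError(
                "Jira REST XSRF filter rejected the upload; the "
                f"{XSRF_HEADER} header was not honoured") from err
        raise


if __name__ == "__main__":
    # Placeholder target from the issue's cURL command; needs a live Jira.
    print(upload_attachment("http://localhost:8605", "TEST-10", "data.json",
                            b'{"constructed": "sample"}', "admin", "admin"))
```

      The request builder is kept separate from the network call so a test or a proxy can confirm the header is present before anything is sent; if a server still answers 404 "XSRF check failed" with the header present, check whether it expects the older "nocheck" spelling.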

       

      People

        Assignee: Unassigned
        Reporter: TeckEn (yen@atlassian.com, inactive)
        Votes: 11
        Watchers: 23