[JSDSERVER-15461] When Jira Service Management is installed the wrong HTTP status code is sent when an unauthenticated request is made to Jira Core/Software REST API endpoints

Type: Bug
Resolution: Unresolved
Priority: Low
Fix Version/s: None
Affects Version/s: 5.4.0, 5.12.0, 5.17.0
Component/s: API and Integrations, Customer Portal
Labels:
- ril

Support reference count:
1
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

When Jira Service Management is installed, requests to Jira REST API may be answered with HTTP 302 instead of HTTP 401.

Steps to Reproduce

Install a vanilla instance of Jira Software Data Center.
- This was validated on Jira 9.4, 9.12 and 9.17, but certainly occurred on later versions.
Add a regular user without any application access; i.e. user001.
Create a sample business project; i.e BUZ.

Run a GET request to one of the issues from the BUZ project authenticating as user001.

curl -I \
  -u user001:user001 \
  '<Jira-Base-URL>/rest/api/latest/issue/BUZ-1'

Note the response is an HTTP 401 Unauthorized.

curl -I \
  -u user001:user001 \
  '<Jira-Base-URL>/rest/api/latest/issue/BUZ-1'


HTTP/2 401 
date: Mon, 22 Jul 2024 17:06:40 GMT
content-type: text/html;charset=UTF-8
x-arequestid: 1026x5299x1
x-anodeid: mycluster1
referrer-policy: strict-origin-when-cross-origin
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-security-policy: frame-ancestors 'self'
strict-transport-security: max-age=31536000
x-seraph-loginreason: AUTHORISATION_FAILED
www-authenticate: OAuth realm="https%3A%2F%2F<...redacted...>"
x-asessionid: 1h5expo

As a Jira administrator, go to Administration > Applications > Versions & licenses.
Install Jira Service Management and apply a valid JSM license.

Run a GET request to one of the issues from the BUZ project authenticating as user001.

curl -I \
  -u user001:user001 \
  '<Jira-Base-URL>/rest/api/latest/issue/BUZ-1'

Expected Results

The HTTP response remains the same, being a 401 - Unauthorized or 403 - Forbidden

Actual Results

The response is an HTTP 302 Found redirecting the user to the customer portal.

curl -I \
  -u user001:user001 \
  '<Jira-Base-URL>/rest/api/latest/issue/BUZ-1'


HTTP/2 302 
date: Mon, 22 Jul 2024 17:23:54 GMT
content-type: text/html;charset=UTF-8
x-arequestid: 1043x6003x1
x-anodeid: mycluster1
referrer-policy: strict-origin-when-cross-origin
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-security-policy: frame-ancestors 'self'
strict-transport-security: max-age=31536000
x-seraph-loginreason: OK
x-asessionid: v2xd3s
x-ausername: user001
location: /servicedesk/customer/portals

This may break integrations as they would be expecting a different HTTP response for this situation.

Workaround

Currently there is no known workaround for this behavior. A workaround will be added here when available.

relates to

CONFSERVER-78631 Jira issues macro fails to render with IOException error if the user doesn't have any Jira application access and Jira Service Management is installed

Gathering Impact

BSERV-13660 The error message in Jira issue preview in Bitbucket is misleading in case of the user doesn't have access to Jira

Long Term Backlog

links to

Internal ticket

Marc Dacanay made changes - 31/Oct/2024 6:22 AM

Labels

Original: ltsr ril

New: ril

Marc Dacanay made changes - 14/Oct/2024 11:47 PM

Labels

Original: ltsr

New: ltsr ril

Marc Dacanay made changes - 14/Oct/2024 11:47 PM

Remote Link

New: This issue links to "Internal ticket (Web Link)" [ 956108 ]

Marc Dacanay made changes - 06/Aug/2024 11:18 AM

Labels

New: ltsr

SET Analytics Bot made changes - 24/Jul/2024 4:04 AM

Support reference count

New: 1

Bartosz Ornatowski made changes - 23/Jul/2024 1:35 AM

Status

Original: Needs Triage [ 10030 ]

New: Gathering Impact [ 12072 ]

Thiago Masutti (Inactive) made changes - 22/Jul/2024 7:17 PM

Link

New: This issue relates to CONFSERVER-78631 [ CONFSERVER-78631 ]

Thiago Masutti (Inactive) made changes - 22/Jul/2024 7:16 PM

Link

New: This issue relates to BSERV-13660 [ BSERV-13660 ]

Thiago Masutti (Inactive) created issue - 22/Jul/2024 7:09 PM

Assignee:: Unassigned

Reporter:: Thiago Masutti (Inactive)

Affected customers:: 0 This affects my team

Watchers:: 3 Start watching this issue

Created:: 22/Jul/2024 7:09 PM

Updated:: 31/Oct/2024 6:22 AM

Details

Description

Issue Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Issue Links

Forms

Activity

People

Dates