Jira Service Management Data Center
JSDSERVER-15461

When Jira Service Management is installed the wrong HTTP status code is sent when an unauthorized request (a user with no application access) is made to Jira Core/Software REST API endpoints


      Issue Summary

      When Jira Service Management is installed, REST API requests from a user who has no application access may be answered with HTTP 302 (a redirect to the customer portal) instead of HTTP 401.

      Steps to Reproduce

      1. Install a vanilla instance of Jira Software Data Center.
        • This was validated on Jira 9.4, 9.12 and 9.17; later versions are likely affected as well.
      2. Add a regular user without any application access, e.g. user001.
      3. Create a sample business project, e.g. BUZ.
      4. Request one of the issues from the BUZ project through the REST API, authenticating as user001. (curl -I sends a HEAD request and prints only the response headers; the status code is what matters here.)
        curl -I \
          -u user001:user001 \
          '<Jira-Base-URL>/rest/api/latest/issue/BUZ-1'
        
      5. Note the response is an HTTP 401 Unauthorized, with x-seraph-loginreason: AUTHORISATION_FAILED:
        
        HTTP/2 401 
        date: Mon, 22 Jul 2024 17:06:40 GMT
        content-type: text/html;charset=UTF-8
        x-arequestid: 1026x5299x1
        x-anodeid: mycluster1
        referrer-policy: strict-origin-when-cross-origin
        x-xss-protection: 1; mode=block
        x-content-type-options: nosniff
        x-frame-options: SAMEORIGIN
        content-security-policy: frame-ancestors 'self'
        strict-transport-security: max-age=31536000
        x-seraph-loginreason: AUTHORISATION_FAILED
        www-authenticate: OAuth realm="https%3A%2F%2F<...redacted...>"
        x-asessionid: 1h5expo
        
      6. As a Jira administrator, go to Administration > Applications > Versions & licenses.
      7. Install Jira Service Management and apply a valid JSM license.
      8. Repeat the request from step 4, still authenticating as user001.
        curl -I \
          -u user001:user001 \
          '<Jira-Base-URL>/rest/api/latest/issue/BUZ-1'
        

      Expected Results

      The HTTP response remains the same: a 401 Unauthorized (or a 403 Forbidden, since the credentials are valid but the user has no application access).

      Actual Results

      The response is an HTTP 302 Found redirecting the user to the customer portal.

      curl -I \
        -u user001:user001 \
        '<Jira-Base-URL>/rest/api/latest/issue/BUZ-1'
      
      
      HTTP/2 302 
      date: Mon, 22 Jul 2024 17:23:54 GMT
      content-type: text/html;charset=UTF-8
      x-arequestid: 1043x6003x1
      x-anodeid: mycluster1
      referrer-policy: strict-origin-when-cross-origin
      x-xss-protection: 1; mode=block
      x-content-type-options: nosniff
      x-frame-options: SAMEORIGIN
      content-security-policy: frame-ancestors 'self'
      strict-transport-security: max-age=31536000
      x-seraph-loginreason: OK
      x-asessionid: v2xd3s
      x-ausername: user001
      location: /servicedesk/customer/portals
      
      This can break integrations, which expect a 401/403 for this situation. Note that the 302 response carries x-seraph-loginreason: OK and x-ausername: user001, so the user was authenticated and only the authorization outcome changed; a client that follows redirects ends up on the customer portal HTML page instead of receiving an error it can handle, and a client that does not follow them sees a 302 it was not written to treat as a failure.
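The check an integration would want, as an added example that is not part of this report or of Atlassian's code: a small Python client that requests the issue with Basic auth, refuses to follow redirects, and treats a 302 to the customer portal as an access denial rather than a success. The function names (probe_issue, classify), the base URL and the credentials passed on the command line are assumptions; the header values in the comments and in the classification are the ones shown in the report above.

```python
# Added example (not from the JSDSERVER-15461 report or Atlassian's code):
# a client-side check that never follows redirects, so the 302 described
# above surfaces as an access failure instead of silently becoming a
# customer-portal HTML page. probe_issue/classify are assumed names.
import base64
import sys
import urllib.error
import urllib.request

PORTAL_PREFIX = "/servicedesk/customer/portals"   # Location header seen in the report


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse every 3xx; urllib then raises HTTPError for it, which we catch."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers):
    """Map a Jira REST response to an outcome an integration can act on.

    headers: mapping of response header name -> value (any case).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if 200 <= status < 300:
        return "ok"
    if status in (401, 403):
        return "denied"                      # the pre-JSM behaviour from the report
    if status == 302 and h.get("location", "").startswith(PORTAL_PREFIX):
        # Seraph reports OK and names the user (x-ausername), so this is not an
        # authentication failure: the user logged in but has no Jira access and
        # JSM redirected them to the customer portal. Treat it as denied.
        return "denied-jsm-portal-redirect"
    if 300 <= status < 400:
        return "redirect"                    # e.g. a login page; still not a success
    return "error"


def probe_issue(base_url, user, password, issue_key, timeout=10):
    """GET /rest/api/latest/issue/<key> with Basic auth; never follow redirects."""
    url = f"{base_url.rstrip('/')}/rest/api/latest/issue/{issue_key}"
    req = urllib.request.Request(url, method="GET")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            hdrs = dict(resp.headers.items())
            return resp.status, hdrs, classify(resp.status, hdrs)
    except urllib.error.HTTPError as err:    # 3xx/4xx/5xx all land here
        hdrs = dict(err.headers.items())
        return err.code, hdrs, classify(err.code, hdrs)


if __name__ == "__main__":
    # Usage (assumed values): python probe.py https://jira.example.test user001 user001 BUZ-1
    if len(sys.argv) != 5:
        sys.exit("usage: probe.py <Jira-Base-URL> <user> <password> <issue-key>")
    status, hdrs, outcome = probe_issue(*sys.argv[1:5])
    print(status, outcome, hdrs.get("X-Seraph-LoginReason"), hdrs.get("Location"))
    sys.exit(0 if outcome == "ok" else 1)
```

The important design choice is the NoRedirect handler: curl without -L already stops at the 302, but HTTP libraries such as python-requests (allow_redirects=True by default) follow a 302 on GET and would return the portal page with a 2xx, hiding the denial entirely.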

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.

              Assignee: Unassigned
              Reporter: Thiago Masutti (tmasutti)