When Jira Service Management is installed the wrong HTTP status code is sent when an unauthenticated request is made to Jira Core/Software REST API endpoints

    • Severity 3 - Minor

      Issue Summary

      When Jira Service Management is installed, requests to the Jira REST API made by a user who has no Jira application access may be answered with HTTP 302 (a redirect to the JSM customer portal) instead of HTTP 401.

      Steps to Reproduce

      1. Install a vanilla instance of Jira Software Data Center.
        • This was validated on Jira 9.4, 9.12 and 9.17, and is expected to occur on later versions as well.
      2. Add a regular user without any application access; e.g. user001.
      3. Create a sample business project; e.g. BUZ.
      4. Run a GET request to one of the issues from the BUZ project, authenticating as user001.
        curl -I \
          -u user001:user001 \
          '<Jira-Base-URL>/rest/api/latest/issue/BUZ-1'
        
      5. Note the response is an HTTP 401 Unauthorized; x-seraph-loginreason: AUTHORISATION_FAILED indicates the user was authenticated but is not authorised to use Jira.
        HTTP/2 401 
        date: Mon, 22 Jul 2024 17:06:40 GMT
        content-type: text/html;charset=UTF-8
        x-arequestid: 1026x5299x1
        x-anodeid: mycluster1
        referrer-policy: strict-origin-when-cross-origin
        x-xss-protection: 1; mode=block
        x-content-type-options: nosniff
        x-frame-options: SAMEORIGIN
        content-security-policy: frame-ancestors 'self'
        strict-transport-security: max-age=31536000
        x-seraph-loginreason: AUTHORISATION_FAILED
        www-authenticate: OAuth realm="https%3A%2F%2F<...redacted...>"
        x-asessionid: 1h5expo
        
      6. As a Jira administrator, go to Administration > Applications > Versions & licenses.
      7. Install Jira Service Management and apply a valid JSM license.
      8. Run the same GET request against the BUZ issue again, authenticating as user001.
        curl -I \
          -u user001:user001 \
          '<Jira-Base-URL>/rest/api/latest/issue/BUZ-1'
        

      Expected Results

      The HTTP response remains the same: a 401 Unauthorized or 403 Forbidden.

      Actual Results

      The response is an HTTP 302 Found redirecting the user to the JSM customer portal (Location: /servicedesk/customer/portals). Note that x-seraph-loginreason is now OK and x-ausername is set, so the request is treated as authenticated and redirected rather than rejected.

      curl -I \
        -u user001:user001 \
        '<Jira-Base-URL>/rest/api/latest/issue/BUZ-1'
      
      
      HTTP/2 302 
      date: Mon, 22 Jul 2024 17:23:54 GMT
      content-type: text/html;charset=UTF-8
      x-arequestid: 1043x6003x1
      x-anodeid: mycluster1
      referrer-policy: strict-origin-when-cross-origin
      x-xss-protection: 1; mode=block
      x-content-type-options: nosniff
      x-frame-options: SAMEORIGIN
      content-security-policy: frame-ancestors 'self'
      strict-transport-security: max-age=31536000
      x-seraph-loginreason: OK
      x-asessionid: v2xd3s
      x-ausername: user001
      location: /servicedesk/customer/portals
      
      This may break integrations that expect a 401 or 403 for this situation. A client that follows redirects (for example curl -L) receives the customer portal HTML page instead of an error response, so an authorization failure can be mistaken for a successful request.
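The following is an added example, not code from the original issue or from Atlassian: a small POSIX sh helper that reproduces the curl check from the steps above and classifies the response so that the customer-portal redirect is reported as an authorization failure rather than followed. The function names (classify_headers, jira_get), the result labels, the constructed header samples and the base URL in the usage comment are all assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original issue): classify a Jira REST API
# response so that the JSM customer-portal redirect is treated as an
# authorization failure instead of a success or an ordinary redirect.
# Assumptions: POSIX sh, curl, and a Jira base URL supplied by the caller.

# classify_headers reads raw HTTP response headers from stdin and prints:
#   ok           2xx status
#   auth-failed  401 or 403, or a 3xx whose Location is the JSM customer portal
#   redirect     any other 3xx
#   error        anything else (including no status line at all)
classify_headers() {
    status=""
    location=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')   # strip CRLF line endings
        case "$line" in
            HTTP/*)
                # Status line, e.g. "HTTP/2 302 " or "HTTP/1.1 401 Unauthorized".
                status=$(printf '%s' "$line" | cut -d' ' -f2)
                ;;
            [Ll]ocation:*)
                # Header names are case-insensitive; HTTP/2 sends them lowercased.
                location=${line#*:}
                location=$(printf '%s' "$location" | sed 's/^[[:space:]]*//')
                ;;
        esac
    done
    case "$status" in
        2??) echo ok ;;
        401|403) echo auth-failed ;;
        3??)
            case "$location" in
                # The redirect target seen in this issue: /servicedesk/customer/portals
                */servicedesk/customer*) echo auth-failed ;;
                *) echo redirect ;;
            esac
            ;;
        *) echo error ;;
    esac
}

# jira_get issues a GET (not HEAD) with basic auth, prints only the response
# headers, and deliberately does not pass -L, so the 302 stays visible.
# Usage (hypothetical host):
#   jira_get 'https://jira.example.com' user001 'secret' /rest/api/latest/issue/BUZ-1
jira_get() {
    base_url=$1; user=$2; pass=$3; path=$4
    curl -sS -o /dev/null -D - -u "$user:$pass" "$base_url$path" | classify_headers
}
```

The classifier is kept separate from the network call so it can be exercised against captured headers; an integration that already follows redirects should instead disable that and branch on the Location header as shown here.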

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.

            Assignee:
            Unassigned
            Reporter:
            Thiago Masutti (Inactive)
            Votes:
            0
            Watchers:
            3