-
Bug
-
Resolution: Fixed
-
High
-
2.3.3
-
Severity 1 - Critical
-
NOTE: This bug report is for JIRA Service Desk Server. Using JIRA Service Desk Cloud? See the corresponding bug report.
We have a plugin that injects some javascript into SD customer portal. This plugin embellishes some custom fields with HTML generated based on REST calls to the plugin's REST endpoints.
Our customer reported that their 'customer' users do not the proper embellishments, instead they get some Javascript error. It turned out that when a user who is not in jira-users (an SD 'customer') is accessing the page with our plugin on it, the plugin makes a REST call that gets 302-redirected to /servicedesk/customer/portal/1. Which means that everything gets broken. Adding @AnonymousAllowed annotation to the plugin's endpoint does not help, as it only works when the user is actually not logged-in. When they log in, apparently SD servlet filter (or whatever) redirects blindly to a bad place.
This is breaking our plugin in very bad ways and we are likely losing sales because of this.
Are there any workarounds for this behaviour? I have tried injecting a serlet filter, but it is not being invoked.
The plugin in question is https://marketplace.atlassian.com/plugins/com.spartez.jira.plugins.ephor-for-jira, but the behaviour can be trivially reproduced with any plugin that has a REST endpoint. Just log in as an SD 'customer' and go to plugin's REST endpoint
- relates to
-
-
- Closed
-
-
![[JIRA Server (Bulldog)]](/images/icons/generic_link_16.png "[JIRA Server (Bulldog)]")
JSDS-81
You do not have permission to view this issue
- depends on
-
SDECO-318 Failed to load
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[JSDSERVER-1640] SD redirects calls to any plugin's REST endpoints to /servicedesk/customer/portal/1
maybe this helps:
i was having the same problem and this worked.
In order for a plugin's REST paths to be available to customers, the plugin need this in atlassian-plugin.xml:
<!-- Allow the REST paths to run in customer context by default. We can opt out specifically inside it -->
<customercontext key="<some key>" path="/rest/<foo-bar>">
<uri regex="/.*"/>
</customercontext>
There are also two annotations that can be used to control whether a Resource or Resource Method is run in CustomerContext or not:
com.atlassian.servicedesk.api.rest.annotations.RunInCustomerContext
and
com.atlassian.servicedesk.api.rest.annotations.RunOutOfCustomerContext
JSD-970 says that RedirectExternalCustomerToPortalFilter is doing this. Is there a way to choke it for my plugin's REST endpoints? I would really want to handle these calls, even if users are not jira-users
Hi there,
We have the same problem, but with a servlet. We send the link to a servlet in our plugin, and when users click the link, they go to jira, and jsd (if present) redirects them to the portal. They cannot use our plugin.
The thing with the workaround given above is that it forces to add a servicedesk dependency to our plugin, which does not require one. And it also ties the plugin to a JSD version, and a JIRA version.
Currently our plugin works on JIRA 6.3 to JIRA 7.2. I'm not using atlassian-scanner or any new things (spring context with usual spring component scan).
But adding a dependency to JIRA Atlassian service desk rest annotations plugin generates during build a spring.xml file which contains Atlassian scanner 2 references which :
Is there another way to protect REST/servlet calls for customers and/or simply for users not yet logged in ?
Is there a way to remove the generated spring.xml file with a xmlns:atlassian-scanner dependency during build ?