Can't set HTTP request Authorization header using REST endpoint in ScriptRunner for Jira Server

Ivo Bernardino July 3, 2020

I'm trying to set an HTTP request Authorization header through the REST endpoint option in ScriptRunner for Jira Server, to get a crumb from a Jenkins server:

    import com.onresolve.scriptrunner.runner.rest.common.CustomEndpointDelegate
    import groovy.transform.BaseScript

    import javax.ws.rs.core.MultivaluedMap
    import javax.ws.rs.core.Response
    import java.nio.charset.StandardCharsets

    @BaseScript CustomEndpointDelegate delegate

    triggerJenkinsBuild3(httpMethod: "GET") { MultivaluedMap queryParams ->

        // try 1: Groovy's own Base64 helper
        def authString = "admin:password".bytes.encodeBase64().toString()
        // try 2: java.util.Base64, platform default charset
        String userCredentials = "admin:password"
        String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()))
        // try 3: same as try 2, with the encoded bytes kept in a variable
        byte[] encodedBytes = Base64.getEncoder().encode(userCredentials.getBytes())
        String basicAuth2 = "Basic " + new String(encodedBytes)
        // try 4: explicit UTF-8 charset
        final byte[] authBytes = userCredentials.getBytes(StandardCharsets.UTF_8)
        final String encoded = Base64.getEncoder().encodeToString(authBytes)
        String basicAuth3 = "Basic " + encoded

        def baseURL = 'http://localhost:8080/crumbIssuer/api/json'
        URL url = new URL(baseURL)
        HttpURLConnection connection = (HttpURLConnection) url.openConnection()

        connection.requestMethod = "GET"
        connection.doOutput = true
        connection.setRequestProperty("Authorization", "Basic " + authString)
        connection.addRequestProperty("Content-Type", "application/json;charset=UTF-8")

        // collect the request headers before connecting
        def checkHeadersB4Request = []
        for (String header : connection.getRequestProperties().keySet()) {
            if (header != null) {
                for (String value : connection.getRequestProperties().get(header)) {
                    checkHeadersB4Request << header + ":" + value
                }
            }
        }

        connection.connect()

        // treat 200 through 204 as success and return the collected headers
        def status = connection.getResponseCode()
        if (status in 200..204) {
            Response.ok(checkHeadersB4Request).build()
        } else {
            Response.status(Response.Status.NOT_FOUND).entity(status).build()
        }
    }

As you can see, I'm checking ALL the headers of the request (notice the checkHeadersB4Request var) before sending it, and I am surprised by the output, since the Authorization header does not show up, as opposed to the Content-Type header:

[Image: Untitled.png]

I tried several ways to achieve this (notice try 1, try 2, etc.), but I always get the same result: all the headers get associated with the request, except the Authorization header.

NOTE: I know that the Content-Type header is not necessary in order to do this, I just added it to illustrate the issue a little bit better.

1 answer

0 votes
Ivo Bernardino July 7, 2020

According to this Stack Overflow link (https://stackoverflow.com/questions/2864062/getrequestpropertyauthorization-always-returns-null) it seems like the Authorization header always returns null when using the getRequestProperties() method due to a security feature of the HttpURLConnection class. This explains my issue.

Is there another way of checking if an Authorization header is correctly associated with a certain request?

Ivo Bernardino July 7, 2020

Well, I still don't know how to answer this question, but now I'm sure that my request has the Authorization header associated with it because I was able to trigger a Jenkins build through Jira (XRAY project).

It turns out I had a crumb problem, which I resolved by installing an add-on to Jenkins (Strict Crumb Issuer) and turning off the "check the session ID" feature:

[Image: Untitled.png]

Turning off security features is far from being a best practice, but at least it means that I'm doing something correctly. Will continue to improve my solution. Hopefully someone finds this monologue helpful in some way =)
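
One way to check what the question asks, as an added example that is not part of the original thread: because the client-side accessors of HttpURLConnection hide Authorization by design, point the same kind of connection at a throwaway loopback server (the JDK's built-in com.sun.net.httpserver.HttpServer) and inspect the headers that arrive. The /echo path and the demo-user:demo-token credentials are constructed placeholders, and the script is meant to run as a plain Groovy script.

```groovy
import com.sun.net.httpserver.HttpHandler
import com.sun.net.httpserver.HttpServer
import java.nio.charset.StandardCharsets
import java.util.concurrent.ConcurrentHashMap

// Constructed placeholder credentials for the demo; not real ones.
String credentials = 'demo-user:demo-token'
String expected = 'Basic ' +
        Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.UTF_8))

// Throwaway loopback server on an ephemeral port that records what it receives.
Map<String, List<String>> received = new ConcurrentHashMap<>()
HttpServer server = HttpServer.create(new InetSocketAddress('127.0.0.1', 0), 0)
server.createContext('/echo', { exchange ->
    exchange.requestHeaders.each { name, values -> received[name.toLowerCase()] = values }
    exchange.sendResponseHeaders(204, -1)   // 204 No Content, empty body
    exchange.close()
} as HttpHandler)
server.start()

try {
    def url = new URL("http://127.0.0.1:${server.address.port}/echo")
    HttpURLConnection conn = (HttpURLConnection) url.openConnection()
    conn.requestMethod = 'GET'
    conn.setRequestProperty('Authorization', expected)
    conn.setRequestProperty('Content-Type', 'application/json;charset=UTF-8')

    // Client-side view: the JDK filters Authorization out of both accessors.
    boolean listed = conn.requestProperties.keySet().any { it?.equalsIgnoreCase('Authorization') }
    assert !listed
    assert conn.getRequestProperty('Authorization') == null
    assert conn.getRequestProperty('Content-Type') != null

    // Server-side view: the header arrived with the expected value.
    assert conn.responseCode == 204
    boolean arrived = received['authorization'] == [expected]
    assert arrived

    // Report presence only; never write the credential itself to a log.
    println "listed by getRequestProperties(): ${listed}"
    println "received by server with expected value: ${arrived}"
} finally {
    server.stop(0)
}
```

The same check works against a real target by reading its access or audit log for the authenticated user name instead of recording headers, which avoids exposing the credential value anywhere.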
