Cross Origin Resource Sharing with JIRA REST API and Javascript

Michael Beasley July 12, 2012

I'm trying to create a web-based issue submission form outside of the JIRA UI (on another local server). I'm attempting to connect to the REST API using JavaScript and common AJAX methods. When I simply put the API URL in a browser address bar, I get the expected JSON returned.

But when I attempt to access the same URL via AJAX, I get

XMLHttpRequest cannot load http://mylocalurl:8008/rest/api/2/priority. Origin http://mylocalurl is not allowed by Access-Control-Allow-Origin.

I believe this to be a cross-origin resource sharing issue with the JIRA server, but I'm not sure how to rectify it in Tomcat. Here's some more info on CORS if it helps: http://enable-cors.org/

Any help would be greatly appreciated. Thanks in advance!

7 answers

1 accepted

7 votes
Answer accepted
Michael Beasley July 31, 2012

So I eventually found a solution. Kind of a pain though.

  1. First, you have to download, install and configure this CORS filter for the Tomcat server: http://software.dzhuvinov.com/cors-filter.htm
  2. You'll have to add some XML to your server config to permit access to various paths associated with the REST API:
    <filter-mapping>
        <filter-name>CORS</filter-name>
        <url-pattern>/rest/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CORS</filter-name>
        <url-pattern>/plugins/*</url-pattern>
    </filter-mapping>

    You could, instead, just put * and allow access to the entire server, on all paths.

  3. I had to configure the JIRA CORS filter to permit Authorization type headers. This was to address a "bug" in Chrome (I would say it's less of a bug and more of a web standard that Chrome follows that no one else does...).
    <init-param>
        <param-name>cors.supportedHeaders</param-name>
        <param-value>Origin, Accept, Authorization, Content-Type, X-Requested-With</param-value>
    </init-param>
  4. Lastly, just make sure that the CORS filter is configured to allow the various http methods that you intend to use. I think OPTIONS is a method that is used in some browsers to authorize the request and you should have it enabled.

I'm a little frustrated with the fact that JIRA has a REST API for remote access to the server, but doesn't permit CORS. I think that that should be incorporated.

Anyhow, good luck.

Rahul Aich [Nagra]
January 21, 2014

@Michael: Is this solution applicable to JIRA standalone installations?

Rahul

Laszlo Kremer
November 4, 2014

If you found a solution to a problem, please provide a well-written resolution. If you write "add some XML" then please tell us which files should be affected, and knowing that the web.xml has a lot of warnings that you shouldn't change several parts of it, please tell us the exact location of the file where you put the filters. Some of us are only asked to enable CORS, but never messed with the web.xml.

Laszlo Kremer
November 5, 2014

How to do it:

  • Download the cors-filter-2.1.2.jar and java-property-utils-1.9.1.jar from http://software.dzhuvinov.com/cors-filter-installation.html
  • Copy them under JIRA\atlassian-jira\WEB-INF\lib\ on your JIRA server
  • Open JIRA\atlassian-jira\WEB-INF\web.xml and add these lines after </description> but before <!-- Filters -->:

    <filter>
        <filter-name>CORS</filter-name>
        <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
        <init-param>
            <param-name>cors.supportedHeaders</param-name>
            <param-value>Accept, Authorization, Origin, Content-Type, X-Requested-With</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CORS</filter-name>
        <url-pattern>/rest/*</url-pattern>
    </filter-mapping>

  • Restart your JIRA server

This *will* work, and can be a good starting point if you only need to enable on a JIRA server. It will not work between applications which do have an application link between them, e.g. JIRA and Confluence can have an application link between them, but if they have, you will not be able to run a CORS request from Confluence to JIRA via an HTML macro, as JIRA will respond twice, as discussed here: https://answers.atlassian.com/questions/222396?src=search

Yagnesh Bhat April 4, 2016

@Laszlo Kremer, your above comment really helped, but I get this error when I try to make more AJAX calls from a HipChat dialog: XMLHttpRequest cannot load https://<my JIRA server>/rest/get-jira-user-from-email/1.0/getJiraUserFromEmailId?useremail=jirauser%40company.com. The 'Access-Control-Allow-Origin' header contains multiple values 'https://<my JIRA server>:3000, https://<my JIRA server>:3000', but only one is allowed. Origin 'https://<my JIRA server>:3000' is therefore not allowed access.
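
Added example, not part of any post in this thread: a simplified JavaScript model of the checks a browser runs on a CORS preflight response. It shows why a request carrying an Authorization header is blocked until that header is listed in cors.supportedHeaders, and why an Access-Control-Allow-Origin header that arrives twice is rejected. Function names and sample values are constructed.

```javascript
// Simplified model of a browser's preflight evaluation (added example).
// Not modelled: "*" in Allow-Methods/Allow-Headers, and Content-Type values
// that need no preflight. Function names and sample values are constructed.

// rawHeaders: [name, value] pairs as received, duplicates preserved.
function values(rawHeaders, name) {
  return rawHeaders
    .filter(([n]) => n.toLowerCase() === name.toLowerCase())
    .map(([, v]) => v.trim());
}

function tokens(list) {
  return list.join(',').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

function checkPreflight(request, rawHeaders) {
  const acao = values(rawHeaders, 'Access-Control-Allow-Origin');
  if (acao.length === 0) {
    return { allowed: false, reason: 'Access-Control-Allow-Origin missing' };
  }
  // A header added by two layers (filter and proxy) arrives twice and is rejected.
  if (acao.length > 1 || acao[0].includes(',')) {
    return { allowed: false, reason: 'multiple Access-Control-Allow-Origin values' };
  }
  if (acao[0] !== '*' && acao[0] !== request.origin) {
    return { allowed: false, reason: 'origin not allowed' };
  }
  const method = request.method.toLowerCase();
  const allowedMethods = tokens(values(rawHeaders, 'Access-Control-Allow-Methods'));
  if (!['get', 'head', 'post'].includes(method) && !allowedMethods.includes(method)) {
    return { allowed: false, reason: `method ${method} not allowed` };
  }
  // Authorization is never safelisted: it must be named in Allow-Headers.
  const safelisted = ['accept', 'accept-language', 'content-language'];
  const allowedHeaders = tokens(values(rawHeaders, 'Access-Control-Allow-Headers'));
  for (const h of request.headers.map((x) => x.toLowerCase())) {
    if (!safelisted.includes(h) && !allowedHeaders.includes(h)) {
      return { allowed: false, reason: `header ${h} not allowed` };
    }
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample: an AJAX call with Basic auth and a JSON body.
const sampleRequest = {
  origin: 'http://forms.example',
  method: 'POST',
  headers: ['Authorization', 'Content-Type'],
};
```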

Simon Tost _TNG_ July 21, 2017
7 votes
justin.reherman June 12, 2013

I use Apache, running on the same host, as a proxy.

(for port 80 and 443 functionality. See: Integrating JIRA with Apache)

This effectively breaks the advice given above. Until Atlassian enables support for CORS, I had to make a change to Apache instead of JIRA.

First: enable the headers module.

a2enmod headers

Then, in the vhost configuration:

Header set Access-Control-Allow-Origin "*"

Then restart/reload Apache for the changes to take effect.

You can replace "*" with whatever origin you would like to allow.

Note that in my situation I didn't have to make any change to the JIRA installation because the Apache Proxy lives on the same host as JIRA.

Christian May 4, 2014

Hey Justin,

thank you for this advice it was very helpful. I just had to add the Access-Control-Allow-Headers to connect JIRA (6.2.3) with Confluence (5.5).

Header set Access-Control-Allow-Origin "https://jira.example.com"
Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept"

Piyush_Annadate November 28, 2016

Which one should I really go for: Apache method by Justin or Laszlo?

Note: my JIRA is server and Tomcat is present.

Piyush_Annadate November 28, 2016

Also - new to this: how to "I had to make a change to Apache instead of JIRA."?

5 votes
Thomas Maldoner April 24, 2017

Hi there.

First of all, thanks for the hints to CORS Filter - I guess I wouldn't have solved it on my own.

Anyway, it took me some time to get it to work also with CORS filter, so I'd like to summarize what was needed for me:

  • Install CORS Filter like described above in /WEB-INF/lib (downloaded from https://mvnrepository.com/artifact/com.thetransactioncompany/cors-filter/2.5)
  • Configured web.xml - see below
  • Added Origin to JIRA Whitelist
  • Now I had some duplicated headers in the HTTP response
  • I removed those on the Apache Virtualhost which I use with ProxyPass for Tomcat
  • Set XMLHttpRequest.withCredentials to "true" on my client

Apache Virtualhost:

    SetEnvIf Origin "http(s)?://(www\.)?(.+)$" AccessControlAllowOrigin=$0
    Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
    Header set Access-Control-Allow-Credentials "true"


Read "Header set" as "Remove duplicated headers and add it a single time". Why don't I use "*" instead of dynamic Origin here? It's not allowed to combine "*" with XMLHttpRequest.withCredentials.

I think it could be left like this because if you remove Origin from JIRA Whitelist you end up with a 403 response.

web.xml Config:

    <filter>
        <filter-name>CORS</filter-name>
        <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
        <init-param>
            <param-name>cors.supportedHeaders</param-name>
            <param-value>Accept, Authorization, Origin, Content-Type, X-Requested-With, Cookie</param-value>
        </init-param>
        <init-param>
            <param-name>cors.supportedMethods</param-name>
            <param-value>GET, POST, OPTIONS, PUT, HEAD</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CORS</filter-name>
        <url-pattern>/rest/*</url-pattern>
    </filter-mapping>

You don't need cors.allowedOrigins here because it will be set from JIRA's Whitelist.

In the end it took me about 12 hours including research to get the JIRA REST API to work with my Angular frontend. All of what I found out and what dozens of other developers researched before me could be built in or at the very least be documented by the Atlassian team, especially because JIRA is packaged with Tomcat if you order a standalone version.

It's not only me trying to get this to work - over the last 3 days I found more than 30 reports on the official Atlassian community, asking for help.

This is kind of underwhelming.

Cheers Ben
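
The header logic of the vhost lines above, modelled in JavaScript next to an exact-match allowlist; this is an added example, not part of the original post. The pattern is copied from the SetEnvIf line, while the function names, the allowlist and the sample origins are constructed. It shows that the pattern echoes every http(s) origin, which leaves the JIRA whitelist as the only origin check, and that a browser rejects "*" on a request sent with withCredentials.

```javascript
// Added example. Function names, ALLOWLIST and sample origins are constructed.

// Pattern from the SetEnvIf line: it matches any http(s) origin.
const VHOST_PATTERN = /http(s)?:\/\/(www\.)?(.+)$/;

// Constructed allowlist for the exact-match variant.
const ALLOWLIST = ['https://frontend.example:4200'];

// What the vhost rule emits: the matched Origin ($0) echoed back, plus credentials.
function reflectOrigin(origin) {
  const m = origin ? VHOST_PATTERN.exec(origin) : null;
  if (!m) return {};
  return {
    'Access-Control-Allow-Origin': m[0],
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Alternative: echo the origin only on an exact match against a fixed list.
// Vary: Origin keeps caches from serving one origin's response to another.
function allowlistOrigin(origin, allowlist) {
  if (!origin || !allowlist.includes(origin)) return { Vary: 'Origin' };
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Browser-side rule for a request sent with withCredentials = true.
function browserAcceptsCredentialed(origin, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === '*') return false; // wildcard is never valid with credentials
  return acao === origin && headers['Access-Control-Allow-Credentials'] === 'true';
}
```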

pageflourin July 12, 2017

Hi,

May I ask for assistance on how I can modify these files when I only have CLI?

1 vote
Trevor Reed October 18, 2016

This might be helpful, but I'm still having problems with preflight CORS requests.

https://confluence.atlassian.com/adminjiraserver071/configuring-the-whitelist-802593145.html

1 vote
Andriy Zhdanov
November 6, 2012

I've asked for CORS support in JIRA: JRA-30371

Simon Tost _TNG_ July 21, 2017

Which was answered with: already present.
The suggestion was then cloned into JRASERVER-65362.

In parallel there is a Bug JRASERVER-59101

0 votes
Jonathan Yahoo July 31, 2012

thanks Michael, I realise now just how far short I was of getting this to work.

I'm going to look into moving my app into Jira as a plugin so as to avoid the CORS dependency.

much obliged,

Jonathan

0 votes
Jonathan Yahoo July 31, 2012

I have the same issue. I'm using ExtJS to consume the JSON, I think I've done everything at the javascript end to permit CORS but still no joy, so I suspect I need to get JIRA to issue a header along the lines of:

Access-Control-Allow-Origin: *

How do I get the JIRA web container to do this?

anyone?

