Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Gaining WebSudo access while using rest/api/2

I'm using a groovy script together with the rest/api/2 to try and delete a user from a group. The call to DELETE rest/api/2/group/user return status 401 with the message "This resource requires WebSudo.". Since I didn't see anyway to use the rest/api/2 to gain WebSudo I tried creating a POST request to websudoauthenticate, with the session id and atlassian token in the cookie tag of the header taken from the authentication call I made previously.

I get a 302 Found response, but still can do the delete. 

Is this the right way to go about gaining WebSudo rights in a script?

Here are my calls:

basic authorization:

def resp = get(headers: ['Authorization': "Basic ${authString}"],
        path: "${rest_api_prefix}myself")
resp.getHeaders('Set-Cookie').each {
    String cookie = it.value.split(';')[0]
    println (cookie.toString())
    def parts =  cookie.split("=")
    if (parts[0] == "atlassian.xsrf.token") {
        atlassian_session_cookie = parts[1]
        println "found atlassian session cookie $atlassian_session_cookie"
assert resp.status == 200

trying to get WebSudo

def cookie_string = cookies.join(";")
def resp = post(
        path : 'secure/admin/WebSudoAuthenticate.jspa',
        headers: ['Cookie': cookie_string,
                  'X-Atlassian-Token' : 'no-check'],
    requestContentType : URLENC,
    query : [webSudoPassword: config.rest_api_client.password,
             webSudoDestination: 'rest/api/2/group/user',
             webSudoIsPost: false,
             atl_token: atlassian_session_cookie]
assert resp.status == 302 // is this the status I should get?

trying to delete the user from the group

def issuesResponse = delete(
        path: '${rest_api_prefix}group/user',
        headers: ['Cookie': cookie_string],
        query: [groupname : aGroupname, username : aUsername ]

1 answer

Comments for this post are closed

Community moderators have prevented the ability to post new answers.

Post a new question

I got this working with the following calls. I changed the above call to get WebSudo, removing unnecessary query parameters.

def cookie_string = cookies.join(";")
def resp
log.debug "Authorizing user with WebSudo: <${config.rest_api_client.username}"
resp =
     path : 'jira/secure/admin/WebSudoAuthenticate.jspa',
     headers: ['Cookie': cookie_string],
                requestContentType : URLENC,
                query : [webSudoPassword: config.rest_api_client.password.toString()]
assert resp.status == 302

And added the atlassian token to the delete request.

def resp = myRESTClient.delete(
        path: "${rest_api_prefix}group/user",
        headers: ['Cookie': cookie_string],
        query : [username: aUsername,
                 groupname: aGroupname,
                 atl_token: atlassian_session_cookie

This worked for me!

Works like a charm! Thanks a lot!


Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you