CORS issues with JIRA REST API even after adding to whitelist

First of all, I apologize if anything I'm doing may seem extremely stupid (for lack of a better word) or wrong, as I have never developed a plugin before and don't work much in this area. 

I'm attempting to develop a plugin that has a button on a JIRA issue related to a test case and it will kick off a Jenkins build for the particular test case. When trying to use the JIRA REST API, I get errors regarding the CORS headers. I added localhost (since this is where I'm developing the plugin) to JIRA whitelist. I even went as far as to add many different variations since it still wasn't working.

After fixing this issue, I began experiencing authentication issues. The button executes some JavaScript code, so from what I have seen, it doesn't seem like it's really possible to send authentication through JavaScript. So, I decided to use the auth/1/session login, which does:

Creates a new session for a user in JIRA. Once a session has been successfully created it can be used to access any of JIRA's remote APIs and also the web UI by passing the appropriate HTTP Cookie header.

Note that it is generally preferable to use HTTP BASIC authentication with the REST API. However, this resource may be used to mimic the behaviour of JIRA's log-in page (e.g. to display log-in errors to a user).

I attempted to do so this way:

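var credentials = {"username": "admin", "password": "admin"};
// JIRA's REST resources live under /rest, so the session resource is /rest/auth/1/session
var authURL = "http://localhost:2990/jira/rest/auth/1/session";

var postClient = new XMLHttpRequest();
// Asynchronous request; synchronous XHR on the main thread is deprecated
postClient.open("POST", authURL, true);
postClient.setRequestHeader("Content-Type", "application/json");

// Register the handler before sending so the response is not missed
postClient.onreadystatechange = function () {
    if (postClient.readyState === 4) {
        console.log(postClient.status, postClient.responseText);
    }
};

// The body must be a JSON string; sending the object itself posts "[object Object]"
postClient.send(JSON.stringify(credentials));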

but when I tried this I got:

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. 

which is more or less the same, but sort of different I guess. I'm kind of at my wits' end here, so any help is greatly appreciated.
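
As an added illustration (not part of the original question and not JIRA's code), the sketch below models the check a browser applies to the preflight response for the JSON POST above. The page origin and both server responses are constructed sample values.

```javascript
// Added example: models the browser's CORS preflight check (simplified from the Fetch standard).
const SAFE_METHODS = ["GET", "HEAD", "POST"];
const SAFE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
// Lower-case header names and list tokens so comparisons are case-insensitive.
const lower = (h) => Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), v]));
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Request headers that force a preflight (value-length limits are ignored here).
function unsafeHeaders(headers) {
  return Object.entries(lower(headers)).filter(([name, value]) => {
    if (name === "content-type") return !SAFE_TYPES.includes(value.split(";")[0].trim().toLowerCase());
    return !["accept", "accept-language", "content-language"].includes(name);
  }).map(([name]) => name);
}

function needsPreflight(req) {
  return !SAFE_METHODS.includes(req.method) || unsafeHeaders(req.headers).length > 0;
}

// Returns { ok, reason } for the server's answer to the OPTIONS preflight.
function checkPreflight(req, res) {
  const h = lower(res.headers);
  const allowOrigin = h["access-control-allow-origin"];
  const fail = (reason) => ({ ok: false, reason });
  if (!allowOrigin) return fail("no Access-Control-Allow-Origin header");
  if (req.withCredentials) {
    if (allowOrigin !== req.origin) return fail("origin must match exactly when credentials are sent");
    if (h["access-control-allow-credentials"] !== "true") return fail("Access-Control-Allow-Credentials is not true");
  } else if (allowOrigin !== "*" && allowOrigin !== req.origin) {
    return fail("origin not allowed");
  }
  if (res.status < 200 || res.status > 299) return fail("preflight status is not 2xx");
  const wildcardOk = !req.withCredentials; // "*" only counts for non-credentialed requests
  const methods = list(h["access-control-allow-methods"]);
  const methodOk = SAFE_METHODS.includes(req.method) || methods.includes(req.method.toLowerCase());
  if (!methodOk && !(wildcardOk && methods.includes("*"))) return fail("method not allowed");
  const allowed = list(h["access-control-allow-headers"]);
  const missing = unsafeHeaders(req.headers).filter((n) => !allowed.includes(n) && !(wildcardOk && allowed.includes("*")));
  if (missing.length) return fail("header not allowed: " + missing.join(", "));
  return { ok: true, reason: "preflight passes" };
}

// Constructed inputs: the origin and both responses are made up for illustration.
const loginRequest = { origin: "http://localhost:8000", method: "POST",
  headers: { "Content-Type": "application/json" }, withCredentials: true };
const bareResponse = { status: 403, headers: {} };
const corsResponse = { status: 200, headers: {
  "Access-Control-Allow-Origin": "http://localhost:8000",
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Headers": "Content-Type" } };
console.log(needsPreflight(loginRequest), checkPreflight(loginRequest, bareResponse), checkPreflight(loginRequest, corsResponse));
```

The `application/json` content type is what turns the POST into a preflighted request, so the server has to answer the OPTIONS request itself with these headers before the login call is ever sent.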

2 answers

I'm facing the same situation. I even tried to enable CORS in Tomcat and still I get the forbidden response. The whitelist simply doesn't work; I can turn it off completely and still receive the 403 forbidden response. Will keep looking into it and post the results.

I am also having this issue. I have tried adding domains to the whitelist, disabling the whitelist completely and adding CORS filters to Tomcat, restarting the services each time. It appears that the whitelist just doesn't work. I tried IPs and domain names.

Any suggestions on what I could be missing here?
