It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

CORS issues with JIRA REST API even after adding to whitelist

First of all, I apologize if anything I'm doing may seem extremely stupid (for lack of a better word) or wrong, as I have never developed a plugin before and don't work much in this area. 

I'm attempting to develop a plugin that has a button on a JIRA issue related to a test case and it will kick off a Jenkins build for the particular test case. When trying to use the JIRA REST API, I get errors regarding the CORS headers. I added localhost (since this is where I'm developing the plugin) to JIRA whitelist. I even went as far as to add many different variations since it still wasn't working.

After fixing this issue, I began experiencing authentication issues. The button executes some javascript code so from what I have seen, it doesn't seem like it's really possible to send authentication through javascript. So, I decided to use the auth/1/session login which does: 

Creates a new session for a user in JIRA. Once a session has been successfully created it can be used to access any of JIRA's remote APIs and also the web UI by passing the appropriate HTTP Cookie header.

Note that it is generally preferrable to use HTTP BASIC authentication with the REST API. However, this resource may be used to mimic the behaviour of JIRA's log-in page (e.g. to display log-in errors to a user).

I attempted to do so this way:

var credentials = {"username": "admin", "password": "admin"};
var authURL = "http://localhost:2990/jira/auth/1/session";

var postClient = new XMLHttpRequest();"POST", authURL, false);
postClient.setRequestHeader("Content-type", "application/json");

postClient.onreadystatechange = function () {
    if(postClient.readyState == 4) {

but when I tried this I got:

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. 

which is more or less the same, but sort of different I guess. I'm kind of at my witt's end here so, any help is greatly appreciated.

2 answers

I'm facing the same situation, I even tried to enable CORS in Tomcat and still I get the forbidden response, the whitelist simply doesn't work, I can turn it off completely and still receive the 403 forbidden response. Will keep looking into it and post the results.

I am also having this issue, have tried adding domains to the whitelist, disabling the whitelist completely and adding CORS filters to tomcat. Restarting the services each time. It appears that the whitelist just dosent work. Tried IPs and domain names. 

Any suggestions on what I could be missing here?

Suggest an answer

Log in or Sign up to answer
Community showcase
Published in Jira

Jira Cloud for Google Sheets: Automatically Refresh Your Data!

Remember that time you realized it was possible to refresh your Jira data in Google sheets with just one click? What if we told you that you can now get the latest data with no clicks at all?! Zero! ...

610 views 3 13
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you