JIRA 5.1.3 and Juniper IVE (Instant Virtual Extranet)

Hi,

This is a long shot, but is anyone using JIRA 5.1.x with Juniper IVE for extranet access to JIRA?

After upgrading to JIRA 5.1.3 we're seeing an issue with Rapid Boards where a security exception is being thrown that is resulting in a blank page being displayed rather than the rapid board. The error being thrown is:

Security Error: Content at https://<juniper ive url>/secure/,DanaInfo=<jira url>,Port=8080+RapidBoard.jspa?rapidView=20&useStoredSettings=true may not load data from http://<jira url>:8080/secure/RapidBoard.jspa?rapidView=20.

so it looks like there's javascript being delivered to the client browser via the Juniper IVE url that contains calls to the backend JIRA url which are triggering some sort of cross site scripting protection.

Direct access to the rapid boards is all working fine, it's just when users are accessing via Juniper IVE that this problem is being reported.

If anyone is using Juniper IVE is there a setting to tell it to rewrite the URLs?

Cheers,

Andrew.

5 answers

1 accepted

0 votes
Accepted answer
We finally got a fix for this which required an upgrade of Juniper. Apparently Juniper cold not handle rewriting the HTML5 used by Rapid Boards, but an upgrade to 7.4R2 (build 24401), which had a specific fix for HTML5 rewriting, has fixed the issue.

Hi Andrew,

This error happens often when JIRA is running behind a proxy (not necessarily Juniper IVE). Would you make sure that the JIRA Base URL is set accordingly the FQDN from IVE?

Best regards,
Lucas Timm

Hi Lucas,

Ah, that makes sense, but I think that may break things for people who are not accessing via IVE? The majority of our users access JIRA directly using <JIRA url>, but a small number access via IVE using <IVE url>. If I change the base URL to <IVE url> that's going to break things for people accessing directly isn't it?

Cheers,

Andrew.

Andrew,

The answer for your question depends a lot of your internal environment.
Setting the JIRA BaseURL to the IVE's FQDN will enforce JIRA to lookup its internal references over IVE. If you have some user which are currently browsing JIRA through the direct URL but have no access to IVE, they will see many misbehaviors in JIRA (in dashboard, gadgets, etc).

Best regards,
Lucas Timm

Thanks Lucas. Brain not functioning correctly today :/ Was told everything was working with current config on 4.4.4, but broke with 5.1.3 now I'm not so sure. More testing at my end I think.

Brain slightly more in gear, but I don't think changing the Base URL is going to work for this. With Juniper IVE the URLs are of the form:

https://portal.mycompany.com/secure/,DanaInfo=jira.mycompany.com,Port=8080+Dashboard.jspa

i.e. the URL, port and path are parameters to the Juniper IVE URL rather than Juniper just masking the backend hostname.

With the base URL set to jira.mycompany.com Juniper is correctly rewriting *most* of the URLs to the portal.mycompany.com/secure/,DanaInfo.... format, but for the URLs on the Agile boards that are triggering the security error it's re-writing them as:

https://portal.mycompany.com/s/en_USozt91j/782/12/ce494a197ed0b0eae57d6525479972de/_/download/contextbatch/js/gh-rapid/,DanaInfo=jira.mycompany.com,Port=8080,CT=js+batch.js

rather than:

https://portal.mycompany.com/secure/,DanaInfo=jira.mycompany.com,Port=8080+s/en_USozt91j/782/12/ce494a197ed0b0eae57d6525479972de/_/download/contextbatch/js/gh-rapid/batch.js

i.e. it's sticking the path to batch.js in the wrong place.

More digging to find out if there's a pattern to URLs it rewrites correctly and ones it doesn't.

Andrew.

Hi,

We are using jira behind juniper sa too. And got the same errors.

We tried to rewrite the js scripts or use proxy mode / proxy server, but no chance to get running properly.

It would be nice to get Jira running properly behind SSL-VPN's like Juniper SA.

For us it is not an option to change the fqdn in Jira.

The dashboard with the gadgets and issue navigator and project view are working fine. Only the Agile and Rapidboard stuff does not working fine.

Thanks,

Hi,

Anybody who have resolved this issue without changing JIRA base URL?

Kerem

I am also running into this issue since upgrading to Jira 5. I tried using updated the JIRA base URL with the fully qualified domain name and I still run into issues with the issue navigator and Green Hopper.


Any suggestions for things to try would be appreciated.

Our IT dept upgraded the firmware to Juniper 8.0R1 recently and it resolved this issue. Thanks Andrew for the solution.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Nov 27, 2018 in Portfolio for Jira

Introducing a new planning experience in Portfolio for Jira (Server/DC)

In the past, Portfolio for Jira required a high degree of detail–foresight that was unrealistic for many businesses to   have–in   order to produce a reliable long-term roadmap. We're tur...

2,911 views 19 22
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you