REST API plugin with redirect through Jira's login page

Paul Woolley June 19, 2018

Hi all.

I have developed a simple REST API plugin for Jira server 7.9 that exposes a protected resource (i.e. the method does not have the @AnonymousAllowed annotation on it).

Let's say the protected resource is found at /rest/myrestresource/latest/message

Imagining a browser was trying to GET this resource, and the user was not logged in to Jira Server or otherwise did not have a valid cookie, what I would like to happen is this:

  1. Browser does a GET request on /rest/myrestresource/latest/message.
  2. No valid cookie is sent, the user is not authenticated, so Jira Server responds with something like a 303 redirect and the browser redirects the user to Jira's login page.
  3. The user logs in through Jira's login page, gets a valid cookie, and the now authenticated user is automatically forwarded on to the original /rest/myrestresource/latest/message.

I have seen this behaviour with other plugins (ones that are installed under /plugins/servlet/..., not specifically REST API plugins), but when looking at their source code, it's not obvious to me where this behaviour comes from.

I've also seen that the login page has some capability to forward to a URL after logging in using /login.jsp?os_destination={somewhere}, but I just can't see how to put it all together in my case.

Can anybody shed any light on if this is possible with REST API plugins and, if so, how to implement it?

Thanks in advance, Paul.

1 answer

0 votes
Answer accepted
Paul Woolley July 5, 2018

Solved this problem in a slightly different way in the end by creating a plain, servlet-based JIRA plugin using...

atlas-create-jira-plugin

...instead of a REST API type plugin from...

atlas-create-refapp-plugin

By using the plain, servlet-based type of JIRA plugin, there was no authentication filter getting in the way of calling my servlet's doGet method. I was able to have full access to the request and response objects through the doGet method signature:

@Override
protected void doGet(final HttpServletRequest req, final HttpServletResponse resp) throws ServletException, IOException {
...
}

I was then able to do things like check if the request was from a logged in user with:

ComponentAccessor.getJiraAuthenticationContext().isLoggedInUser()

...and redirect incoming requests for non-logged in users...

resp.sendRedirect("/login.jsp?os_destination=" + URLEncoder.encode(returnUrl, "UTF-8"));

N.B. I found that the redirect after the login page would only work if the returnUrl was back to my servlet and not, e.g., Google or somewhere else.
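
The redirect described in the answer above, as an added example that is not part of the original post or of Jira's own code: it builds the os_destination value from the incoming request and only ever emits a path on the same server, which matches the N.B. about off-site destinations. The class and method names are hypothetical, the sample values are constructed, and it assumes os_destination is interpreted relative to Jira's context path.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;

// Hypothetical helper (added example): not part of Jira's API or the poster's plugin.
public final class LoginRedirect {

    // True only for a path on this server: one leading slash, no scheme,
    // no host, no backslashes or control characters.
    static boolean isLocalPath(String dest) {
        if (dest == null || !dest.startsWith("/") || dest.startsWith("//")) {
            return false;
        }
        for (char c : dest.toCharArray()) {
            if (c < 0x20 || c == 0x7f || c == '\\') {
                return false;
            }
        }
        try {
            URI uri = new URI(dest);
            return !uri.isAbsolute() && uri.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false; // unparseable input is treated as unsafe
        }
    }

    // Arguments map to req.getContextPath(), getServletPath(), getPathInfo(), getQueryString().
    static String loginUrl(String contextPath, String servletPath, String pathInfo, String query)
            throws UnsupportedEncodingException {
        String returnUrl = servletPath
                + (pathInfo == null ? "" : pathInfo)
                + (query == null ? "" : "?" + query);
        if (!isLocalPath(returnUrl)) {
            returnUrl = "/"; // fall back to the application root
        }
        // Assumption: os_destination is interpreted relative to the context path.
        return contextPath + "/login.jsp?os_destination=" + URLEncoder.encode(returnUrl, "UTF-8");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values.
        System.out.println(loginUrl("/jira", "/plugins/servlet/message", null, "id=7&tab=all"));
        System.out.println(loginUrl("", "/plugins/servlet/message", "/latest", null));
        System.out.println(isLocalPath("//example.com/x"));
        System.out.println(isLocalPath("https://example.com/x"));
    }
}
```

In doGet, the result would be passed to resp.sendRedirect(...) when the user is not logged in. The context path is prepended because sendRedirect resolves a location with a leading slash against the container root, not the web application.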
