XSRF check failed - 403

Sebastian Hermes June 16, 2020

Hi,

I want to call our Jira Server REST API via JavaScript. I added the following filter for CORS in the web.xml:

<filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
    <init-param>
        <param-name>cors.supportedHeaders</param-name>
        <param-value>Accept, Authorization, Origin, Content-Type, X-Requested-With</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportedMethods</param-name>
        <param-value>GET, POST, HEAD, OPTIONS, PUT, DELETE</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/rest/*</url-pattern>
</filter-mapping>

But now I get a 403 - XSRF check failed error. Does anyone have an idea what I am missing? My request looks like the following:

var issueUrl = "https://jira.server.com/rest/api/2/issue/";

var client = new XMLHttpRequest();
client.open("POST", issueUrl);

client.setRequestHeader("Content-Type", "application/json");
// username, password and data are defined elsewhere in the page's script
client.setRequestHeader("Authorization", "Basic " + btoa(username + ":" + password));

client.onload = function () {
    // response handling omitted here
};
var jsonData = JSON.stringify(data);
client.send(jsonData);

I found an answer to set the request header "X-Atlassian-Token" to "no-check". But I think this is not for requests via browsers.

My Jira version is 8.5. Thank you for your help!

2 answers

1 vote
Lukas Meili August 17, 2021

Hi, I know this is a very old issue but I just stumbled upon this problem as well and I thought I might be able to help people with the same issue. In our case, there were two possible solutions. 

- Change the User-Agent header (not possible, as far as I know, in Chrome)

- Whitelist/Allowlist the origin domain in Jira. When you send a request to the Jira API your browser automatically populates the "Origin" header. You need to add that value to the whitelist/allowlist in Jira. -> See here: Configuring the allowlist | Jira | Atlassian Documentation
Type "Domain" should work.

See the issue documented by Atlassian:

REST API calls with a browser User-Agent header may fail CSRF checks | Jira | Atlassian Documentation

Volodymyr Krupach
Rising Star
March 11, 2024

Thank you!
Was getting this for "rest/api/2/issue/search" POST in a REST client browser addon. Setting "User-Agent" header to any random value resolves this.
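The three fixes discussed in this thread (a non-browser User-Agent, an allowlisted Origin, or the X-Atlassian-Token: no-check header) can be compared without a Jira instance with the following added example. It is not code from the thread or from Atlassian: it is a simplified model of the XSRF rule that the linked KB article describes (a request with a browser-style User-Agent must carry the no-check header or come from the Jira base URL or an allowlisted origin), plus a model of the CORS filter's preflight check against cors.supportedHeaders. The base URL is the one from the question; the allowlist entry, the page origins and the "Mozilla/" prefix test are constructed assumptions.

```javascript
// Added example, not code from the original thread or from Jira itself.
// Simplified model of Jira Server's XSRF rule for REST calls (as described in
// the linked Atlassian KB article) and of the CORS filter's preflight check.

const JIRA_BASE_URL = "https://jira.server.com";           // from the question
const SAMPLE_ALLOWLIST = ["https://intranet.example.com"];  // constructed sample

// The cors.supportedHeaders value from the question's web.xml, as a list.
const QUESTION_SUPPORTED_HEADERS = [
  "Accept", "Authorization", "Origin", "Content-Type", "X-Requested-With",
];

// Assumption: "browser-style" User-Agent means a value starting with "Mozilla/".
function isBrowserUserAgent(ua) {
  return typeof ua === "string" && ua.startsWith("Mozilla/");
}

function originOf(value) {
  try { return new URL(value).origin; } catch { return null; }
}

function lowerKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
}

// Model of the XSRF decision Jira makes for a REST request.
function xsrfCheck(headers, opts = {}) {
  const h = lowerKeys(headers);
  const base = originOf(opts.baseUrl || JIRA_BASE_URL);
  const allowlist = (opts.allowlist || SAMPLE_ALLOWLIST).map(originOf);

  // Explicit opt-out header mentioned in the question.
  if (h["x-atlassian-token"] === "no-check") {
    return { ok: true, reason: "X-Atlassian-Token: no-check present" };
  }
  // Fix 1 from the answer: non-browser clients are not subject to the check.
  if (!isBrowserUserAgent(h["user-agent"])) {
    return { ok: true, reason: "non-browser User-Agent" };
  }
  // Fix 2 from the answer: the calling page is the Jira base URL or allowlisted.
  const source = originOf(h["origin"] || h["referer"] || "");
  if (source !== null && (source === base || allowlist.includes(source))) {
    return { ok: true, reason: "origin allowlisted" };
  }
  return { ok: false, status: 403, reason: "XSRF check failed" };
}

// Model of the CORS filter's preflight: every non-simple header the page wants
// to send must appear in cors.supportedHeaders (case-insensitive); otherwise
// the preflight is refused and the browser never sends the real request.
function preflightAllowsHeaders(supportedHeaders, requestedHeaders) {
  const supported = new Set(supportedHeaders.map((s) => s.toLowerCase()));
  const missing = requestedHeaders.filter((r) => !supported.has(r.toLowerCase()));
  return { ok: missing.length === 0, missing };
}

// Headers as a browser would send them for the XMLHttpRequest in the question.
// User-Agent and Origin are set by the browser; page script cannot change them.
function questionRequestHeaders(pageOrigin, extra = {}) {
  return {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) constructed-sample",
    "Origin": pageOrigin,
    "Content-Type": "application/json",
    "Authorization": "Basic <base64-credentials-placeholder>",
    ...extra,
  };
}

// Walk through the scenarios from the thread.
const cases = {
  asQuestion: xsrfCheck(questionRequestHeaders("https://app.example.com")),
  withNoCheck: xsrfCheck(questionRequestHeaders("https://app.example.com",
    { "X-Atlassian-Token": "no-check" })),
  allowlistedOrigin: xsrfCheck(questionRequestHeaders("https://intranet.example.com")),
  restClientAddon: xsrfCheck({ "User-Agent": "my-rest-client/1.0" }),
  preflightForNoCheck: preflightAllowsHeaders(QUESTION_SUPPORTED_HEADERS,
    ["Content-Type", "Authorization", "X-Atlassian-Token"]),
};
console.log(JSON.stringify(cases, null, 2));
```

Two practical consequences follow from the model. From a web page, only the allowlist or the no-check header can help, because the browser owns User-Agent and Origin; the User-Agent workaround applies to REST client tools, as in the comment above. And with the supportedHeaders list from the question, adding X-Atlassian-Token to the request makes the CORS preflight fail before Jira ever sees it, so the header must be added to cors.supportedHeaders as well. Since a custom header forces a preflight, the CORS origin allowlist remains the control that decides which pages may send it; keep cors.allowOrigin to the specific page origin rather than "*".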

0 votes
Mathis Hellensberg
Rising Star
June 16, 2020

I made this guide for myself. Might help you as well :) Remember to restart your Jira instance afterwards.

  1. Download cors-filter-2.6.jar and java-property-utils-1.9.1.jar from http://software.dzhuvinov.com/cors-filter-installation.html and place them inside “C:\Program Files\Atlassian\Jira\lib”, or the matching path for your specific installation.
  2. Open up “web.xml” located under “C:\Program Files\Atlassian\Jira\atlassian-jira\WEB-INF“.
  3. Add the following filter and filter-mappings in the corresponding sections. This means placing the <filter> part with the other <filters> and the <filter-mapping> with the other <filter-mappings>.
<!-- ==================== CORS configuration ====================== -->

<filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.mycompany.cors.CORSFilter</filter-class>
    <init-param>
        <param-name>cors.allowOrigin</param-name>
        <param-value></param-value>  <!-- use http: or https: depending on your configuration -->
    </init-param>
    <init-param>
        <param-name>cors.supportedMethods</param-name>
        <param-value>GET, POST, HEAD, OPTIONS, PUT, DELETE</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Sebastian Hermes June 16, 2020

Thanks for your answer. My cors.allowOrigin was missing, but I get the same error. I had already copied the jar files into the lib folder.

Mathis Hellensberg
Rising Star
June 16, 2020

Can you confirm you placed the <filter> part with the existing <filters> and the <filter-mapping> with the existing <filter-mappings> and not just together somewhere?

Also did you make sure to restart your Jira instance afterwards? :)

Sebastian Hermes June 16, 2020

<filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
    <init-param>
        <param-name>cors.supportedHeaders</param-name>
        <param-value>Accept, Authorization, Origin, Content-Type, X-Requested-With</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportedMethods</param-name>
        <param-value>GET, POST, HEAD, OPTIONS, PUT, DELETE</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowOrigin</param-name>
        <param-value>*</param-value>
    </init-param>
</filter>

<!-- =====================================================
     THIS MUST BE THE LAST FILTER IN THE DEFINED CHAIN
     ===================================================== -->
<filter>
    <filter-name>JiraLastFilter</filter-name>
    <filter-class>com.atlassian.jira.web.filters.JiraLastFilter</filter-class>
</filter>

...

<!-- =====================================================
     FILTER MAPPINGS FOLLOW :
     ===================================================== -->

<!-- Special filters that must come at the beginning of the chain because they prevent
     all other filters from running. This is to prevent those later filters from doing
     lookups in Pico, which could alter the order in which it instantiates components
     and thereby trigger a deadlock. -->

<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/rest/*</url-pattern>
</filter-mapping>

This is my web.xml and I restarted the Jira Atlassian service.

Mathis Hellensberg
Rising Star
June 16, 2020

I see small differences, nothing major. I would like you to try and copy the exact thing I posted, just to see if it makes any difference. Also try putting just "/*" instead of "/rest/*".

You can change it back afterwards :)

Sebastian Hermes June 16, 2020

I copied your code into my XML. But I have to take the filter-class "thetransactioncompany", otherwise Jira won't start. But I get the same error.

I also tried the filter from Tomcat itself. But this filter doesn't work either. A little bit frustrating :D
