How can I make a plugin servlet allow non-authenticated users?

I am writing a stash plugin and I would like to show a servlet which non-authenticated users can see (it might, for example, just show status of pull requests or something). I don't want to have to create a service account just for this. According to the user is redirected to a login page if not logged in before my code is reached. Is there an annotation or change to my atlassian-plugin.xml that can change this?

EDIT: clarification

No, I don't have any permission check done

anywhere, it is "built in". In the link I posted, atlassian writes:

Our web application first checks whether the user is logged in. If not, it redirects the user to the login page. We use the SAL User Manager feature to make sure that the current user is an administrator, so we need to add this dependency to our project file.

My code looks like this


<servlet key="buildSuccessReporting" name="Build Success Reporting Servlet" class="com.palantir.stash.stashbothelper.admin.BuildSuccessReportingServlet">

public class BuildSuccessReportingServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {

        // SNIP - leaving out irrelevant logic here

        Writer w = res.getWriter();
        w.append("output here");

This works when logged in, but issues a 302 to /login when I am not authenticated. I want to change that.



2 answers

0 votes

You must have the permission check done somewhere. Maybe you can share your code?

No, see my clarification above, I have no authentication handling code at all.

Good news. Finally, after long last, I figured out what my problem was.

First off, if you use certain APIs (like RepositoryService.getRepoById()) you will get com.atlassian.stash.exception.AuthorisationException: You are not permitted to access this resource caused by Access is denied

This is what was "checking auth". None of my code was, so it seemed like I wasn't checking auth, but the APIs do.

If you want to get around this, one choice is to embed credentials and post to a rest API to run calls like this. This is a mess, but it was what we were doing for a long-ass time.

FINALLY, I found a much better way.

class StupidOperation implements Operation<Void, Exception> {
    Void perform() throws Exception {
        // do something...
// Later in your code:
SecurityService.doWithPermission("Some Auditing String", Permission.REPO_READ, new StupidOperation());

/* An example of this can be found in stashbot on github roughly here (when I push it, in the next day or two from making this post):


Suggest an answer

Log in or Sign up to answer
Community showcase
Posted yesterday in United States

From Atlassian: Confluence Security Advisory - 2019-03-20

Atlassian released a security advisory on 3/20/2019.  The full advisory is here: In a nutshe...

22 views 0 1
View post

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you