How can I make a plugin servlet allow non-authenticated users?

I am writing a stash plugin and I would like to show a servlet which non-authenticated users can see (it might, for example, just show status of pull requests or something). I don't want to have to create a service account just for this. According to https://developer.atlassian.com/display/DOCS/Creating+an+Admin+Configuration+Form the user is redirected to a login page if not logged in before my code is reached. Is there an annotation or change to my atlassian-plugin.xml that can change this?

EDIT: clarification

No, I don't have any permission check done

anywhere, it is "built in". In the link I posted, atlassian writes:

Our web application first checks whether the user is logged in. If not, it redirects the user to the login page. We use the SAL User Manager feature to make sure that the current user is an administrator, so we need to add this dependency to our project file.

My code looks like this

atlassian-plugin.xml

<servlet key="buildSuccessReporting" name="Build Success Reporting Servlet" class="com.palantir.stash.stashbothelper.admin.BuildSuccessReportingServlet">
        <url-pattern>/stashbot/build-reporting/*</url-pattern>
    </servlet>

BuildSuccessReportingServlet.java

public class BuildSuccessReportingServlet extends HttpServlet {
    @Override
    public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {

        // SNIP - leaving out irrelevant logic here

        res.reset();
        res.setStatus(200);
        res.setContentType("text/plain;charset=UTF-8");
        Writer w = res.getWriter();
        w.append("output here");
        w.close();
    }
}

This works when logged in, but issues a 302 to /login when I am not authenticated. I want to change that.

Thanks!

-Carl

2 answers

This widget could not be displayed.

You must have the permission check done somewhere. Maybe you can share your code?

No, see my clarification above, I have no authentication handling code at all.

This widget could not be displayed.

Good news. Finally, after long last, I figured out what my problem was.

First off, if you use certain APIs (like RepositoryService.getRepoById()) you will get com.atlassian.stash.exception.AuthorisationException: You are not permitted to access this resource caused by org.springframework.security.access.AccessDeniedException: Access is denied

This is what was "checking auth". None of my code was, so it seemed like I wasn't checking auth, but the APIs do.

If you want to get around this, one choice is to embed credentials and post to a rest API to run calls like this. This is a mess, but it was what we were doing for a long-ass time.

FINALLY, I found a much better way.

class StupidOperation implements Operation<Void, Exception> {
    Void perform() throws Exception {
        // do something...
    }
}
// Later in your code:
SecurityService.doWithPermission("Some Auditing String", Permission.REPO_READ, new StupidOperation());

/* An example of this can be found in stashbot on github roughly here (when I push it, in the next day or two from making this post):
https://github.com/palantir/stashbot/blob/master/src/main/java/com/palantir/stash/stashbot/admin/BuildSuccessReportingServlet.java
And

https://github.com/palantir/stashbot/blob/master/src/main/java/com/palantir/stash/stashbot/util/RepoIdFetcherOperation.java

*/

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted yesterday in Jira

What modern development practices are at the heart of how your team delivers software?

Hey Community mates! Claire here from the Software Product Marketing team. We all know software development changes rapidly, and it's often tough to keep up. But from our research, we've found the h...

69 views 0 1
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you