It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

How can I make a plugin servlet allow non-authenticated users?

Carl Myers Jun 10, 2013

I am writing a stash plugin and I would like to show a servlet which non-authenticated users can see (it might, for example, just show status of pull requests or something). I don't want to have to create a service account just for this. According to https://developer.atlassian.com/display/DOCS/Creating+an+Admin+Configuration+Form the user is redirected to a login page if not logged in before my code is reached. Is there an annotation or change to my atlassian-plugin.xml that can change this?

EDIT: clarification

No, I don't have any permission check done

anywhere, it is "built in". In the link I posted, atlassian writes:

Our web application first checks whether the user is logged in. If not, it redirects the user to the login page. We use the SAL User Manager feature to make sure that the current user is an administrator, so we need to add this dependency to our project file.

My code looks like this

atlassian-plugin.xml

<servlet key="buildSuccessReporting" name="Build Success Reporting Servlet" class="com.palantir.stash.stashbothelper.admin.BuildSuccessReportingServlet">
        <url-pattern>/stashbot/build-reporting/*</url-pattern>
    </servlet>

BuildSuccessReportingServlet.java

public class BuildSuccessReportingServlet extends HttpServlet {
    @Override
    public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {

        // SNIP - leaving out irrelevant logic here

        res.reset();
        res.setStatus(200);
        res.setContentType("text/plain;charset=UTF-8");
        Writer w = res.getWriter();
        w.append("output here");
        w.close();
    }
}

This works when logged in, but issues a 302 to /login when I am not authenticated. I want to change that.

Thanks!

-Carl

2 answers

0 votes
Jobin Kuruvilla [Go2Group] Community Leader Jun 10, 2013

You must have the permission check done somewhere. Maybe you can share your code?

Carl Myers Jun 10, 2013

No, see my clarification above, I have no authentication handling code at all.

0 votes
Carl Myers Apr 24, 2014

Good news. Finally, after long last, I figured out what my problem was.

First off, if you use certain APIs (like RepositoryService.getRepoById()) you will get com.atlassian.stash.exception.AuthorisationException: You are not permitted to access this resource caused by org.springframework.security.access.AccessDeniedException: Access is denied

This is what was "checking auth". None of my code was, so it seemed like I wasn't checking auth, but the APIs do.

If you want to get around this, one choice is to embed credentials and post to a rest API to run calls like this. This is a mess, but it was what we were doing for a long-ass time.

FINALLY, I found a much better way.

class StupidOperation implements Operation<Void, Exception> {
    Void perform() throws Exception {
        // do something...
    }
}
// Later in your code:
SecurityService.doWithPermission("Some Auditing String", Permission.REPO_READ, new StupidOperation());

/* An example of this can be found in stashbot on github roughly here (when I push it, in the next day or two from making this post):
https://github.com/palantir/stashbot/blob/master/src/main/java/com/palantir/stash/stashbot/admin/BuildSuccessReportingServlet.java
And

https://github.com/palantir/stashbot/blob/master/src/main/java/com/palantir/stash/stashbot/util/RepoIdFetcherOperation.java

*/

Suggest an answer

Log in or Sign up to answer
This widget could not be displayed.
This widget could not be displayed.
Community showcase
Posted in Off-topic

Disney Live Action Reboots: Are you for or against?

Happy Friday Everyone! Today marks the international release of Disney's live action version of the animated classic Aladdin. I know that this movie was met with some controversy of over cast...

167 views 21 9
Join discussion

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you