Allow authenticated access on Endpoints from scripts

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Allow authenticated users to access Jira endpoints from the CLI or scripts when those endpoints are restricted through <Jira_Installation>/atlassian-jira/WEB-INF/urlrewrite.xml.

Example endpoints:

/rest/menu/latest/admin

/rest/api/2/serverInfo

Environment

Jira version 9.0 to 9.5

Diagnosis

Add the rules below to the <Jira_Installation>/atlassian-jira/WEB-INF/urlrewrite.xml file to restrict unauthenticated access to the above endpoints.

    <!-- block admin -->
    <rule>
        <from>(?s)^/rest/menu/.*/admin</from>
        <condition type="session-attribute" name="seraph_defaultauthenticator_user" operator="notequal">.+</condition>
        <set type="status">403</set>
        <to>null</to>
    </rule>

    <!-- block dashboard -->
    <rule>
        <from>(?s)^/rest/api/.*/serverInfo</from>
        <condition type="session-attribute" name="seraph_defaultauthenticator_user" operator="notequal">.+</condition>
        <set type="status">403</set>
        <to>null</to>
    </rule>

However, these rules can also block authenticated access to these endpoints when they are called from the CLI or scripts. The same endpoints continue to work in the UI for authenticated users.

    ubuntu@jira curl -v -u <username> <jira-baseurl>rest/api/2/serverInfo
    Enter host password for user '<username>':

    Request fails with status code - 403

Solution

The rules added to restrict these endpoints check a session-attribute condition. The session can be passed explicitly through the JSESSIONID cookie so that authenticated users can access these endpoints.

  • Store the JSESSIONID cookie in a cookie.txt file:

    curl -v -L -u <username> <jira-baseurl> -c cookie.txt

  • Call the required endpoint from the CLI or script, passing the cookie file:

    curl -v -L -b cookie.txt -u <username> <jira-baseurl>rest/api/2/serverInfo

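The two steps above as one script, added here as an example and not part of the original article: it confirms that the login actually stored a JSESSIONID cookie before calling the restricted endpoint, and deletes the cookie file afterwards because it holds a live session. The function names, the JIRA_BASE_URL and JIRA_USER variables and the sample jar contents are assumptions.

```sh
#!/bin/sh
# Added example; function names and the JIRA_* variables are hypothetical.

# Succeeds if curl cookie jar $1 holds a non-empty cookie named $2.
# curl writes HttpOnly cookies with a "#HttpOnly_" prefix on the domain
# field, so those lines must not be discarded as comments.
jar_has_cookie() {
    awk -F '\t' -v name="$2" '
        /^#HttpOnly_/ { sub(/^#HttpOnly_/, "") }
        /^#/ || NF != 7 { next }
        $6 == name && $7 != "" { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample jar (not captured from a real Jira instance).
write_sample_jar() {
    printf '# Netscape HTTP Cookie File\n'
    printf '#HttpOnly_jira.example.test\tFALSE\t/\tTRUE\t0\tJSESSIONID\tCONSTRUCTED0000\n'
}

# Usage: fetch_with_session <base-url-with-trailing-slash> <username> <endpoint>
# Prints the HTTP status of the endpoint call; succeeds only on 200.
fetch_with_session() {
    base=$1 user=$2 endpoint=$3
    # The jar is a session credential: mktemp creates it with mode 0600
    # and it is deleted as soon as the call is finished.
    jar=$(mktemp) || return 1
    # Step 1: authenticate and store the session cookie (curl prompts for the password).
    if ! curl -sS -L -u "$user" -c "$jar" -o /dev/null "$base" ||
       ! jar_has_cookie "$jar" JSESSIONID; then
        echo "login did not yield a JSESSIONID cookie" >&2
        rm -f "$jar"
        return 1
    fi
    # Step 2: call the restricted endpoint with the stored cookie.
    status=$(curl -sS -L -u "$user" -b "$jar" -o /dev/null \
        -w '%{http_code}' "${base}${endpoint}")
    rm -f "$jar"
    echo "$status"
    [ "$status" = 200 ]
}

# Runs only when JIRA_BASE_URL is set, e.g. https://jira.example.test/
if [ -n "${JIRA_BASE_URL:-}" ]; then
    fetch_with_session "$JIRA_BASE_URL" "$JIRA_USER" rest/api/2/serverInfo
fi
```
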
Updated on April 8, 2025
