We’re introducing a new set of annotations for Webwork actions, servlets, REST endpoints, and filters to improve endpoint security by giving you better control over access to endpoints. These annotations have been revised to ensure that only the intended users access your application endpoints.
Starting from Jira 10.0, when no annotation is specified, only licensed users will be able to access resources. To change this, annotate all endpoints that require a lower security clearance level. You can also annotate all admin and system admin endpoints to provide tighter security measures.
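As an added illustration (not code from the Atlassian update above), here is how a plugin REST resource looks once the default described above is in force and selected methods are annotated to loosen or tighten it. It assumes the security annotations published in Atlassian's atlassian-annotations library (package com.atlassian.annotations.security: AnonymousSiteAccess, LicensedOnly, AdminOnly, SystemAdminOnly) and the javax.ws.rs JAX-RS API; the class name, paths and response bodies are hypothetical.

```java
// Added example, not part of the Atlassian product update.
// Assumptions: the annotations come from atlassian-annotations
// (com.atlassian.annotations.security) and the REST API is javax.ws.rs;
// the resource class, paths and payloads below are made up.
package com.example.jira.plugin;

import com.atlassian.annotations.security.AdminOnly;
import com.atlassian.annotations.security.AnonymousSiteAccess;
import com.atlassian.annotations.security.LicensedOnly;
import com.atlassian.annotations.security.SystemAdminOnly;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/example")
@Produces(MediaType.APPLICATION_JSON)
public class ExampleResource {

    // No annotation: under the Jira 10.0 default this method is reachable by
    // licensed users only. An integration that called it anonymously in
    // Jira 9 is now rejected (the first scenario described in the update).
    @GET
    @Path("/my-summary")
    public Response mySummary() {
        return Response.ok("{\"summary\":\"licensed users only\"}").build();
    }

    // Same clearance as the default, stated explicitly so the intent is
    // visible in code review rather than inherited silently.
    @LicensedOnly
    @GET
    @Path("/my-filters")
    public Response myFilters() {
        return Response.ok("{\"filters\":[]}").build();
    }

    // Deliberately opened to anonymous traffic. Reserve this for endpoints
    // that expose no user-specific or sensitive data; a public endpoint
    // that is missing this annotation is the second scenario in the update.
    @AnonymousSiteAccess
    @GET
    @Path("/status")
    public Response status() {
        return Response.ok("{\"status\":\"ok\"}").build();
    }

    // Tightened beyond the default: Jira administrators only.
    @AdminOnly
    @GET
    @Path("/settings")
    public Response settings() {
        return Response.ok("{\"settings\":{}}").build();
    }

    // Tightened further: system administrators only.
    @SystemAdminOnly
    @GET
    @Path("/diagnostics")
    public Response diagnostics() {
        return Response.ok("{\"diagnostics\":{}}").build();
    }
}
```

The annotations are checked by Jira's filters, not by the resource, which is why the update says the clearance level cannot be changed by a property: the decision is compiled into the class, and a change means shipping a new app version. When reviewing a plugin for the Jira 10.0 upgrade, the methods to look at first are the ones with no annotation at all, since those silently moved from whatever they allowed before to licensed users only.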
If you’re experiencing issues with accessing an endpoint, you can check if this is related to the improved endpoint security by enabling debug logs and repeating the request. Here are the loggers that you need to configure:
For REST endpoints, set com.atlassian.plugins.rest.v2.security.authentication.AuthenticatedResourceFilter to TRACE and search the logs for AuthenticatedResourceFilter.
For all other endpoints, set all of the following:
com.atlassian.jira.web.filters.annotations.ServletSecurityAnnotationsFilter
com.atlassian.jira.web.filters.annotations.JspChecker
com.atlassian.jira.web.dispatcher.JiraWebworkActionDispatcher
com.atlassian.jira.plugin.servlet.ServletModuleContainerServlet
com.atlassian.jira.web.filters.security.AccessCheckFilter
to DEBUG and search the logs for [SECURITY ANNOTATION CHECK].
There are two scenarios when this can happen:
An endpoint that should be accessible to logged-in users only was too permissive in Jira 9 and allowed anonymous traffic. By lifting the default security clearance level to logged-in users, we blocked anonymous access to such endpoints. If your integration used such an endpoint without proper authentication, you'll need to update it.
An endpoint that should be accessible to anonymous users has been overlooked during the update (by Atlassian or an app vendor) and now blocks anonymous access. In this case, either Jira itself or the app needs to be fixed: contact Atlassian Support or the Marketplace app developer, depending on the endpoint type. If the app is developed in-house by your organisation, you can refer to our guide that will help you prepare your Data Center app to comply with secure endpoint defaults.
Unfortunately, for security reasons, there is no way to change the security clearance level without recompiling code, so fixing requires a new Jira or app version and can't be adjusted by a property.