Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions
Community
Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning Events Champions
Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning Events Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Velocity Method Allowlist Issue After Jira 10.5.x Upgrade – Need Generic Solution for Plugins Using

sainath
sainath August 19, 2025

Hi Atlassian Community,

We recently upgraded our Jira Data Center instance from version 10.4. x to 10.5.x, and we are now facing issues with rendering velocity templates in our custom plugin (ARNR Plugin) using com.atlassian.templaterenderer.TemplateRenderer.

Previously, everything worked fine. But after the upgrade, we are encountering method invocation blocked warnings like below:

Invocation blocked as method is not allowlisted: com.amoeboids.apps.arn.service.common.StaticResourceProviderImpl#getResourcePath(java.lang.String)
Invocation blocked as method is not allowlisted: com.amoeboids.apps.arn.service.common.I18nImpl#getText(java.lang.String)

These are coming from Velocity templates that we use for UI and email content rendering. We have over 40 velocity templates referencing numerous Java methods across various classes. While we understand the introduction of stricter security and the use of <velocity-allowlist> in atlassian-plugin.xml Managing and manually whitelisting each method is not scalable for a large plugin like ours.

We applied a workaround using:

 <velocity-allowlist key="arnr-velocity-allowlist" name="ARNR Velocity Allowlist" state="enabled"> 
    <method>com.amoeboids.apps.arn.service.common.StaticResourceProviderImpl#getResourcePath(java.lang.String)</method> 
    <method>com.amoeboids.apps.arn.service.common.I18nImpl#getText(java.lang.String)</method>
</velocity-allowlist>

But this means we now have to track and explicitly list each method used in all templates, which is error-prone and adds significant overhead.

Ask:

Is there a generic or recommended approach for plugin developers to:

  • Allowlist all methods of a specific class?

  • Allowlist all velocity method invocations from within the plugin?

  • Bypass the restriction for trusted internal plugins?

Or is there any Atlassian-supported alternative to simplify the allowlist configuration for large-scale usage of Velocity templates?

Answer
Watch
Like Sujeet Pathak likes this
191 views

1 answer

0 votes
Benjamin
Benjamin
Community Champion
August 26, 2025

HI @sainath ,

 

Looking through the Atlassian docs, didn't see any type of alternatives. This was announce back in 10.0.x that this would be coming and happen to be in 10.5.x. Base on the release notes, Atlassian just set the debug to false by default. Just need to set it to true and the allow list enforcement will be disable -https://confluence.atlassian.com/jirasoftware/jira-software-10-5-x-release-notes-1527939755.html 

Although, you will still get errors but you will be able to proceed and scale as needed. Continue to keep in mind the security. 


-Ben

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
DEPLOYMENT TYPE
SERVER
VERSION
10.6.1
PRODUCT PLAN
STANDARD
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Notice at Collection Terms Security