XSRF error in the workflow after calling a REST API in JIRA 8.13.0

Deleted user December 11, 2020

Hello Community,
It's been a while since I've posted but I need your help.


I have a custom plugin that includes a custom field type that gets data from a REST API and displays it on the field. The plugin has been working for years until upgrading to JIRA 8.13.0. During the upgrade test, the REST API call works when the field is displayed on the view screen, but when I update the issue status in the view screen, I get an XSRF Security Token Missing error. The error consistently occurs in multiple browsers.

Error message displayed on the screen:

Jira could not complete this action due to a missing form token.
You may have cleared your browser cookies, which could have resulted in the expiry of your current form token. A new form token has been reissued.
Request URL: /secure/WorkflowUIDispatcher.jspa
The original input has been captured and you can retry the operation.

Error in log:

http-nio-8080-exec-37 url:/secure/WorkflowUIDispatcher.jspa username:myusername url:/secure/XsrfErrorAction.jspa username:myusername INFO myusername 999x36108x1 1bwk9qq 141.131.79.17 /secure/WorkflowUIDispatcher.jspa [c.a.j.web.action.XsrfErrorAction] The security token is missing for 'myusername'. User-Agent : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.67 Safari/537.36'

Here is my code.
On the velocity template, I call a method from a custom class called velocityUtil that I inject into the velocity context.

$velocityUtil.getRESTOptions($issue,$customField)

getRESTOptions then does some prep work and calls another class that executes the rest api call, processes the data and returns the object I want. 

HashMap<String, String> restData = util.callRAPI(issue, field);


This is the RAPI Call code, using the org.glassfish.jersey.core.jersey-client dependency

HttpServletRequest request = ExecutingHttpRequest.get();
Client client = Client.create();
// The RAPI end point is hosted in the same JIRA instance.
WebResource webResource = client.resource(restURL);

// Authenticate using the user session
String jsessionid = CookieUtils.getCookieValue("JSESSIONID", request);
String cookieAuth = "JSESSIONID=" + jsessionid;

// Execute call
ClientResponse response = webResource.header("Cookie", cookieAuth).accept(MediaType.APPLICATION_JSON).get(ClientResponse.class);

If I comment out the ClientResponse code line, the XSRF errors disappear, but then the fields don't work. Could it be that the REST API call is changing the token on the server, which then invalidates the token in the view screen?

I have tried multiple things to resolve the error but none have worked. Here is what I have tried:

1. Adding the setHeader("X-Atlassian-Token", "no-check"). Yes, I tried "nocheck" and "no-check"

2. Adding the setHeader("Origin", "http://somethinghere.com")

3. Using a different HTTP client class

4. Appending the atl_token from the velocity template as part of the REST API URL

At this point, I am not sure how to proceed. Does anyone have a suggestion on how to fix this?

I hope all of that is clear. Let me know if you have any questions.

1 answer

0 votes
Thomas Deiler
Community Champion
December 11, 2020

Dear @[deleted] ,

just to complete the row of used headers. Have you tried to set:

BasicHeader AcceptHeader = new BasicHeader("accept", "application/json");

So long

 Thomas

Deleted user December 21, 2020

Thanks for the recommendation. I do have it already included in the last line of code. Still no difference.

response = webResource.header("Cookie", cookieAuth).accept(MediaType.APPLICATION_JSON).get(ClientResponse.class);

DEPLOYMENT TYPE
SERVER
VERSION
8.13.0