Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Cross Origin Resource Sharing with JIRA REST API and Javascript

Michael Beasley
Michael Beasley
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
July 12, 2012

I'm trying to create a web-based issue submission form outside of the JIRA UI (on another local server). I'm attempting to connect to the REST API use javascript and common AJAX methods. When I simply put the API url in a browser address bar, I get the expected JSON returned.

But when I attempt to access the same URL via AJAX, I get 

XMLHttpRequest cannot load http://mylocalurl:8008/rest/api/2/priority. Origin http://mylocalurl is not allowed by Access-Control-Allow-Origin.

I believe this to be a cross origin resouce sharing issue with the JIRA servet, but I'm not sure how to rectify it in TomCat. Here's some more info on CORS if it helps: http://enable-cors.org/

Any help would be greatly appreciated. Thanks in advance!

Answer
Watch
Like # people like this
40252 views

7 answers

1 accepted

7 votes
Answer accepted
Michael Beasley
Michael Beasley
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
July 31, 2012

So I eventually found a solution. Kind of a pain though.

  1. First, you have to download, install and configure this CORS filter for the Tomcat server: http://software.dzhuvinov.com/cors-filter.htm
  2. You'll have to add some XML to your server config to permit access to various paths associated with the REST API: 
    <filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/rest/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/plugins/*</url-pattern>
</filter-mapping>

    You could, instead, just put * and allow access to the entire server, on all paths.

  3. I had to configure the JIRA CORS filter to permit Authorization type headers. This was to address a "bug" in Chrome (I would say it's less of a bug and more of a web standard that Chrome follows that no one else does...). 
    <init-param>
    <param-name>cors.supportedHeaders</param-name>
    <param-value>Origin, Accept, Authorization, Content-Type, X-Requested-With</param-value>
</init-param>
  4. Lastly, just make sure that the CORS filter is configured to allow the various http methods that you intend to use. I think OPTIONS is a method that is used in some browsers to authorize the request and you should have it enabled.

I'm a little frustrated with the fact that JIRA has a REST API for remote access to the server, but doesn't permit CORS. I think that that should be incorporated.

Anyhow, good luck.

View More Comments
Rahul Aich [Nagra]
Rahul Aich [Nagra]
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
January 21, 2014

@Michael: Is this solution applicable to JIRA standalone installations?

Rahul

Like
Laszlo Kremer
Laszlo Kremer
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 4, 2014

If you found a solution to a problem, please provide well-written resolution. If you write "add some XML" then please tell us which files should be affected, and knowing that the web.xml has a lot of warnings that you shouldn't change several parts of it, please tell us the exact locaton of the file where you put the filters. Some of us is only asked to enable CORS, but never messed with the web.xml.

Like Upasna_Bassi likes this
Laszlo Kremer
Laszlo Kremer
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 5, 2014

How to do it: * download the cors-filter-2.1.2.jar and java-property-utils-1.9.1.jar from http://software.dzhuvinov.com/cors-filter-installation.html * copy them under JIRA\atlassian-jira\WEB-INF\lib\ on your JIRA server * open JIRA\atlassian-jira\WEB-INF\web.xml and add these lines *after </description> but before <!-- Filters -->* <filter> <filter-name>CORS</filter-name> <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class> <init-param> <param-name>cors.supportedHeaders</param-name> <param-value>Accept, Authorization, Origin, Content-Type, X-Requested-With</param-value> </init-param> </filter> <filter-mapping> <filter-name>CORS</filter-name> <url-pattern>/rest/*</url-pattern> </filter-mapping> * Restart your JIRA server This *will* work, and can be a good starting point if you only need to enable on a JIRA server. It will not work between applications which do have application link between them eg.: JIRA and Confluence can have Application link between them, but if they have, you will not be able to run CORS request from Confluence to JIRA via a html macro as JIRA will respond twice as discussed here: https://answers.atlassian.com/questions/222396?src=search

Like Serhan Ekinci likes this
Yagnesh Bhat
Yagnesh Bhat April 4, 2016

@Laszlo Kremer, your above comment really helped , but i get this error when I try to make more ajax calls from HipChat dialog: XMLHttpRequest cannot load https://<my JIRA server>/rest/get-jira-user-from-email/1.0/getJiraUserFromEmailId?useremail=jirauser%40company.com. The 'Access-Control-Allow-Origin' header contains multiple values 'https://<my JIRA server>:3000, https://<my JIRA server>:3000', but only one is allowed. Origin 'https://<my JIRA server>:3000' is therefore not allowed access.

Like # people like this
Simon Tost _TNG_
Simon Tost _TNG_
Contributor
July 21, 2017

@Michael Beasley: Your frustration can be tracked here: https://jira.atlassian.com/browse/JRASERVER-59101

Like
Reply
7 votes
justin.reherman
justin.reherman
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
June 12, 2013

I use Apache, running on the same host, as a proxy.

(for port 80 and 443 functionality. See: Integrating JIRA with Apache)

This effectivly breaks the advice given above. Until Atlassian enables support for CORS, I had to make a change to Apache instead of JIRA.

First: enable the headers module.

a2enmod headers

Then, in the vhost configuration:

Header set Access-Control-Allow-Origin "*"

Then restart/reload Apache for the changes to take effect.

You can replace"*" with whatever origin you would like to allow.

Note that in my situation I didn't have to make any change to the JIRA installation because the Apache Proxy lives on the same host as JIRA

View More Comments
Christian
Christian
Contributor
May 4, 2014

Hey Justin,

thank you for this advice it was very helpful. I just had to add the Access-Control-Allow-Headers to connect JIRA (6.2.3) with Confluence (5.5).

Header set Access-Control-Allow-Origin "https://jira.example.com"
Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept"

Like
Piyush_Annadate
Piyush_Annadate
Contributor
November 28, 2016

which one should I really go for: Apache method by Justin or Laszlo?

 

note: my JIRA is server and Tomcat is present

Like
Piyush_Annadate
Piyush_Annadate
Contributor
November 28, 2016

Also - new to this: how to "I had to make a change to Apache instead of JIRA."?

Like
Reply
5 votes
Thomas Maldoner
Thomas Maldoner
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
April 24, 2017

Hi there.

First of all, thanks for the hints to CORS Filter - i guess i wouldnt have solved it on my own.

Anyway it took me some time to get it to work also with CORS filter so id like to summmarize what was needed to me:

  • Install CORS Filter like described above in /WEB-INF/lib (downloaded from https://mvnrepository.com/artifact/com.thetransactioncompany/cors-filter/2.5)
  • Configured web.xml - see below
  • Added Origin to JIRA Whitelist
  • Now i had some duplicated Headers in HTTP Response
  • I removed those on Apache Virtualhost which i use with ProxyPass for Tomcat
  • Set XMLHttpRequest.withCredentials to "true" on my client

    Apache Virtualhost:
SetEnvIf Origin "http(s)?://(www\.)?(.+)$" AccessControlAllowOrigin=$0
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials "true"


Read "Header set" as "Remove duplicated Headers and add it a single time". Why i dont use "*" instead of dynamic Origin here? Its not allowed to combine "*" with XMLHttpRequest.withCredentials.

I think it could be left like this because if you remove Origin from JIRA Whitelist you end up with an 403 response.

web.xml Config:

<filter>
<filter-name>CORS</filter-name>
<filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
<init-param>
<param-name>cors.supportedHeaders</param-name>
<param-value>Accept, Authorization, Origin, Content-Type, X-Requested-With, Cookie</param-value>
</init-param>
<init-param>
<param-name>cors.supportedMethods</param-name>
<param-value>GET, POST, OPTIONS, PUT, HEAD</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CORS</filter-name>
<url-pattern>/rest/*</url-pattern>
</filter-mapping>

You dont need cors.allowedOrigins here because it will be set from JIRAs Whitelist.

In the end it took me about 12 hours including research to get JIRA REST Api to work with my Angular frontend. All of what i found out and what dozens of other developers researched before me could be built in or at very least be documented by Atlassian team especially because JIRA is packaged with Tomcat if you order a standalone version.

Its not only me trying to get this to work - over the last 3 days i found more than 30 reports on official atlassian community, asking for help.

This is kind of underwhelming.

Cheers Ben

View More Comments
pageflourin
pageflourin July 12, 2017

Hi,

may i ask assistance on how i can modifiy these file when i only have CLI?

Like
Reply
1 vote
Trevor Reed
Trevor Reed October 18, 2016

This might be helpful, but I'm still having problems with preflight CORS requests.

https://confluence.atlassian.com/adminjiraserver071/configuring-the-whitelist-802593145.html

Reply
1 vote
Andriy Zhdanov
Andriy Zhdanov
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 6, 2012

I've asked for CORS support in JIRA: JRA-30371

View More Comments
Simon Tost _TNG_
Simon Tost _TNG_
Contributor
July 21, 2017

Which was answered with: already present.
The suggestion was then cloned into JRASERVER-65362.

In parallel there is a Bug JRASERVER-59101

Like
Reply
0 votes
Jonathan Yahoo
Jonathan Yahoo July 31, 2012

thanks Michael, I realise now just how far short I was of getting this to work.

I'm going to look into moving my app into Jira as a plugin so as to avoid the CORS dependency.

much obliged,

Jonathan

Reply
0 votes
Jonathan Yahoo
Jonathan Yahoo July 31, 2012

I have the same issue. I'm using ExtJS to consume the JSON, I think I've done everything at the javascript end to permit CORS but still no joy, so I suspect I need to get JIRA to issue a header along the lines of:

Access-Control-Allow-Origin: *

How do I get the JIRA web container to do this ?

anyone?


Reply

Suggest an answer

Log in or Sign up to answer
Product apps
Apps & Integrations
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.