Last updated Apr 11, 2024

Prepare your Data Center app to comply with secure endpoint defaults

We've made access changes to improve default endpoint security. It's important to understand these changes and plan your annotations accordingly to ensure your endpoints remain secure and accessible to the intended users.

The following list provides updated access criteria annotations, including their behavior and impact on access to resources:

  • AdminOnly permits resource access only to users with assigned admin privileges.

  • AnonymousSiteAccess permits resource access if the current user meets at least one of the following criteria:

    • Unauthenticated, and anonymous access is enabled for the site.
    • Authenticated, and limited unlicensed access is enabled for the site.
    • Authenticated and assigned a product license.

  • LicensedOnly permits resource access only to users assigned a product license.

  • SystemAdminOnly permits resource access only to users assigned system admin privileges.

  • UnlicensedSiteAccess permits resource access if the current user meets either of the following criteria:

    • Authenticated, and limited unlicensed access is enabled for the site.
    • Authenticated and assigned a product license.

  • UnrestrictedAccess permits complete, unrestricted access. It allows unauthenticated access irrespective of whether the site has enabled anonymous access.

Overview of changes

Previously, REST resources without access criteria annotations would accept requests from any authenticated user by default. The following changes apply starting from Jira Software 10.0, Jira Service Management 6.0, Confluence 9.0, Bitbucket 9.0, Bamboo 10.0, and Crowd 6.0. From these versions, only licensed users will have access to such resources, mirroring the behavior of the @LicensedOnly annotation. To grant access to unlicensed users, you can use the @UnlicensedSiteAccess annotation.

Additionally, resources annotated with @AnonymousAllowed will experience a change. This annotation will no longer allow open access. In RESTv2, this annotation becomes unrecognised and behaves as if it were unannotated, as described earlier. To permit unauthenticated access, you'll need to use the @AnonymousSiteAccess annotation. For resources intended to be fully open access, use the @UnrestrictedAccess annotation instead.

This update also extends to Servlet and Servlet Filter endpoints, defined using the servlet and servlet-filter module descriptors. Previously, these endpoints accepted requests without enforcing any authentication. However, from Jira Software 10.0, Jira Service Management 6.0, Confluence 9.0, Bitbucket 9.0, Bamboo 10.0, and Crowd 6.0, only licensed users can access these endpoints by default. This behaviour is identical to the current @LicensedOnly annotation. To permit access for unlicensed users, you need to use the @UnlicensedSiteAccess annotation. The @AnonymousSiteAccess, @UnrestrictedAccess, @AdminOnly and @SystemAdminOnly annotations can also be applied.

An important update has been made for security annotations. In the past, they were defined within the REST project under the package com.atlassian.plugins.rest.common.security. Now, these annotations have been moved to com.atlassian.annotations.security for use in non-REST contexts. For REST resources, both sets of annotations will be accepted for the duration of Platform 7. However, for non-REST endpoints, the annotations in com.atlassian.annotations.security must be used.

Example

For an endpoint declared using:

<servlet key="exampleServlet" class="com.atlassian.plugins.servlet.scope.ExampleServlet">
    <url-pattern>/example</url-pattern>
</servlet>

With the class ExampleServlet:

import java.io.IOException;
// Servlet API imports (assumed: the javax.servlet API used by Data Center plugins)
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// No access annotation at class or method level: the endpoint defaults to @LicensedOnly
public class ExampleServlet extends HttpServlet {
    @Override
    protected void doGet(final HttpServletRequest req, final HttpServletResponse resp) throws IOException {
        ...
    }
}

If no method-level or class-level security annotation is found, the endpoint defaults to enforcing @LicensedOnly access. If this is not desired, security annotations must be added at either the class or the method level. Example:

// The access annotations now live in com.atlassian.annotations.security,
// which is the package that must be used for non-REST endpoints such as this servlet
import com.atlassian.annotations.security.AnonymousSiteAccess;
import com.atlassian.annotations.security.SystemAdminOnly;
import java.io.IOException;
// Servlet API imports (assumed: the javax.servlet API used by Data Center plugins)
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Class-level annotation: applies to every handler that has no annotation of its own
@AnonymousSiteAccess
public class ExampleServlet extends HttpServlet {
    // GET is governed by the class-level @AnonymousSiteAccess
    @Override
    protected void doGet(final HttpServletRequest req, final HttpServletResponse resp) throws IOException {
        ...
    }

    // POST carries its own annotation and is restricted to system admins
    @Override
    @SystemAdminOnly
    protected void doPost(final HttpServletRequest req, final HttpServletResponse resp) throws IOException {
        ...
    }
}

Classes defined by third-party libraries cannot be annotated directly; extend them in your plugin so that the subclass can carry the required annotations.

Be explicit: annotations are not inheritable, which keeps precedence unambiguous, so each servlet or filter class (or method) must declare its own access criteria.
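Because annotations are not inherited and an unannotated handler silently falls back to @LicensedOnly, a plugin can audit its own servlet and filter classes at build time. The following check is an added example, not code from this page or from Atlassian; it assumes only the annotation classes in com.atlassian.annotations.security named above, and it uses getDeclaredAnnotation so that, like the platform, it gives no credit for an annotation declared on a superclass.

```java
import com.atlassian.annotations.security.AdminOnly;
import com.atlassian.annotations.security.AnonymousSiteAccess;
import com.atlassian.annotations.security.LicensedOnly;
import com.atlassian.annotations.security.SystemAdminOnly;
import com.atlassian.annotations.security.UnlicensedSiteAccess;
import com.atlassian.annotations.security.UnrestrictedAccess;

import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Audit helper (hypothetical name): lists handlers that would silently default to @LicensedOnly. */
public final class AccessAnnotationAudit {
    // The six access criteria annotations listed on this page, in their new package.
    private static final List<Class<? extends Annotation>> ACCESS_ANNOTATIONS = Arrays.asList(
            AdminOnly.class, AnonymousSiteAccess.class, LicensedOnly.class,
            SystemAdminOnly.class, UnlicensedSiteAccess.class, UnrestrictedAccess.class);

    // getDeclaredAnnotation only sees annotations written on this class itself, never on a
    // superclass: that matches the platform rule that access annotations are not inheritable.
    private static boolean declaresAccessAnnotation(Class<?> type) {
        return ACCESS_ANNOTATIONS.stream().anyMatch(a -> type.getDeclaredAnnotation(a) != null);
    }

    private static boolean declaresAccessAnnotation(Method method) {
        return ACCESS_ANNOTATIONS.stream().anyMatch(a -> method.getDeclaredAnnotation(a) != null);
    }

    /**
     * Returns "ClassName#method" for every doXxx handler (doGet, doPost, doFilter, ...) that this
     * class declares itself and that is covered neither by a class-level nor by a method-level
     * access annotation. An empty list means every handler states its access criteria explicitly.
     */
    public static List<String> findImplicitlyLicensedHandlers(Class<?> endpointClass) {
        List<String> findings = new ArrayList<>();
        boolean coveredByClass = declaresAccessAnnotation(endpointClass);
        for (Method method : endpointClass.getDeclaredMethods()) {
            boolean isHandler = method.getName().startsWith("do");
            if (isHandler && !coveredByClass && !declaresAccessAnnotation(method)) {
                findings.add(endpointClass.getSimpleName() + "#" + method.getName());
            }
        }
        return findings;
    }
}
```

Call it from a unit test for each class referenced by a servlet or servlet-filter module descriptor and fail the build when the returned list is not empty; a handler that should default to licensed access can then be annotated @LicensedOnly explicitly so that the intent is visible.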
