JSON-RPC API request returns WebSudoRequiredException on Confluence

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

 

Summary

Attempting to access administrative actions through the JSON-RPC API fails with an authentication error.

Environment

  • Confluence 7.7 and newer
  • Server or Data Center

Diagnosis

  • Authentication details are correct
  • An admin account is being used to authenticate the request
  • The request body is correct
  • You are testing an administrative request like rpc/json-rpc/confluenceservice-v2/addUserToGroup
  • The response is:

    The application was unable to serve your request: com.atlassian.confluence.rpc.WebSudoRequiredException

Cause

A change in Confluence 7.7 added a WebSudo (secure administrator session) requirement for administrative requests made through the JSON-RPC API.

Solution

Option 1 - Disable secure administrator sessions

To turn off secure administrator sessions:

  1. Go to General Configuration > Security Configuration.
  2. Select Edit.
  3. Under Secure administrator sessions, uncheck the Enable checkbox.
  4. Save your changes.

This will skip the WebSudo check and allow you to run the JSON-RPC calls successfully.

Option 2 - Use Postman's Interceptor add-on to pass the session cookies from the browser to the request in Postman

Alternatively, if you want to keep the Secure Administrator Sessions enabled on your site, then you can install Postman's browser extension called Postman Interceptor and link it to your Postman app so that cookies from the browser can be synced to Postman. Instructions can be found in Postman's documentation below:

The idea is that you must first pass the WebSudo login in the browser where Postman Interceptor is installed. When you make the JSON-RPC call via Postman, it'll pick up the cookies stored in the browser for that domain and authenticate you successfully.

Option 3 - Use REST or XML-RPC API instead of JSON-RPC

As described in the documentation, REST and XML-RPC are not affected by WebSudo. To use XML-RPC, enable it under General Configuration > Further Configuration > Remote API (XML-RPC & SOAP).
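
An added example for Option 3 (not part of the Atlassian article): the same addUserToGroup action sent over XML-RPC with Python's standard xmlrpc.client, plus a check for the JSON-RPC rejection text quoted in the Diagnosis section. The base URL, credentials and environment variable names are placeholders, the confluence2.* method names are those of Confluence's remote API v2, and Remote API (XML-RPC & SOAP) is assumed to be enabled.

```python
import os
import xmlrpc.client

# Error text quoted in the article's Diagnosis section.
WEBSUDO_MARKER = "com.atlassian.confluence.rpc.WebSudoRequiredException"


def is_websudo_rejection(body: str) -> bool:
    """True when a JSON-RPC response body carries the WebSudo rejection."""
    return WEBSUDO_MARKER in body


def add_user_to_group_request(token: str, username: str, group: str) -> str:
    """Serialize the XML-RPC call body for confluence2.addUserToGroup."""
    return xmlrpc.client.dumps((token, username, group),
                               methodname="confluence2.addUserToGroup")


def parse_boolean_response(xml: str) -> bool:
    """Decode an XML-RPC response; raises xmlrpc.client.Fault on a <fault>."""
    (result,), _ = xmlrpc.client.loads(xml)
    return bool(result)


def add_user_to_group(base_url, admin_user, admin_password, username, group):
    """Log in, add the user to the group, and always release the token."""
    if not base_url.startswith("https://"):
        # The login call carries the admin password in the request body.
        raise ValueError("refusing to send admin credentials over non-HTTPS URL")
    proxy = xmlrpc.client.ServerProxy(base_url.rstrip("/") + "/rpc/xmlrpc")
    token = proxy.confluence2.login(admin_user, admin_password)
    try:
        return bool(proxy.confluence2.addUserToGroup(token, username, group))
    finally:
        proxy.confluence2.logout(token)


if __name__ == "__main__":
    # Environment variable names are hypothetical; set them before running.
    ok = add_user_to_group(os.environ["CONFLUENCE_URL"],
                           os.environ["CONFLUENCE_ADMIN"],
                           os.environ["CONFLUENCE_PASSWORD"],
                           os.environ["TARGET_USER"],
                           os.environ["TARGET_GROUP"])
    print("added" if ok else "not added")
```
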


Last modified on Oct 26, 2021
