I have a task to create a Jira (Server) project report and then create an address which will allow for anonymous access to this report.
So far I have done some research an I got few ideas which are based on using the os_username=testUsername and os_password=the_password attributes attached to the URL.
The problem with this solution is the security. My Jira is working over https and sharing a plain text access to a user is a no go.
I already have spoken with our Unix admins and they proposed to create an address (jira.com/reportA) link which will direct traffic to Apache server which will then translate it into a proper Jira report address (jira.com/secure/report?os_username=user&os_password=password)
But this poses another security threat - if someone opens the link, such person will be logged in and have all the freedom to navigate in Jira. This is another no go.
So I'm now thinking about couple possible solutions:
- Find a way to somehow tell Jira, not to keep the session when users are using the report link
- Create a separate address for accessing any report which will have sessionTimeout (https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_BIO_and_NIO) parameter set to zero seconds. I assume this will drop the session right away and a user will have to click on the link to view the report again.
- Digging into Apache configuration and limiting access to a specific page when user is accessing Jira via the report link.
What do you guys think?
I will appreciate you thoughts!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.