Hi Team,
We have developed a custom-built Jira plugin in which we use the Atlassian REST Plugin module to build custom REST endpoints that access our plugin and the data stored in Active Objects.
We want to secure our REST endpoints so that there is no security impact on the data. Can you please check and guide us on how to make our endpoints more secure and vulnerability-free?
If possible, can you please attach any reference guides with which we can add more security to our REST endpoints?
I'm not sure what you are looking for here.
A REST endpoint in Jira is the same as any other endpoint - you make the call from your other system, and it'll talk back to you if you've given it the credentials needed.
If you want to make it "more secure", go ahead and code extra security into it. What are you thinking you need to do to make it more secure?
Yes, I need to make the custom-built endpoints more secure. Can you please guide me on the possible ways to do it?
I'm afraid repeating what you said before does not help explain what you think you want to do here.
What do you think you want to do to make them "more secure"? Please explain that.
Below is the code snippet that I have written to fetch data stored in Active Objects using the REST endpoint JIRA_BASE_URL + "/debug/fetch/rules".
Currently I have added one validation to check whether the user hitting the endpoint is a system admin; only if the user is a system admin is the data fetched.
Other than this, are there any other possible ways to add more security to the endpoint?
import java.util.ArrayList;
import java.util.List;

import javax.ws.rs.GET;
import javax.ws.rs.Path;

import org.codehaus.jackson.map.ObjectMapper; // Jackson 1.x as bundled with the Atlassian REST module (assumed)
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.atlassian.jira.component.ComponentAccessor;
import com.atlassian.jira.permission.GlobalPermissionKey;
import com.atlassian.jira.security.GlobalPermissionManager;
import com.atlassian.jira.security.JiraAuthenticationContext;
import com.atlassian.jira.user.ApplicationUser;

// Atlassian REST requires a class-level @Path; the method keeps the original path.
@Path("/")
public class DebugResource {
    private static final Logger log = LoggerFactory.getLogger(DebugResource.class);
    private final GlobalPermissionManager globalPermissionManager = ComponentAccessor.getGlobalPermissionManager();
    // Service that reads the fieldRules Active Objects table (the original snippet called rule.getRules()
    // on an undeclared variable that was then shadowed by the loop variable; the service name is assumed).
    private final FieldRulesService ruleService;

    public DebugResource(final FieldRulesService ruleService) {
        this.ruleService = ruleService;
    }

    @GET
    @Path("/debug/fetch/rules")
    public String fetchAllRules() {
        final JiraAuthenticationContext authenticationContext = ComponentAccessor.getJiraAuthenticationContext();
        ApplicationUser currentUser = authenticationContext.getLoggedInUser();
        boolean ifUserIsSystemAdmin = isUserSystemAdmin(currentUser);
        if (ifUserIsSystemAdmin) {
            ObjectMapper mapper = new ObjectMapper();
            String data = null;
            List<List<String>> rulesList = new ArrayList<>();
            List<fieldRules> rules = ruleService.getRules();
            for (fieldRules rule : rules) {
                List<String> ruleData = new ArrayList<>();
                ruleData.add("Rule Id : " + rule.getID());
                ruleData.add("Title : " + rule.getTitle());
                ruleData.add("projectId : " + rule.getPid());
                rulesList.add(ruleData);
            }
            try {
                data = mapper.writeValueAsString(rulesList);
            } catch (Exception e) {
                log.error("Exception occurred while fetching rules: " + e.getMessage());
            }
            log.warn(rulesList.size() + " rules stored in field Rules table are fetched");
            return data;
        }
        return "Not Authorized";
    }

    // To check if user is system admin or not (hasPermission returns false for a null/anonymous user)
    private boolean isUserSystemAdmin(final ApplicationUser currentUser) {
        return globalPermissionManager.hasPermission(GlobalPermissionKey.SYSTEM_ADMIN, currentUser);
    }
}
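As an added illustration (not the original poster's code and not part of the thread), here is a hardened variant of the same endpoint that keeps the system-admin check but changes what the caller can observe: an anonymous request gets HTTP 401 and an authenticated non-admin gets HTTP 403 instead of a 200 response with "Not Authorized" as the body, the Active Objects rows are copied into a small DTO so only the three intended fields leave the server, the response is marked no-store so admin-only data is not cached, and denied requests are logged with the caller's key for audit. The `FieldRulesService`, `FieldRule` entity type, its `getID`/`getTitle`/`getPid` return types and the package name are assumptions; the Jira classes used are the same ones the snippet above imports. Because the class is not annotated with `@AnonymousAllowed`, the Atlassian REST module already rejects unauthenticated callers, so the null check is defence in depth.

```java
package com.example.jira.rest; // package name assumed

import java.util.ArrayList;
import java.util.List;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.CacheControl;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.atlassian.jira.permission.GlobalPermissionKey;
import com.atlassian.jira.security.GlobalPermissionManager;
import com.atlassian.jira.security.JiraAuthenticationContext;
import com.atlassian.jira.user.ApplicationUser;

// No @AnonymousAllowed here: the REST module rejects anonymous callers before this code runs.
@Path("/rules")
@Produces(MediaType.APPLICATION_JSON)
public class FieldRulesResource {

    private static final Logger log = LoggerFactory.getLogger(FieldRulesResource.class);

    private final JiraAuthenticationContext authenticationContext;
    private final GlobalPermissionManager globalPermissionManager;
    private final FieldRulesService fieldRulesService; // assumed: wraps the Active Objects table

    // Constructor injection; the plugin container supplies the Jira components (assumed wiring).
    public FieldRulesResource(JiraAuthenticationContext authenticationContext,
                              GlobalPermissionManager globalPermissionManager,
                              FieldRulesService fieldRulesService) {
        this.authenticationContext = authenticationContext;
        this.globalPermissionManager = globalPermissionManager;
        this.fieldRulesService = fieldRulesService;
    }

    @GET
    public Response fetchAllRules() {
        ApplicationUser user = authenticationContext.getLoggedInUser();
        if (user == null) {
            // Anonymous caller: a real 401, not a 200 with an error string in the body.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        if (!globalPermissionManager.hasPermission(GlobalPermissionKey.SYSTEM_ADMIN, user)) {
            // Authenticated but not a system admin: 403, plus an audit line naming the caller.
            log.info("Field rules export denied for user {}", user.getKey());
            return Response.status(Response.Status.FORBIDDEN).build();
        }

        // Copy entities into a typed DTO and let the REST module serialise it; no hand-built JSON.
        List<FieldRuleDto> body = new ArrayList<>();
        for (FieldRule rule : fieldRulesService.getRules()) { // FieldRule: assumed AO entity type
            body.add(new FieldRuleDto(rule.getID(), rule.getTitle(), rule.getPid()));
        }
        log.debug("Exported {} field rules for user {}", body.size(), user.getKey());

        // Admin-only data must not be cached by the browser or any intermediate proxy.
        CacheControl noStore = new CacheControl();
        noStore.setNoStore(true);
        noStore.setNoCache(true);
        return Response.ok(body).cacheControl(noStore).build();
    }

    // Explicit response shape: only these three fields are ever returned.
    public static final class FieldRuleDto {
        private final int id;          // assumed: AO entity ID is an int
        private final String title;
        private final long projectId;  // assumed: getPid() returns a long

        FieldRuleDto(int id, String title, long projectId) {
            this.id = id;
            this.title = title;
            this.projectId = projectId;
        }

        public int getId() { return id; }
        public String getTitle() { return title; }
        public long getProjectId() { return projectId; }
    }
}
```

The two status codes matter for the calling system as much as for people: a client that checks for HTTP 200 before trusting the body would otherwise treat the literal string "Not Authorized" as data. Returning a `Response` also lets the resource set the content type and cache headers itself rather than relying on whatever the container picks for a bare `String`.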
You need to explain what you mean by "more secure" - what do you want to do that would make this call "more secure"?