How to disabled jira rest api when access anonymously

My JIRA Version 6.4.4 local installed. I want to disabled rest api if request not had basic auth or oauth token ? How can i configure this ?

3 answers

2 votes
Chris Fuller Atlassian Team Mar 27, 2016

The only REST resources that will permit access are those that are meant for anonymous access as well or that perform their own security checks.  These have to be explicitly marked with @AnonymousAllowed or they will automatically reject any anonymous request.

The ability for anonymous users to reach those REST APIs that explicitly mark themselves in this way is very important.  Some REST APIs are accessible to anonymous users if and only if you have enabled a permission scheme that permits this (for example, projects that can be browsed anonymously) or because logging in can itself be a request to the REST API, specifically this one, and disallowing that would make things like JIRA Mobile unusable.

If you want to make sure your projects are not visible to anonymous users by default, then you should check that your permission schemes are correct.  Blocking REST API access is the wrong way to tackle that problem.

I'm had project to create third party application that access JIRA api. Actually i want application have token(or basic auth) that can access all Rest API. But disabled all anonymous access to API. 

If you think set schema permission. I will check this approach. But i prefer a configuration to block all rest if anonymous try access api.

Chris Fuller Atlassian Team Mar 27, 2016

But if you block all anonymous REST API access, it will probably break JIRA.  The REST API is designed to take care of authentication itself.  Besides, your third-party application will need to use an anonymous REST endpoint to get an authentication token in the first place.

I'm just realize that api with GET that allow anonymous call. POST are must use auth token. Thanks for your time.

As far as I know, non-authorized user DO NOT have access to most of rest api by default - it should dive You error 401. Try to log out from your local instance and do some rest

We just failed a security scan because anonymous requests to the REST API allow a malicious user to enumerate valid JIRA 7.3.2 accounts, for example:

/jira/rest/api/1.0/users/picker?showAvatar=true&query=john

Is there a way to disable this by requiring authentication?

Suggest an answer

Log in or Sign up to answer
Community showcase
Asked Thursday in Jira Ops

I'm John Allspaw, Ask Me Anything about incident analysis and postmortems

I'm John Allspaw, co-founder of   Adaptive Capacity Labs, where we help teams use their incidents to learn and improve. We bring research-driven methods and approaches to drive effective inciden...

473 views 2 5
View question

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you