How to disabled jira rest api when access anonymously

Fahrur Razi March 27, 2016

My JIRA Version 6.4.4 local installed. I want to disabled rest api if request not had basic auth or oauth token ? How can i configure this ?

3 answers

2 votes
crf
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 27, 2016

The only REST resources that will permit access are those that are meant for anonymous access as well or that perform their own security checks.  These have to be explicitly marked with @AnonymousAllowed or they will automatically reject any anonymous request.

The ability for anonymous users to reach those REST APIs that explicitly mark themselves in this way is very important.  Some REST APIs are accessible to anonymous users if and only if you have enabled a permission scheme that permits this (for example, projects that can be browsed anonymously) or because logging in can itself be a request to the REST API, specifically this one, and disallowing that would make things like JIRA Mobile unusable.

If you want to make sure your projects are not visible to anonymous users by default, then you should check that your permission schemes are correct.  Blocking REST API access is the wrong way to tackle that problem.

Fahrur Razi March 27, 2016

I'm had project to create third party application that access JIRA api. Actually i want application have token(or basic auth) that can access all Rest API. But disabled all anonymous access to API. 

If you think set schema permission. I will check this approach. But i prefer a configuration to block all rest if anonymous try access api.

crf
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 27, 2016

But if you block all anonymous REST API access, it will probably break JIRA.  The REST API is designed to take care of authentication itself.  Besides, your third-party application will need to use an anonymous REST endpoint to get an authentication token in the first place.

Fahrur Razi March 28, 2016

I'm just realize that api with GET that allow anonymous call. POST are must use auth token. Thanks for your time.

0 votes
Erik Flamm March 22, 2017

We just failed a security scan because anonymous requests to the REST API allow a malicious user to enumerate valid JIRA 7.3.2 accounts, for example:

/jira/rest/api/1.0/users/picker?showAvatar=true&query=john

Is there a way to disable this by requiring authentication?

0 votes
Aleks Yenin (Polontech)
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
March 27, 2016

As far as I know, non-authorized user DO NOT have access to most of rest api by default - it should dive You error 401. Try to log out from your local instance and do some rest

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events