My JIRA Version 6.4.4 local installed. I want to disabled rest api if request not had basic auth or oauth token ? How can i configure this ?
The only REST resources that will permit access are those that are meant for anonymous access as well or that perform their own security checks. These have to be explicitly marked with @AnonymousAllowed
or they will automatically reject any anonymous request.
The ability for anonymous users to reach those REST APIs that explicitly mark themselves in this way is very important. Some REST APIs are accessible to anonymous users if and only if you have enabled a permission scheme that permits this (for example, projects that can be browsed anonymously) or because logging in can itself be a request to the REST API, specifically this one, and disallowing that would make things like JIRA Mobile unusable.
If you want to make sure your projects are not visible to anonymous users by default, then you should check that your permission schemes are correct. Blocking REST API access is the wrong way to tackle that problem.
I'm had project to create third party application that access JIRA api. Actually i want application have token(or basic auth) that can access all Rest API. But disabled all anonymous access to API.
If you think set schema permission. I will check this approach. But i prefer a configuration to block all rest if anonymous try access api.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
But if you block all anonymous REST API access, it will probably break JIRA. The REST API is designed to take care of authentication itself. Besides, your third-party application will need to use an anonymous REST endpoint to get an authentication token in the first place.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I'm just realize that api with GET that allow anonymous call. POST are must use auth token. Thanks for your time.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
We just failed a security scan because anonymous requests to the REST API allow a malicious user to enumerate valid JIRA 7.3.2 accounts, for example:
/jira/rest/api/1.0/users/picker?showAvatar=true&query=john
Is there a way to disable this by requiring authentication?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
As far as I know, non-authorized user DO NOT have access to most of rest api by default - it should dive You error 401. Try to log out from your local instance and do some rest
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.