You're on your way to the next level! Join the Kudos program to earn points and save your progress.
Level 1: Seed
25 / 150 points
1 badge earned
Challenges come and go, but your rewards stay with you. Do more to earn more!
What goes around comes around! Share the love by gifting kudos to your peers.
Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!
Join now to unlock these features and more
JIRA'a API allows for basic auth. Right now I am in the middle of rolling out a new JIRA install onto Azure, and that is making the security team uneasy. For one thing, it allows anyone to bypass MFA. We have a plugin that enables MFA when you log into JIRA through a browser, but if you say curl against the server with a username and password it bypasses MFA.
So far the best workaround I have come up with is putting an Apache Proxy in front of JIRA, and in that Proxy I am using this rule:
RequestHeader unset Authorization
And that works, in a roundabout way. API requests are still passing through to JIRA, they just come through as anonymous, so as long as people follow good practices with their permission schemes people shouldn't be able to get or change any data through basic auth API calls.
But something about that method just feels like a hackish workaround. I feel like there has to be a more elegeant way to accomplish this goal. Now I am a JIRA SME, not really an Apache SME. I have used Apache in the past when I was a web developer, but it's never been my primary job focus and I wouldn't consider myself an expert. And as for the Azure end of things, we have an infrastructure person that's handling that. She's investigating anything on the Azure end (Azure API Management, for example) that might work.
But in the meantime I thought I would reach out to the community and see if anyone had any ideas. We can't be the first team that's had this concern, so I am hoping someone else has already solved this issue for me.