Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Interests
See all
Community resources
Top groups
Explore all groups
Community resources
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Join now to unlock these features and more

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Get started Tell me more
Atlassian Community about banner
4,559,515
Community Members
 
Community Events
184
Community Groups

Security Issues on WebHooks

Taryck BENSIALI
Taryck BENSIALI Feb 04, 2018

Hi,

I start sudying the opportunities of the webhook on Jira.

While this features is describe has a great change, I realize that there is no information on authentification. I mean a callback is made on an URL but nothing is done to provide credential to ensure the identity of the URL Caller.

 

After few search I found this issues : JRASERVER-31953 : Not being able to create webhooks with basic authentication

While it's open from 3 years now, no change.

 

Does anyone has a REAL and SECURE workaround ?

I expect each calback call provide a certificate to authentify the caller.

The only solution I've got is to :

  1. creating some proxy code on the tomcat on which runs JIRA
  2. Ensure this proxy only accept calls from it self (may be listening to IP 127.0.0.1)
  3. Map URL where he listen to remote URL and Add certificate to the call

It's quite ugly, but because Atlassion doesn't provide any suitable solution it required.

Does anyone has done this and could share the result ?

Does anyone has a better solution ?

 

Comment
Watch
Like George Mihailoff likes this
4051 views

3 comments

Thomas Deiler
Thomas Deiler
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
Feb 05, 2018

Dear @Taryck BENSIALI,

I have not yet needed webhooks that much, but you are totally right. I would realize it the same way you described - proxy the calls to add security.

So long

Thomas

Like
Taryck BENSIALI
Taryck BENSIALI Feb 06, 2018

Thanks, I work for military companies, where security is really a fundamental matter.

I'm not sure they will accept such a solution because communication between JIRA and proxy could be fake by any code that run on tomcat.

Like pancudaniel7 likes this
Reply
Taryck BENSIALI
Taryck BENSIALI Feb 06, 2018

I wondering if it's possible to build an add-on / Plufg-in for Jira that recieve internal event that are processed by the webhook, and send them on a callback maner (like webhooks do) BUT with authentication :

  • Basic : user + pwd (not in URL)
  • Certificat X509 on HTTP header

Because after waiting for 3 years for Atlassian to add security to webhook, it's time to accept they will never do anything and do something to secure the webhooks...

Like
Thomas Deiler
Thomas Deiler
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
Feb 06, 2018

Dear @Taryck BENSIALI, that's a matter of resources and which requirements are loved by the mass. To be honest, I think this fine mechanism of web hooks is only used by a few installations.

But back to your security problem. I understand your environment and its needs. If a man in the middle attack is possible you can do following:

Write on an isolated system your own service, that communicants with Jira over SSL secured REST API. Then this service can also fully implement another secure call to a web server or even something different like a direct DB access.

You have to care about a polling mechanism. The service has to ask Jira for changes, nothing is triggered automatically. If you can wait from the event to "some" action for a couple of seconds, then this should work for you.

If done with some lines of PHP/Python code, I would say this is done in 1-2 days. In high-level languages (Java/C++), this could take a little bit longer, but not at all a too big deal.

So long

Thomas

Like
Taryck BENSIALI
Taryck BENSIALI Feb 07, 2018

Well, I've developed on SAP connection to REST API. It's quite simple if we solve the "customfield" question. I haven't explored much web hook be I do not get suitable situation, until today.

However polling JIRA from time to time to be informed on change is not a great architecture solution. Using WebHooks is the solution if we could get something secured.

When on such situation you've got to make communicate 2 softwares you can't ask to IT department to add a new one just is juste... unaceptable.

I just expect web hook to works as it should be. I do not know enought of JIRA API to know if we can create an add-on that will intercept the change events and make a URL callback but with authentification (Basic and then X509 certicates)...

 

If you know which JIRA API could be used for that it will be a great information. :-)

Like Lisbeth Hedlund likes this
Thomas Deiler
Thomas Deiler
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
Feb 07, 2018

Dear @Taryck BENSIALI,

you have to do first a search. The posted JQL should look like this:

project = XYZ AND status = <status, where you triggered the webhook> AND custom_field_ABC = "new"

The custom field is a flag for marking issues you already have processed. Set by the workflow to "new".

Then you just have to extract the issue information of your choice and send one (own) web hook to somewhere else. After the send you modify the issue, setting the custom field to something different or NULL.

So long

Thomas

Like
Taryck BENSIALI
Taryck BENSIALI Feb 10, 2018

I understand, but it's quite unacceptable to modify project/template by creating a new field in order to get a delta list.

If we need to think on such solution I rather go to the Database it self and search for change timestamp and make my own delta list.

I think proxy still the best option If JIRA Java API doesn't have any thing on webhook.

Like
Like
Anthony France
Anthony France Aug 22, 2018

>t, I think this fine mechanism of web hooks is only used by a few installations.

 

That's because we CAN'T use them with anything, almost every provider I know of that can consume webhooks requires some sort of authentication... 

Like # people like this
Reply
Gabriel Moysés Delfino
Gabriel Moysés Delfino Sep 05, 2018

Hi @Taryck BENSIALI

I'm facing this same problem right now. The suggestion (https://jira.atlassian.com/browse/JRASERVER-31953?_ga=2.151913724.456297363.1536177229-2028571475.1533578870) is still not being considered. Therefore, I ask you, could you manage to find a better solution or are you still using the proxy running on TomCat? Does it work satisfactorily?

 

Respectfully,

Gabriel Delfino

Like
Taryck BENSIALI
Taryck BENSIALI Sep 06, 2018

Hi,

We do not implement this workaround (unaceptable for security reason).

But I recieve the info (I do not remember where) that basic authentification is now supported.

I hope it's helps.

Like
Reply

Comment

Log in or Sign up to comment
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

See all events