Disabling basic authentication


is there a way how to disable or deny basic authentication? If you use Desktop Jira Gadget or similar applications the search URL containing your username and password can be seen in Java melody monitoring, no matter if you use SSL or not because it displays decrypted requests and everyone who has access to the monitoring page can see the passwords. Is there any way how to avoid this?

Thanks and regards,


1 answer

1 accepted

Basic auth uses headers, so I assume you're referring to authentication using the os_username and os_password query string parameters?

If you're using Apache on your front end and proxying traffic to JIRA, you can set something up to deny access to anyone or anything attempting to authenticate in this manner. Here's a small (and untested) example of how to accomplish this in an Apache vhost:

RewriteEngine on
RewriteCond %{QUERY_STRING} (.*)os_password(.*)
RewriteRule .* - [E=deny_gadget=1]

<LocationMatch ^/jira>
    Order allow,deny
    Allow from all
    Deny from env=deny_gadget

Suggest an answer

Log in or Join to answer
Community showcase
Sarah Schuster
Posted Jan 29, 2018 in Jira

What are common themes you've seen across successful & failed Jira Software implementations?

Hey everyone! My name is Sarah Schuster, and I'm a Customer Success Manager in Atlassian specializing in Jira Software Cloud. Over the next few weeks I will be posting discussion topics (8 total) to ...

3,227 views 14 19
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot