Disabling basic authentication

Hello,

is there a way how to disable or deny basic authentication? If you use Desktop Jira Gadget or similar applications the search URL containing your username and password can be seen in Java melody monitoring, no matter if you use SSL or not because it displays decrypted requests and everyone who has access to the monitoring page can see the passwords. Is there any way how to avoid this?

Thanks and regards,

Tomas

1 answer

1 accepted

Basic auth uses headers, so I assume you're referring to authentication using the os_username and os_password query string parameters?

If you're using Apache on your front end and proxying traffic to JIRA, you can set something up to deny access to anyone or anything attempting to authenticate in this manner. Here's a small (and untested) example of how to accomplish this in an Apache vhost:

RewriteEngine on
RewriteCond %{QUERY_STRING} (.*)os_password(.*)
RewriteRule .* - [E=deny_gadget=1]

<LocationMatch ^/jira>
    Order allow,deny
    Allow from all
    Deny from env=deny_gadget
</LocationMatch>

Suggest an answer

Log in or Sign up to answer
How to earn badges on the Atlassian Community

How to earn badges on the Atlassian Community

Badges are a great way to show off community activity, whether you’re a newbie or a Champion.

Learn more
Community showcase
Published Thursday in Jira

Meet the AUG leaders of Northern Virginia

@Rachel Wright (Jira Genie), @Billy Poggi (AUG NOVA, DC), and @Dana Jansen (Confluence Queen) are just some of the folks that lead one of the world's most active Atlassian User Group (AUG)....

158 views 5 9
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you