Disabling basic authentication

Hello,

is there a way how to disable or deny basic authentication? If you use Desktop Jira Gadget or similar applications the search URL containing your username and password can be seen in Java melody monitoring, no matter if you use SSL or not because it displays decrypted requests and everyone who has access to the monitoring page can see the passwords. Is there any way how to avoid this?

Thanks and regards,

Tomas

1 answer

1 accepted

Accepted Answer
0 votes

Basic auth uses headers, so I assume you're referring to authentication using the os_username and os_password query string parameters?

If you're using Apache on your front end and proxying traffic to JIRA, you can set something up to deny access to anyone or anything attempting to authenticate in this manner. Here's a small (and untested) example of how to accomplish this in an Apache vhost:

RewriteEngine on
RewriteCond %{QUERY_STRING} (.*)os_password(.*)
RewriteRule .* - [E=deny_gadget=1]

<LocationMatch ^/jira>
    Order allow,deny
    Allow from all
    Deny from env=deny_gadget
</LocationMatch>

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Sep 18, 2018 in Jira

What modern development practices are at the heart of how your team delivers software?

Hey Community mates! Claire here from the Software Product Marketing team. We all know software development changes rapidly, and it's often tough to keep up. But from our research, we've found the h...

22,369 views 2 7
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you