Hello,
is there a way how to disable or deny basic authentication? If you use Desktop Jira Gadget or similar applications the search URL containing your username and password can be seen in Java melody monitoring, no matter if you use SSL or not because it displays decrypted requests and everyone who has access to the monitoring page can see the passwords. Is there any way how to avoid this?
Thanks and regards,
Tomas
Basic auth uses headers, so I assume you're referring to authentication using the os_username and os_password query string parameters?
If you're using Apache on your front end and proxying traffic to JIRA, you can set something up to deny access to anyone or anything attempting to authenticate in this manner. Here's a small (and untested) example of how to accomplish this in an Apache vhost:
RewriteEngine on RewriteCond %{QUERY_STRING} (.*)os_password(.*) RewriteRule .* - [E=deny_gadget=1] <LocationMatch ^/jira> Order allow,deny Allow from all Deny from env=deny_gadget </LocationMatch>
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.