Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Disabling basic authentication

Tomas Klima
Tomas Klima December 15, 2013

Hello,

is there a way how to disable or deny basic authentication? If you use Desktop Jira Gadget or similar applications the search URL containing your username and password can be seen in Java melody monitoring, no matter if you use SSL or not because it displays decrypted requests and everyone who has access to the monitoring page can see the passwords. Is there any way how to avoid this?

Thanks and regards,

Tomas

Answer
Watch
Like Be the first to like this
1301 views

1 answer

1 accepted

0 votes
Answer accepted
Aseem Parikh
Aseem Parikh
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 16, 2013

Basic auth uses headers, so I assume you're referring to authentication using the os_username and os_password query string parameters?

If you're using Apache on your front end and proxying traffic to JIRA, you can set something up to deny access to anyone or anything attempting to authenticate in this manner. Here's a small (and untested) example of how to accomplish this in an Apache vhost:

RewriteEngine on
RewriteCond %{QUERY_STRING} (.*)os_password(.*)
RewriteRule .* - [E=deny_gadget=1]

<LocationMatch ^/jira>
    Order allow,deny
    Allow from all
    Deny from env=deny_gadget
</LocationMatch>

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events