Locking down the JIRA API - ramifications

Taylor Huston April 16, 2018

Hi all,

Per the security requirements of the team I am working with, there can't be any kind of external API access. So far the best way to solve this that I have come up with is to block it at the Apache proxy (different VM) level for anything that's an external IP, i.e., I have this in my Apache virtual host:

<Location "/rest/api/2/" >
    Order Deny,Allow
    Deny from all
    Allow from 10.
</Location>


Initial testing looks good, but are there any ramifications I am not thinking of? Could it potentially break any Add-ons, for example?

3 answers

0 votes
Nic Brough -Adaptavist-
Community Leader
April 17, 2018

You will need to allow REST calls to all your users, or dashboards, gadgets and integrations will fail.

However, your security requirements are based on faulty understanding. The REST API is simply a (slightly less functional) interface on to the web-ui. There is no point in blocking it because everything you can do with REST can be done by a user with a browser. REST respects the permissions and security that you set up for UI users.

Blocking REST provides you absolutely no security benefits, it just breaks stuff. 

Taylor Huston April 17, 2018

Ugh wrong account

Taylor Huston April 17, 2018

There is currently 2FA SAML in front of JIRA for the web-ui. Using the Rest API with Basic Auth bypasses that and that's a security no-go here. 

0 votes
Tzu Hau Chai
Atlassian Team
April 17, 2018

Do you have any users who use JIRA externally? I doubt you can do this unless all of your user base only accesses JIRA internally, as there are REST API calls during normal usage as well.

0 votes
David Yu
Rising Star
April 17, 2018

I believe sometimes the browser itself will make calls to /rest/api/2. For example, just loading the Rapid Boards I can see a request to /rest/api/2/project. 

Maybe you could inspect the referrer as most browser generated ones will have a value?

I guess this is a good preventative measure to prevent users from integrating a cloud service without permission, since most will operate via the REST API. Is that the main goal?

Taylor Huston April 17, 2018

Wrong account

Taylor Huston April 17, 2018

Yeah, but I THINK that can be avoided with the subnet rules. I am hoping that as long as I allow api calls from localhost, it should be fine. Hoping.

David Yu
Rising Star
April 17, 2018

That won't be enough as the requests will not be coming from localhost. They'll be coming from the end-user.

Somewhat related but you may also be interested in this:

https://community.atlassian.com/t5/Jira-questions/What-s-the-best-way-to-require-login-on-every-page/qaq-p/765834#M248511
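The thread narrows the actual concern down to one thing: HTTP Basic authentication against the REST API bypasses the SAML/2FA front-end, while the REST calls that dashboards, gadgets and the browser itself make ride on the normal session cookie and come from the end-user's address, not from localhost. A rule that targets the Basic credentials rather than the URL path addresses the stated risk without breaking external browser users. The configuration below is an added example written for this answer, not something from the original post or from Atlassian. It uses Apache 2.4 syntax (the question's Order/Deny/Allow form is 2.2 syntax, which 2.4 only accepts via mod_access_compat), assumes mod_setenvif, mod_authz_core and mod_authz_host are loaded, assumes the proxy sees the real client address (no further load balancer in front of it; otherwise mod_remoteip is needed first), and treats 10.0.0.0/8 as the internal network. The environment variable name is made up for the example.

```apache
# Added example (not from the original post): Apache 2.4 rule on the
# reverse-proxy VM that refuses HTTP Basic credentials on the REST API
# from outside the internal network, while leaving cookie-based browser
# requests (dashboards, gadgets, Rapid Boards) untouched.
<Location "/rest/api/2/">
    # Flag any request carrying Basic credentials. The scheme token is
    # case-insensitive per RFC 7235, hence the NoCase variant.
    # "rest_basic_auth" is a constructed variable name for this example.
    SetEnvIfNoCase Authorization "^Basic\s" rest_basic_auth

    <RequireAny>
        # Internal clients keep full API access, Basic auth included.
        Require ip 10.0.0.0/8

        # Everyone else is allowed only when no Basic credentials are
        # presented: external browser sessions keep working, external
        # scripts that send username/password get a 403 and never reach
        # the application's authenticator behind the SAML front-end.
        <RequireAll>
            Require all granted
            Require not env rest_basic_auth
        </RequireAll>
    </RequireAny>
</Location>
```

Run `apachectl configtest` before reloading, and verify with one cookie-authenticated browser request and one Basic-authenticated request from an external address (the first should succeed, the second should receive 403). Two caveats a practitioner would want: the `<Location>` prefix only covers `/rest/api/2/`, so any other REST prefix the instance exposes needs its own block with the same body; and the Referer check suggested above is not a substitute, because that header is set by the client and carries no guarantee, whereas the presence of Basic credentials is exactly the property being controlled.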
