Encrypt URL when creating an issue via URL

Is it possible to encrypt the information in the URL when creating an issue of the form http://jira.atlassian.com/secure/CreateIssueDetails.jspa?pid=10420&issuetype=1&customfield_10010=hooray&os_username=test&os_password=testPass

I'm most worried about the username and password being submitted in plain text; it would feel much better if I could use a hash function on them before submitting.

3 answers

0 votes

If you're worried about security then don't pass the credentials as parameters. What context is this form being used in, are you embedding it in some other app for instance?

For a start you could use HTTP POST rather than GET, then consider some form of SSO.

The url is generated from our application to assist the user when creating a bug report in Jira. The application helps the user with filling in information like version info etc, then the user has to fill in specific information about the bug before submitting.

I've evaluated using POST, but I don't think it would meet my requirements.

When reading the following pages I get the feeling that building a URL in the way I've done is the way it's supposed to be done. There is a section about this problem, and from what I can understand the workaround is to log in in a separate session, get the cookie and then supply the cookie to my browser. However, it would make much more sense to me if I could just encrypt the username and password in the URL.

http://confluence.atlassian.com/display/JIRACOM/Automating+JIRA+operations+via+wget

http://confluence.atlassian.com/display/JIRA/Creating+Issues+via+direct+HTML+links

You must be using a common account then. If you leave off the credentials from the URL then the user will have to log on, then be redirected to the page with the values pre-filled.

> http://confluence.atlassian.com/display/JIRACOM/Automating+JIRA+operations+via+wget

I think this is more for administrative purposes.

Any encryption would just be smoke and mirrors because Jira will require the plaintext credentials.

I regularly use the wget stuff for simple scripts, but exactly as Jamie says, I have to work on the assumption that the user is already logged into Jira. SSO makes that very easy.

There is a way to do it (I use following method in my plugin):

1. Build a JIRA plugin

2. The plugin creates a certificate (public & private keys) by using Java at the server side

3. Include an invisible Flash Player in the JIRA plugin and load it into the web page

4. The Flash Player downloads the PUBLIC key from the server

5. Call the Flash Player to encrypt data by using JavaScript

6. Pass encrypted data to the server and decrypt them by using the PRIVATE certificate.

This might also be useful for you:

http://www.jcryption.org/
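
An added example, not part of the original thread: query-string credentials such as `os_username` and `os_password` are recorded verbatim in web server access logs, so the sketch below builds the prefilled create-issue link without them and finds and redacts requests that did carry them. The host `jira.example.com`, the function names and the log lines are constructed assumptions; the parameter names come from the URL in the question.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Credential parameter names taken from the URL in the question.
CREDENTIAL_PARAMS = {"os_username", "os_password"}

def build_create_issue_url(base, fields):
    """Build a prefilled create-issue link, refusing credential parameters."""
    leaked = CREDENTIAL_PARAMS & {k.lower() for k in fields}
    if leaked:
        raise ValueError(f"credentials must not go in the URL: {sorted(leaked)}")
    return f"{base.rstrip('/')}/secure/CreateIssueDetails.jspa?{urlencode(fields)}"

def strip_credentials(url):
    """Return (url without credential parameters, sorted names removed)."""
    parts = urlsplit(url)
    kept, removed = [], set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in CREDENTIAL_PARAMS:
            removed.add(name.lower())
        else:
            kept.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(kept))), sorted(removed)

# Matches the request target in a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def find_leaks(log_lines):
    """Return (line_number, redacted_line) for requests that carried credentials."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        clean, removed = strip_credentials(m.group(1))
        if removed:
            hits.append((n, line.replace(m.group(1), clean)))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /secure/CreateIssueDetails.jspa'
    '?pid=10420&issuetype=1&os_username=test&os_password=testPass HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:10:00:05 +0000] "GET /secure/CreateIssueDetails.jspa'
    '?pid=10420&issuetype=1 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(build_create_issue_url("https://jira.example.com", {"pid": 10420, "issuetype": 1}))
    for n, line in find_leaks(SAMPLE_LOG):
        print(n, line)
```

Any password that `find_leaks` turns up has already been written to disk in plain text, so the account behind it should have its password changed.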
