I saw a user with 6000 plus logins. Checked user sessions. Saw that, at a point during the day, he had 60 or so REST sessions with 1 request each. I know the user and asked him if he was running a bot/script using JIRA's REST API. He said he wasn't.
I have also seen other users with REST sessions; they are users where I would not expect them to have a REST session. They didn't have multiple sessions with 1 request each, though, but one session with many requests.
Why do these users have REST sessions? Do some of the plugins or gadgets use REST sessions?
How secure is the REST API? Right now our instance (JIRA 6.3.6) is internal but there is some discussion about putting it in the DMZ.
Any guidance about REST with an instance reachable from outside our domain? Should I disable remote API in this case and what effect does that have for application links?
Some of the functions inside JIRA use REST sessions to talk to the core. Gadgets on the dashboard for example.
This is an old question, but seems unanswered in the community, still. @Nic Brough -Adaptavist-'s answer seems to suggest that the session type might be determined by whether the page loaded at login contains REST-dependent elements? That does seem to be the case based on some rudimentary tests.
I had only ever seen an HTTP session with my account, so I identified the Dashboard being used by one of the users who had multiple REST sessions and no HTTP sessions. I added that person's Dashboard to my favorites, viewed the dashboard (so it would be the first page to load when I logged in again), logged out of JIRA, closed all JIRA tabs in my browser, opened a new tab, went to the base URL for our JIRA install, logged in and then checked the User Sessions. My account was listed as a REST session.
Then I logged in through an Incognito browser window on the same machine and also through a mobile browser on a phone. Both of those loaded the same Dashboard and registered as REST sessions.
The dashboard in question uses the Sprint Health and Sprint Burndown gadgets. One or both of those apparently force a REST session. Standard gadgets like pie charts and 2D filter statistics don't.
That's right - older gadgets from plain Jira ask the API for data directly. Newer gadgets (especially those in Software) make the calls over REST. So a user using a browser on a dashboard (and increasingly, other places) is also making REST calls.