Restricting JIRA REST API based on user's IP address

Sameera Shaakunthala [inactive]
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 7, 2013

We plan to restrict REST API access only from a selected set of IP addresses. Since REST calls are actually HTTP requests, I'm thinking of a way to use Apache (reverse proxy) in order to restrict API calls.

My question is, are there any specific URL patterns used by REST API calls?

So far I have observed /rest/* URL pattern in some HTTP requests made by the browser, so /rest/* alone can't be used as a filter.

6 answers

1 accepted


1 vote
Answer accepted
Renjith Pillai
January 7, 2013

Yes I guess. "/rest" alone is sufficient. But remember, this will block all the gadgets, Greenhopper etc. from doing rest calls. JIRA itself uses rest calls for many of the functionalities. So it is not actually right to restrict that path.

Sameera Shaakunthala [inactive]
January 7, 2013

Exactly. It will block the gadgets. What I'm looking for is a way to block REST without blocking any gadgets.

Thanks!

Renjith Pillai
January 7, 2013

It's tough, Sameera. What I can think of is to block /rest/api/latest and do some user tests to see whether JIRA is working fine.

Nic Brough -Adaptavist-
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
January 7, 2013

I think this is pretty much a non-starter.

Apart from the fact that it is a doddle to bypass restrictions by IP, as Renjith says, Jira uses REST internally, so you *must* allow *all* of your user clients to use it, or a lot of stuff stops working.

This makes it pretty much an all-or-nothing approach - either you can access Jira (and REST) or you can't at all.

Is there a reason you want to restrict REST? It might be easier to examine that to see if you can implement it differently.

Sameera Shaakunthala [inactive]
January 7, 2013

The reason is, when REST is enabled any user can use their own developed client application with JIRA. If these apps are not thoroughly tested, they might affect JIRA's performance.

Therefore we decided to disable the API.

Sameera Shaakunthala [inactive]
April 29, 2013

I understand that restricting is not an option according to your answer and comments. In that case, is there any possible method to monitor the usage of the JIRA remote API by users?

1 vote
IshanL
April 29, 2013

Hi Shaakunthala,

Why don't you ask your developers to write a servlet filter plugin to restrict API access?

https://answers.atlassian.com/questions/163535/restrict-access-to-rest-api?page=1#comment-163625

Thanks,

Ishan

Sameera Shaakunthala [inactive]
April 29, 2013

Thanks for the suggestion; theoretically it should work, I guess.

But, as highlighted in Renjith's answer and Nic's comment above, will it prevent lots of stuff working? Will this servlet filter impose on dashboard gadgets too?

IshanL
April 29, 2013

It's up to the developers to define the logic. In this way you have more flexibility to control your logic than with the reverse proxy method.
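As an added example that is not code from this thread or from Atlassian: a servlet filter along the lines IshanL describes, which gates only /rest/api/* (the public API path Renjith suggested restricting) by an IP allowlist and leaves every other /rest/* path (gadgets, GreenHopper, dashboards) alone, so the "all-or-nothing" problem from the accepted answer does not arise. It also logs every public-API call, which is the usage record Sameera asked about. Everything specific here is assumed for illustration: the package and class names, the plugin-descriptor snippet in the header comment and its `location` value, the allowlisted addresses, and that JIRA sits behind one reverse proxy at 10.0.0.10 which appends the client address to X-Forwarded-For (as Apache mod_proxy does).

```java
// Added example, not part of the original thread. Assumed registration in
// atlassian-plugin.xml (names, location and weight are illustrative):
//   <servlet-filter key="rest-ip-filter" class="example.RestApiIpFilter"
//                   location="before-decoration" weight="100">
//       <url-pattern>/rest/api/*</url-pattern>
//   </servlet-filter>
package example;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RestApiIpFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(RestApiIpFilter.class.getName());

    // Constructed allowlist: the one or two automation hosts permitted to use the API.
    private static final Set<String> ALLOWED =
            new HashSet<String>(Arrays.asList("10.0.5.21", "10.0.5.22"));

    // Only this TCP peer (the reverse proxy, assumed address) may vouch for
    // X-Forwarded-For; the header from any other peer is ignored as spoofable.
    private static final String PROXY_ADDR = "10.0.0.10";

    // Gate only the public REST API; other /rest/* paths are JIRA's own traffic.
    static boolean isPublicApi(String pathWithinContext) {
        return pathWithinContext.startsWith("/rest/api/");
    }

    // Behind a proxy getRemoteAddr() is the proxy itself. Since the proxy
    // appends to X-Forwarded-For, the last hop is the address it actually saw;
    // earlier entries were supplied by the client and cannot be trusted.
    static String clientAddress(String remoteAddr, String xff) {
        if (PROXY_ADDR.equals(remoteAddr) && xff != null && !xff.trim().isEmpty()) {
            String[] hops = xff.split(",");
            return hops[hops.length - 1].trim();
        }
        return remoteAddr;
    }

    static boolean isAllowed(String pathWithinContext, String remoteAddr, String xff) {
        if (!isPublicApi(pathWithinContext)) {
            return true;
        }
        return ALLOWED.contains(clientAddress(remoteAddr, xff));
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // Strip the context path (e.g. "/jira") so the match is on "/rest/api/...".
        String path = req.getRequestURI().substring(req.getContextPath().length());
        String remoteAddr = req.getRemoteAddr();
        String xff = req.getHeader("X-Forwarded-For");
        boolean allowed = isAllowed(path, remoteAddr, xff);

        if (isPublicApi(path)) {
            // Every public-API call is recorded, allowed or denied: this is the usage log.
            LOG.info((allowed ? "ALLOW " : "DENY ") + clientAddress(remoteAddr, xff)
                    + " " + req.getMethod() + " " + path);
        }
        if (!allowed) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "REST API not permitted from this address");
            return;
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig filterConfig) {}
    @Override public void destroy() {}
}
```

Two points a practitioner should check before relying on this. First, the filter believes X-Forwarded-For only when the TCP peer is the proxy, and then reads the last hop; trusting the first hop, or accepting the header from any peer, lets a client choose its own "source address" and makes the restriction as easy to bypass as Nic warns. Second, browser sessions of ordinary users may also touch /rest/api/ (any page or gadget that does so will now get a 403 from their workstations), so, as Renjith says, run user tests against the dashboards and boards before enabling it for everyone.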

0 votes
Andrzej Warycha January 2, 2014

To be more accurate: the REST API is available all the time regardless of the "Accept Remote API calls" option value. More here: https://jira.atlassian.com/browse/JRA-31822

0 votes
IshanL
April 28, 2013

Hi Pankaj,

What is the relevance of this answer?

Pankaj Jangid
April 28, 2013

The original poster had asked if there is a url pattern that he can use. So I explained there is a pattern and a developer can customize the pattern.

Sameera Shaakunthala [inactive]
April 29, 2013

Hi Pankaj,

My question is not a development question. It's a JIRA administration question.

Say there's a JIRA instance. From JIRA's General Configuration, if we enable the 'Accept Remote API calls' option, anyone will be able to access the API. Individual developers will have the flexibility to write their own JIRA client applications and use them on JIRA.

Since these clients may not have been properly tested, and since we do not know of any bugs in these clients that may degrade the performance of JIRA, we have decided to disallow remote API access. However, we still need to provide remote API access to one or two people, in order to automate several things. That is my question.

As far as I understand, your answer states how to create new REST methods (in a plug-in) and allow access to them. This may perhaps fit my requirement, but I'm afraid that we might have to re-write/extend the entire API into a new plug-in!

Thanks!

--

Shaakunthala

0 votes
Pankaj Jangid
April 28, 2013

You can customize the url pattern. And use that in reverse proxy. Here is how:-

To create RESTful API in plugin you must have specified <rest> element in "atlassian-plugin.xml". In the <rest> element there is a "path" attribute. Use it like this,

    <rest name="Example REST Resource" i18n-name-key="example-rest-resource.name" key="example.rest.resource" path="/example" version="1.0">
        <description key="example-rest--resource.description">The Example REST Resource Plugin</description>
    </rest>

Now, the URL to the services would be like this,

http://mywiki.example.com:8080/rest/example/1.0/myclass/mymethod

The class containing the service implementation is like this,

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

// Resource class; the class-level path is appended to the plugin's <rest> path
@Path("/myservice")
public class MyService
{
  @GET
  @Path("/mymethod")
  @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
  public Response mymethodImpl()
  {
    // Service logic goes here; build and return the response entity
    return Response.ok().build();
  }
}

So the generic pattern of URL is "/rest/myservicepath", where "myservicepath" is the path attribute of <rest> element. And you can use reverse proxy around this.

0 votes
IshanL
April 28, 2013

As Sameera suggested, can we block a user or group from accessing the REST API? I tried to find out, but could not so far.
