
I am seeing REST sessions in JIRA and don't know why?

Timothy Harris March 12, 2015

I saw a user with 6000 plus logins. Checked user sessions. Saw that, at a point during the day, he had 60 or so REST sessions with 1 request each. I know the user and asked him if he was running a bot/script using JIRA's REST API. He said he wasn't.

I have also seen other users with REST sessions; they are users I would not expect to have a REST session. However, they didn't have multiple sessions with 1 request but one session with many requests.

Why do these users have REST sessions? Do some of the plugins or gadgets use REST sessions?

How secure is the REST API? Right now our instance (JIRA 6.3.6) is internal but there is some discussion about putting it in the DMZ.

Any guidance about REST with an instance reachable from outside our domain? Should I disable remote API in this case and what effect does that have for application links?

1 answer


1 vote
Nic Brough -Adaptavist-
Community Leader
March 12, 2015

Some of the functions inside JIRA use REST sessions to talk to the core. Gadgets on the dashboard, for example.

Randall Robertson
Rising Star
March 7, 2018

This is an old question, but seems unanswered in the community, still. @Nic Brough -Adaptavist-'s answer seems to suggest that the session type might be determined by whether the page loaded at login contains REST-dependent elements? That does seem to be the case based on some rudimentary tests.

I had only ever seen an HTTP session with my account, so I identified the Dashboard being used by one of the users who had multiple REST sessions and no HTTP sessions. I added that person's Dashboard to my favorites, viewed the dashboard (so it would be the first page to load when I logged in again), logged out of JIRA, closed all JIRA tabs in my browser, opened a new tab, went to the base URL for our JIRA install, logged in and then checked the User Sessions. My account was listed as a REST session.

Then I logged in through an Incognito browser window on the same machine and also through a mobile browser on a phone. Both of those loaded the same Dashboard and registered as REST sessions.

The dashboard in question uses the Sprint Health and Sprint Burndown gadgets. One or both of those apparently forces a REST session. Standard gadgets like pie charts and 2D filter statistics don't.

Nic Brough -Adaptavist-
Community Leader
March 7, 2018

That's right - older gadgets from plain Jira ask the API for data directly. Newer gadgets (especially those in Software) make the calls over REST. So a user using a browser on a dashboard (and, increasingly, other places) is also making REST calls.
