Hi,
Can anybody tell me a good workaround to restrict access to the JIRA REST API? For example, I need to block access for certain users, etc. I can restrict it by using a reverse proxy for given IPs, but can I do it programmatically?
Implement a plugin using a Servlet Filter Module (docs), with a pattern matching the REST resource entirely, or parts thereof. Your access logic can be implemented before the rest of the processing chain, and if disallowed for some reason, you can return a 403 authz error.
Thanks for the answer. I don't think we can use a servlet filter, as the REST API is not handled via servlets.
No, I disagree. How do you think the REST API is exposed, eventually? And, having just a Test Case for the above, and echoing out the filtered URL, accessing a test url http://sup-jira:8080/rest/api/2/issue/TEST-1 with a browser I see my filter respond with Filter: http://sup-jira:8080/rest/api/2/issue/TEST-1?null
np, please mark as correct answer
Hi Andy,
It worked with JIRA rest API. I tested and confirmed. Sorry for the misunderstanding. Thanks again for the answer.
Hello,
Well, JIRA's REST API is a developer's tool to access data.
Well, it's open for all and cannot be restricted.
You can just take precautions for not letting other users access data by grouping and assigning roles.
Well, would you like to share the complete concern?
Hi Sohil,
Actually, my concern was to restrict all users from accessing the REST API, because some third-party clients may decrease the performance of my JIRA instance, e.g. if they are poorly written, etc.
Can you please put your comments as comments and not answers?
It will make things easy to read. :-)
Yes but that wasn't the question.
One more variant
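```java
import java.security.Principal;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import com.atlassian.jira.component.ComponentAccessor;
import com.atlassian.jira.security.groups.GroupManager;
import com.atlassian.jira.user.ApplicationUser;

@GET
@Path("/Hello")
@Produces({MediaType.APPLICATION_JSON})
public Response getSurvey(@Context SecurityContext sc) {
    if (isAvaliable(sc)) {
        return Response.ok(new HelloWorld()).build();
    }
    // Denied callers get 403 Forbidden instead of 200 OK with an error body,
    // so clients cannot mistake a refusal for a successful response.
    return Response.status(Response.Status.FORBIDDEN)
            .entity(new ErrorPage("Not allowed!"))
            .build();
}

private boolean isAvaliable(SecurityContext sc) {
    Principal userPrincipal = sc.getUserPrincipal();
    if (userPrincipal instanceof ApplicationUser) {
        ApplicationUser user = (ApplicationUser) userPrincipal;
        // Your restrictions ... for example, checking membership of a specific group
        GroupManager groupManager = ComponentAccessor.getGroupManager();
        if (groupManager.isUserInGroup(user, "administrator")) {
            return true;
        }
    }
    return false;
}
```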