HTTP basic authentication

Owned by Mari Fuglem
Last updated: Sept 23, 2024 by August Heltne
2 min read

Users can authenticate using an HTTP Basic Auth header with the rest API using their password.

image-20240620-125555.png

Prevent HTTP Basic Authentication

To avoid use of password in REST integrations, Prevent HTTP Basic Authentication.

When prevented, it is no longer possible to authenticate to the REST API with password in Basic Auth.

image-20240620-125823.png

Allow or deny Basic Auth for certain IP addresses

Allow or deny Basic Auth API requests for users with specific IP addresses or subnets. Open and Strict mode enables you to control in detail which IP addresses can use password on Basic Auth on incoming REST API request.

Note

The users must be in a directory or group that is allowed to use Basic Auth

The IP address is checked first, then the group/directory memberships.

 

Allow Basic Auth for users in specific user directories or groups

Allow users in specific user directories or groups to use passwords in Basic Auth REST API requests. Any user either matching a configured group or directory will be allowed to use Basic Auth.

Users not in the allowed user directories or groups will get a message as configured in customizable texts.

 

Re enable Basic Auth

If necessary, you may re-enable Basic Auth by deleting the following file on your application server:

/usr/local/atlassian/…disable_basic_auth_rest.txt

It can take up to a minute for changes to take effect.