How to identify basic auth requests in Jira

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

 

Summary

This article offers a way admins can identify which requests to Jira are using BASIC authentication. You may also identify which usernames are performing such requests.

This may be useful if you plan on disabling BASIC Auth in your instance and want to assess the impact first or notify the respective users.


Environment

All versions of Jira Core 7.x and 8.x.


Solution

This alternative relies on two log files:

<jira-home>/log/atlassian-jira-security.log
<jira-install>/logs/access_log.yyyy-mm-dd

For the sake of simplicity, we're assuming jira-home is /home/jira and jira-install is /opt/jira. Replace these with your own directories in the commands below.

Every time a BASIC auth is performed or a user logs in through the browser, a line similar to this is logged in atlassian-jira-security.log:

2021-10-18 14:01:34,042-0300 http-nio-8080-exec-25 admin 841x20x1 - 0:0:0:0:0:0:0:1 /rest/api/2/issue/SWA-1 The user 'admin' has PASSED authentication.

We are going to match these "PASSED" lines with the access log entries through the Request Id (e.g. 841x20x1). Before that, we'll exclude all access log lines containing the "Mozilla/" string, which appears in browser User-Agents and indicates browser access.

1) Filter out browser requests

The command below excludes all requests coming from the common browsers:

grep -v "Mozilla/" /opt/jira/logs/access_log.2021-10-18 >> ./access_log_api.log
grep "PASSED" /home/jira/log/atlassian-jira-security.log >> ./security_api.log

2) Filter out known users (optional)

If you already know users that make use of BASIC Auth, you may filter them out of the access log to optimize the next step (i.e. less data to parse):

grep -Ev "some_known_user|some_other_known_user|etc" ./access_log_api.log >> ./access_log_api_filtered.log
grep -Ev "some_known_user|some_other_known_user|etc" ./security_api.log | cut -d" " -f5 | sort | uniq >> ./security_api_filtered.log

3) Match the PASSED auth requests to access log entries

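The command below matches each PASSED record from atlassian-jira-security.log to the corresponding access log entry through the request ID. It reads the two files written in step 2, where the second command also reduces the security log to a unique list of request IDs (field 5):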

while IFS= read -r req_id; do grep -m 1 "$req_id" ./access_log_api_filtered.log; done < ./security_api_filtered.log

The output of this command is all requests that have PASSED Basic authentication.

You may also output it to a file for further parsing:

while IFS= read -r req_id; do grep -m 1 "$req_id" ./access_log_api_filtered.log >> access_log_final.log; done < ./security_api_filtered.log

You may further optimize the parsing by excluding more usernames you have already identified (step #2).


If you have a centralized log platform, you may follow the same strategy as above: match the Request Id between the security and access logs and filter out as much data as you can (ignore browser requests, known users, etc.).



Last modified on Nov 4, 2021
