Creating an allowlist when basic authentication is disabled


When basic authentication is disabled in your environment, you can still create an allowlist of specific users and URLs that are permitted to use basic authentication in REST API calls.

Before you begin

To be able to block basic authentication and create an allowlist of exceptions in your environment, you must first install the SSO for Atlassian Server and Data Center app from Atlassian Marketplace. This feature is supported in Data Center versions of Jira and Confluence. For the complete list of supported versions of these products, see Atlassian Marketplace.

Note: This feature is only available for Jira version 8.16+.


To create an allowlist

  1. To read the current basic authentication configuration, send a GET request to:

    ${productBaseUrl}/rest/basicauth/1.0/config

    Here's an example response to this request:

    {
        "block-requests": true,
        "allowed-paths": ["/rest/greenhopper/*"],
        "allowed-users": ["admin", "john"]
    }
  2. To update the basic authentication configuration, send a PUT request to:

    ${productBaseUrl}/rest/basicauth/1.0/config

    In the body, you can configure the allowlist and whether basic authentication should be enabled or disabled:

    {
        "block-requests": true,
        "allowed-paths": ["/rest/greenhopper/*"],
        "allowed-users": ["admin", "john"]
    }

    allowed-paths and allowed-users accept the wildcard ("*"), which matches any sequence of characters.

    Configuration properties are independent, which means that you can update only allowed-users, for example:

    {
        "allowed-users": ["admin", "normalUser", "testUser"]
    }

    In that case, block-requests and allowed-paths are not affected.



Some Atlassian products rely on username and password authentication in API calls. Here's a list of URLs we recommend that you add to your allowlist to keep those products working when basic authentication is blocked.


Jira

  • When Jira acts as Crowd server:

    • /rest/usermanagement/*

    • /rest/appmanagement/*

    • /rest/directorymanagement/*

    • /rest/permissions/*

    • /rest/account/*

    • /rest/pluginmanagement/*

    • /rest/applinks/*

  • To use RSS feeds:

    • /sr/*

    • /activity

Confluence

  • To use Team Calendars:

    • /plugins/servlet/team-calendars/caldav/*

    • /rest/calendar-services/*

  • To use WebDAV:

    • /plugins/servlet/confluence/default

    • /plugins/servlet/confluence/default/*

  • To use RSS feeds:

    • /createrssfeed.action

    • /spaces/createrssfeed.action

    • /feeds/*

Bitbucket

  • To use Git over HTTPS:

    • /scm/*

  • Admin REST API:
    REST endpoints that require admin or sys admin privileges cannot use personal access tokens and therefore need to be allowlisted for basic authentication. For example:

    • /rest/admin/*
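The following Python helper ties the GET/PUT procedure above to the recommended Jira Crowd-server paths; it is an added example, not code from this page or from the SSO app. It implements the "*" wildcard semantics described above, flags entries that would allow everything, works out which recommended paths an existing configuration does not already cover, and builds the partial PUT body that changes only allowed-paths. The function names, the sample configuration and the `Authorization` header value are assumptions.

```python
import json
import re
import urllib.request
from typing import Optional

CONFIG_PATH = "/rest/basicauth/1.0/config"

# Paths this page recommends when Jira acts as a Crowd server.
JIRA_CROWD_PATHS = [
    "/rest/usermanagement/*", "/rest/appmanagement/*", "/rest/directorymanagement/*",
    "/rest/permissions/*", "/rest/account/*", "/rest/pluginmanagement/*", "/rest/applinks/*",
]


def _pattern(entry: str) -> re.Pattern:
    # Only "*" is special: it stands for any sequence of characters (including "/").
    return re.compile("^" + ".*".join(re.escape(part) for part in entry.split("*")) + "$")


def matches_any(value: str, entries: list) -> bool:
    """True if `value` (a request path or a username) is covered by an allowlist entry."""
    return any(_pattern(entry).match(value) for entry in entries)


def overly_broad(config: dict) -> list:
    """Findings that mean the block is not really in force (assumed audit rules)."""
    findings = []
    if not config.get("block-requests", False):
        findings.append("block-requests is false: basic authentication is not blocked")
    for path in config.get("allowed-paths", []):
        if path in ("*", "/*"):
            findings.append(f"allowed-paths entry {path!r} matches every URL")
    if "*" in config.get("allowed-users", []):
        findings.append("allowed-users contains '*': every user may use basic auth")
    return findings


def missing_paths(config: dict, recommended: list) -> list:
    """Recommended paths not already covered by an existing allowed-paths pattern."""
    current = config.get("allowed-paths", [])
    return [path for path in recommended if not matches_any(path, current)]


def partial_update(config: dict, recommended: list) -> Optional[dict]:
    """PUT body that only extends allowed-paths; block-requests and allowed-users stay untouched."""
    add = missing_paths(config, recommended)
    return {"allowed-paths": config.get("allowed-paths", []) + add} if add else None


def build_put_request(base_url: str, body: dict, auth_header: str) -> urllib.request.Request:
    """Build (without sending) the PUT; `auth_header` is an admin credential of your choice."""
    return urllib.request.Request(
        base_url.rstrip("/") + CONFIG_PATH, data=json.dumps(body).encode(), method="PUT",
        headers={"Content-Type": "application/json", "Authorization": auth_header},
    )
```

Send the request with `urllib.request.urlopen(build_put_request(...))` after fetching the current configuration from the GET endpoint and checking that `overly_broad` returns nothing.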




Last modified on Aug 4, 2021
