Security Behind Jira's APIs

kevin.yin · August 18, 2017, 7:32pm

Dear Atlassian community,

I am currently attempting to automate JIRA ticket creation through APIs, as an added feature of my web application I am developing. My question is related to security.

Using the API’s, JIRA basic authentication requires the user to offer their JIRA password. Is this information secure as it is being sent from my application server to JIRA? Do I need to ensure that my website has SSL certification for this to be secure, even though my application is only exists on the intranet of our company (only accessible by anyone who is connected to the Wifi). If I instead use JIRA’s Oauth option, will this be any better?

Thank you,
Kevin

daniel · August 18, 2017, 8:37pm

You’re never too secure

That said, basic auth is only slightly more secure than anonymous access (the password is pretty much being sent in plain text). If there’s SSL - that’s better but it’s still not awesome…

Oauth will be more secure since the passwords aren’t passed around (only the tokens). Depending on what you’re doing - you might want to look at Atlassian Connect since that will give your webapp a dedicated user to create things.

david.pinn · August 19, 2017, 7:08am

I agree that there are risks associated with entry, storage, and handing of user credentials in a web application; but in terms of the actual usage of those credentials in calls to the JIRA Server, SSL does ensure both secrecy (encryption) and authentication. Are you referring to other un-awesomeness?

In regard to calls from your web application to JIRA, Kevin, it is the JIRA server’s SSL certificate that is involved. In regard to the process of collecting username/password combinations from the end user, if you want that to happen over SSL too, then you’ll need to install an SSL certificate on your web application’s server.

You don’t need to spend money in order to obtain an SSL certificate; you can get one for free from Let’s Encrypt.

daniel · August 19, 2017, 7:38am

More referring to that it’s still plain text that is just encrypted during transit between the client and the ssl termination point. Depending on the server implementation (say an ssl proxy in front of tomcat) - you could get hold of it when it’s on the local server.

My point was that just because that you have SSL - it doesn’t mean you’re 100% secure (it’s a good start though ). I personally avoid basic auth because if the http headers can be accessed, the username/password is available. I’m going to put this down to me being paranoid from working in an operations team for a while.

+1 on Letsencrypt (note though that if you have old web clients(I want to say older than 5 years) they may have issues with the certificate)

kevin.yin · August 23, 2017, 8:48pm

Thanks guys, your responses have been great. I think I have a better understanding through how the security works for the different outlets of connection, but I still have one more question. If I implement JIRA’s Oauth connection, will having SSL certification still be necessary for security? Also, for an intranet application like mine, that is only accessible by employees on our local network, are the same SSL certificates still usable?