Upcoming change in logging in with passing credentials in URL parameters

In Jira 8.14 and later we’ll be blocking the default possibility to log into Jira by passing credentials via URL parameters (see https://jira.atlassian.com/browse/JRASERVER-38548).

This method of authentication has been deprecated since the release of Jira 8.0 on 11th Feb 2019 (see https://jira.atlassian.com/browse/JRASERVER-67979).

Since the credentials might end up as a plain text entry in different log files (such as that of load balancers or proxies), this method poses a security risk. To mitigate it, we want to block its default availability, and make it an option only in special cases. We’ll also sanitize the access logs of the Tomcat web server bundled with Jira.

However, for the internal and legacy integrations to keep working, we still want to provide a way to use this method. You’ll have to set a special system property. That way your legacy and/or internal integrations will still work. To keep your logs under control, it’s also a good idea to review your logs for possible credential entries.

If you have any feedback regarding this change, feel free to reach out.

The Jira Server Team

1 Like