Upcoming change in logging in with passing credentials in URL parameters

In Jira 8.14 and later we’ll be blocking the default possibility to log into Jira by passing credentials via URL parameters (see JRASERVER-38548: Remove url parameter support for os_username, os_password).

This method of authentication has been deprecated since the release of Jira 8.0 on 11th Feb 2019 (see JRASERVER-67979: Deprecate support for authenticating using os_username, os_password as url query parameters).

Since the credentials might end up as plain-text entries in various log files (such as those of load balancers or proxies), this method poses a security risk. To mitigate it, we want to block its default availability and make it an option only in special cases. We’ll also sanitize the access logs of the Tomcat web server bundled with Jira.

However, so that internal and legacy integrations keep working, we still want to provide a way to use this method: you’ll have to set a special system property to re-enable it. To keep your logs under control, it’s also a good idea to review them for credential entries that may already have been recorded.
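The log review recommended above, as an added example that is not part of the original announcement or of Jira’s own tooling: it scans access log lines in the common combined format (the sample lines, client addresses, user names and password are constructed, not real traffic) for the os_username and os_password parameters named in this post, reports which lines carry them, and produces a redacted copy of each line that can be kept in place of the original.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names this post says are being blocked as URL-based credentials.
CRED_PARAMS = {"os_username", "os_password"}

# Constructed sample lines in Tomcat/Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2020:10:15:32 +0000] "GET /rest/api/2/myself?os_username=svc-build&os_password=Hunter2 HTTP/1.1" 200 512
10.0.0.7 - - [12/Oct/2020:10:15:40 +0000] "GET /browse/ABC-1 HTTP/1.1" 200 2048
10.0.0.9 - - [12/Oct/2020:10:16:01 +0000] "POST /rest/api/2/issue?os_authType=basic&os_username=alice HTTP/1.1" 201 128
"""

# Matches the quoted request line: method, request target (path + query), protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def credential_params(target):
    """Return the credential parameter names present in a request target's query string."""
    query = urlsplit(target).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True) if k in CRED_PARAMS})


def redact_target(target):
    """Replace the values of credential parameters with REDACTED; leave all other parameters intact."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k in CRED_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(text):
    """Return (line_no, client_ip, params_found, redacted_line) for every line carrying credentials."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request line
        found = credential_params(m.group("target"))
        if found:
            redacted = line[:m.start("target")] + redact_target(m.group("target")) + line[m.end("target"):]
            findings.append((n, line.split(" ", 1)[0], found, redacted))
    return findings


if __name__ == "__main__":
    for line_no, client, params, redacted in scan_log(SAMPLE_LOG):
        print(f"line {line_no} from {client}: credentials in URL ({', '.join(params)})")
        print(f"  redacted: {redacted}")
```

Run against a real access log, the output tells you which clients still authenticate through URL parameters (and therefore need the system property or an updated integration) and gives you a sanitized copy of those lines.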

If you have any feedback regarding this change, feel free to reach out.

Yours,
The Jira Server Team
