We added the compatibility to the newest Jira version. Please be aware that this free app will be retired on 15th November 2022. Existing customers can continue using the latest installed version of the app after this date but there will ne no future releases.As this app was unsupported for a long time the effort for keeping it running was voluntary and no revenues were generated.
Protect filters which are shared with all users
Accessing such filters (Example: https://your-jira-domain.com/secure/ManageFilters.jspa) redirects to the login form. Saved filters, filter owner incl. mail adress will be protected.
Protect dashboards which are shared with all users
Accessing your Jira dashboards (Example: https://your-jira-domain.com
Redirecting all requests to the login form
Next to popular filters and dashboards also the quicksearch and other content requests from your Jira instance will be redirected to the login form.
Dashboards and filters can be shared with anyone. This also includes users which are not logged in (the "famous" anonymous users). This issue is opend and discussed here: https://jira.atlassian.com/browse/JRA-23255
While Jira displays a warning message that such sharing may not have the intended consequences it is so far impossible for an admin to prevent the sharing or access without patching the Jira source code.
A second problem is the quick search which can also be executed by an anonymous user and depending on the settings in the projects may or may not show some issues.
The "Prevent Anonymous Access" add-on prevent these redirecting any requests to the login form.
There is also a configurable whitelist to allow specific requests without login, for example to integrate with other tools.
- Version 2.0 • Released 2016-06-06 • No Vendor Support • Free • Commercial - no charge
So far the add-on contained a fixed set of whitelist entries. There are cases related to login (Single-Sign-On aka SSO) where this behavior prevented the use of this add-on.
With this 2.0 release two menu entries were added to the add-on section of the admin menu to:
- Add, view and remove whitelist entries (a regexp for an URL)
- View rejected requests. It is also possible to add the URL verbatim as a whitelist entry with a click
A word of caution is in order here: While it may be convenient to whitelist all rejected URLs you should only allow the URLs which are required for login, captcha and password reset. The attack surface should be as minimal as possible.
- Version 1.7 • Released 2016-01-05 • Supported By codecentric AG • Free • Commercial - no charge
ScriptRunner for Jira tries to access some REST resource at the login screen and does not fail gracefully when the request is declined. Result is a complete hang of the login form. This is fixed with a white list of the rest resource.