Creating an allowlist when basic authentication is disabled


When basic authentication is disabled in your environment, you can still create an allowlist of specific users and URL paths that are permitted to use basic authentication in REST API calls.

Before you begin

To be able to block basic authentication and create an allowlist with exceptions in your environment, you must first install the SSO for Atlassian Data Center app from Atlassian Marketplace. This feature is supported in Data Center versions of Jira and Confluence. For the complete list of supported versions of these products, see Atlassian Marketplace.

To create an allowlist

  1. To read the current basic authentication configuration, send a GET request to:

    ${productBaseUrl}/rest/basicauth/1.0/config

    Here's an example response to this request:

    {
        "block-requests": true,
        "allowed-paths": ["/rest/greenhopper/*"],
        "allowed-users": ["admin", "john"]
    }
  2. To update the basic authentication configuration, send a PUT request to:

    ${productBaseUrl}/rest/basicauth/1.0/config

    In the body, you can configure the allowlist and whether basic authentication should be blocked (block-requests: true) or allowed (block-requests: false):

    {
        "block-requests": true,
        "allowed-paths": ["/rest/greenhopper/*"],
        "allowed-users": ["admin", "john"]
    }

    allowed-paths and allowed-users accept the wildcard "*", which matches any sequence of characters, including path separators. A pattern such as /rest/* would therefore exempt every REST endpoint from the block, so keep patterns as narrow as the integration needs.

    Configuration properties are independent: a PUT body only has to contain the properties you want to change, and properties you omit keep their current values. For example, to change only allowed-users, send:

    {
        "allowed-users": ["admin", "normalUser", "testUser"]
    }

    block-requests and allowed-paths are not affected by this request.
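The following script is an added example, not code shipped with the SSO for Atlassian Data Center app or taken from this page. It shows the two halves of the procedure above in one place: deciding offline whether a given user and path would get through a configuration like the one returned by the GET request, and preparing a PUT body that changes only allowed-paths (leaving block-requests and allowed-users untouched). The sample configuration, the host name jira.example.com, the credentials and the function names are all constructed for the example. One assumption is not spelled out on the page: the script treats a request as allowed when either the user or the path matches the allowlist. The sample paths come from the recommendation list on this page.

```python
import base64
import json
import re
import urllib.request

# Constructed sample in the shape returned by
# GET ${productBaseUrl}/rest/basicauth/1.0/config.
SAMPLE_CONFIG = {
    "block-requests": True,
    "allowed-paths": ["/rest/greenhopper/*"],
    "allowed-users": ["admin", "john"],
}


def glob_to_regex(pattern):
    """Turn an allowlist pattern into an anchored regular expression.

    '*' matches any sequence of characters, including '/', as the page's
    "any list of characters" wording implies; everything else is literal,
    so "/activity" matches only "/activity", not "/activity/feed".
    """
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def matches_any(value, patterns):
    return any(glob_to_regex(p).match(value) for p in patterns)


def basic_auth_allowed(config, user, path):
    """Decide whether a basic-auth request would pass this configuration.

    Assumption (not stated on the page): when block-requests is true, a
    request is let through if EITHER the user OR the path is allowlisted.
    """
    if not config.get("block-requests", False):
        return True  # blocking is off; everything may use basic auth
    return matches_any(user, config.get("allowed-users", [])) or matches_any(
        path, config.get("allowed-paths", [])
    )


def merged_paths_update(config, extra_paths):
    """Build a PUT body that only touches allowed-paths.

    Because the properties are independent, omitting block-requests and
    allowed-users leaves them exactly as they are on the server.
    """
    current = list(config.get("allowed-paths", []))
    for p in extra_paths:
        if p not in current:
            current.append(p)
    return {"allowed-paths": current}


def build_config_request(base_url, body, user, password, method="PUT"):
    """Prepare (but do not send) the HTTP request for the config endpoint.

    The request carries basic-auth credentials for `user`; make sure that
    account remains able to reach the endpoint after the update (for
    instance by keeping it in allowed-users). Credentials are constructed.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    return urllib.request.Request(
        base_url.rstrip("/") + "/rest/basicauth/1.0/config",
        data=data,
        method=method,
        headers={"Authorization": "Basic " + token, "Content-Type": "application/json"},
    )


def send(request):
    """Send a prepared request and decode the JSON reply (needs network)."""
    with urllib.request.urlopen(request) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Dry run against the constructed sample; nothing is sent anywhere.
    for user, path in [("john", "/rest/api/2/myself"),
                       ("alice", "/rest/greenhopper/1.0/rapidview"),
                       ("alice", "/rest/usermanagement/1/user")]:
        print(user, path, "->", "allowed" if basic_auth_allowed(SAMPLE_CONFIG, user, path) else "blocked")
    body = merged_paths_update(SAMPLE_CONFIG, ["/rest/usermanagement/*"])
    req = build_config_request("https://jira.example.com", body, "admin", "s3cret")
    print(req.get_method(), req.full_url, req.data.decode())
```

Run the dry run first with the configuration you fetched via GET; once the decisions look right, pass the prepared request to send(). The merge keeps existing entries and appends only the missing ones, so re-running it is safe.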


Some Atlassian products and integrations rely on username and password authentication in API calls. The following paths are the ones we recommend adding to your allowlist so that those integrations keep working after basic authentication is blocked:

Jira

  • When Jira acts as Crowd server:

    • /rest/usermanagement/*

    • /rest/appmanagement/*

    • /rest/directorymanagement/*

    • /rest/permissions/*

    • /rest/account/*

    • /rest/pluginmanagement/*

    • /rest/applinks/*

  • To use RSS feeds:

    • /sr/*

    • /activity

Confluence

  • To use Team Calendars:

    • /plugins/servlet/team-calendars/caldav/*

    • /rest/calendar-services/*

  • To use WebDAV:

    • /plugins/servlet/confluence/default

    • /plugins/servlet/confluence/default/*

  • To use RSS feeds:

    • /createrssfeed.action

    • /spaces/createrssfeed.action

    • /feeds/*

Bitbucket

  • To use Git over HTTPS:

    • /scm/*

  • Admin REST API:
    REST endpoints that require admin or sys admin privileges cannot be called with personal access tokens and therefore need to be allowlisted for basic authentication. For example:

    • /rest/admin/*


Crowd

  • When Crowd acts as a user directory/legacy Crowd SSO provider:
    • /rest/usermanagement/*




Last modified on Jan 21, 2025
