How to identify basic auth requests in Jira
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
This article offers a way admins can identify which requests to Jira are using BASIC authentication. You may also identify which usernames are performing such requests.
This may be useful if you plan on disabling BASIC Auth in your instance and want to assess the impact first or notify the respective users.
Environment
All versions of Jira Core 7.x, 8.x, 9.x and 10.x
Solution
This alternative relies on two log files:
<jira-home>/log/atlassian-jira-security.log
<jira-install>/logs/access_log.yyyy-mm-dd
For the sake of simplicity, we're assuming jira-home is /home/jira and jira-install is /opt/jira. In the commands below, replace these with your respective directories.
Every time a BASIC auth is performed or a user logs in through the browser, a line similar to this is logged in atlassian-jira-security.log:
2021-10-18 14:01:34,042-0300 http-nio-8080-exec-25 admin 841x20x1 - 0:0:0:0:0:0:0:1 /rest/api/2/issue/SWA-1 The user 'admin' has PASSED authentication.
We are going to match these "PASSED" lines with the access log's entries through the Request Id (e.g. 841x20x1). For that, we'll exclude all access log lines containing the "Mozilla/" string, which appears in browser User-Agents and indicates browser access.
1) Filter out browser requests
The command below excludes all requests coming from the common browsers:
grep -v "Mozilla/" /opt/jira/logs/access_log.2021-10-18 >> ./access_log_api.log
grep "PASSED" /home/jira/log/atlassian-jira-security.log >> ./security_api.log
2) Filter out known users (optional)
If you already know users that make use of BASIC Auth, you may filter them out of the access log to optimize the next step (i.e. less data to parse):
grep -Ev "some_known_user|some_other_known_user|etc" ./access_log_api.log >> ./access_log_api_filtered.log
grep -Ev "some_known_user|some_other_known_user|etc" ./security_api.log | cut -d" " -f5 | sort | uniq >> ./security_api_filtered.log
3) Match the PASSED auth requests to access log entries
The command below matches each PASSED record in atlassian-jira-security.log to the corresponding entry in the access log through the request ID. It reads the two *_filtered.log files written in step 2:
while IFS= read -r req_id; do grep -m 1 "$req_id" ./access_log_api_filtered.log; done < ./security_api_filtered.log
The output of such a command will be all requests that have PASSED Basic authentication.
You may also output it to a file for further parsing:
while IFS= read -r req_id; do grep -m 1 "$req_id" ./access_log_api_filtered.log >> access_log_final.log; done < ./security_api_filtered.log
You may further optimize the parsing by excluding more usernames you already identified (step #2).
If you have a centralized log platform, you may follow the same strategy as above: match the Request Id between the security and access logs and filter out as much data as you can (ignore Browser requests, known users, etc).
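The request-ID match from steps 1 to 3 can also be done in a single pass over both logs, which avoids one grep per request ID and yields a per-user count for notifying account owners. The script below is an added example, not part of the original article: the function names and the sample log lines are constructed, and the access log layout (request ID as a whitespace-delimited field) is an assumption to check against your own access log.

```shell
#!/bin/sh
# basic_auth_requests SECURITY_LOG ACCESS_LOG
# Prints "username<TAB>access log line" for each non-browser request whose
# request ID has a PASSED entry in the security log.
basic_auth_requests() {
    awk '
        # First file (security log): map request ID ($5) to username ($4),
        # the same column the article reads with cut -d" " -f5.
        NR == FNR {
            if (index($0, "has PASSED authentication")) user[$5] = $4
            next
        }
        # Second file (access log): drop browser traffic as in step 1.
        index($0, "Mozilla/") { next }
        {   # Assumption: the request ID is a whitespace-delimited field.
            for (i = 1; i <= NF; i++)
                if ($i in user) { print user[$i] "\t" $0; break }
        }
    ' "$1" "$2"
}

# basic_auth_users SECURITY_LOG ACCESS_LOG
# Prints "count username" per user, busiest first.
basic_auth_users() {
    basic_auth_requests "$1" "$2" | cut -f1 | sort | uniq -c |
        sort -rn | awk '{ print $1, $2 }'
}

# write_sample_logs DIR: constructed sample data, not real Jira output.
write_sample_logs() {
    cat > "$1/security.log" <<'EOF'
2021-10-18 14:01:34,042-0300 http-nio-8080-exec-25 admin 841x20x1 - 0:0:0:0:0:0:0:1 /rest/api/2/issue/SWA-1 The user 'admin' has PASSED authentication.
2021-10-18 14:02:10,511-0300 http-nio-8080-exec-3 svc_build 842x21x1 - 10.0.0.5 /rest/api/2/search The user 'svc_build' has PASSED authentication.
2021-10-18 14:03:02,100-0300 http-nio-8080-exec-7 jdoe 843x22x1 - 10.0.0.9 /login.jsp The user 'jdoe' has PASSED authentication.
2021-10-18 14:04:00,000-0300 http-nio-8080-exec-9 svc_build 844x23x1 - 10.0.0.5 /rest/api/2/search The user 'svc_build' has PASSED authentication.
EOF
    cat > "$1/access.log" <<'EOF'
0:0:0:0:0:0:0:1 841x20x1 admin [18/Oct/2021:14:01:34 -0300] "GET /rest/api/2/issue/SWA-1 HTTP/1.1" 200 512 40 "-" "curl/7.64.1" "-"
10.0.0.5 842x21x1 svc_build [18/Oct/2021:14:02:10 -0300] "GET /rest/api/2/search HTTP/1.1" 200 900 55 "-" "python-requests/2.26.0" "-"
10.0.0.9 843x22x1 jdoe [18/Oct/2021:14:03:02 -0300] "POST /login.jsp HTTP/1.1" 200 100 30 "-" "Mozilla/5.0 (X11; Linux x86_64)" "-"
10.0.0.5 844x23x1 svc_build [18/Oct/2021:14:04:00 -0300] "GET /rest/api/2/search HTTP/1.1" 200 900 52 "-" "python-requests/2.26.0" "-"
10.0.0.7 845x24x1 - [18/Oct/2021:14:05:00 -0300] "GET /status HTTP/1.1" 200 20 2 "-" "kube-probe/1.21" "-"
EOF
}

tmp=$(mktemp -d) && write_sample_logs "$tmp" &&
    basic_auth_users "$tmp/security.log" "$tmp/access.log"
rm -rf "$tmp"
```

On real data, pass /home/jira/log/atlassian-jira-security.log and the day's /opt/jira/logs/access_log.yyyy-mm-dd file as the two arguments.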