JIRA Client user agent filter

Sandro Juković December 6, 2011

Hi,

We wanted to block user agent Jakarta Commons-HttpClient/3.0 (JIRA Client/2.3.5.5825.285) from downloading data from our JIRA.

Atlassian told us to do that on a network/server level.

My system admin has configured an .htaccess file and now nothing happens (JIRA Client still downloads info from JIRA). He told me that the JIRA Apache server is somewhat different and that he isn't sure if he put the file in the right directory.

Directories where the file is are:
1. C:\Atlassian\JIRA 4.1.2\atlassian-jira
2. C:\Atlassian\JIRA 4.1.2\bin

.htaccess file contains this text:
"BrowserMatchNoCase Jakarta bad_bot
Order Deny,Allow
Deny from env=bad_bot"

He is not an expert on Apache servers but an MS expert, so we need help on this issue.

Thanks,

Answer accepted
Igor Sereda [ALM Works]
Rising Star
December 6, 2011

Hi Sandrox, may I ask why you would block JIRA Client? It's not a bot, it's a user agent - a desktop application for working with JIRA - see details here. If you think your JIRA Server is stressed because of JIRA Client, it's often an indication that the server is at its maximum capacity and needs an upgrade. But JIRA Client users can also be advised to lower the update rate to minimize the effect on the server.

Anyway, if you would still like to block it by User Agent, the important question is whether all your requests to JIRA are served through Apache. Your configuration looks valid, but it applies only to requests coming through Apache. Also, check that AllowOverride for the directory includes FileInfo and Limit.

Igor

Sandro Juković December 6, 2011

Hi Igor,

Thanks for your answer and help.

First of all, I have downloaded the JIRA Client trial to test its features, and it works fine. But the problem is that we have some custom fields which we are hiding from certain external users.

In browsers like Chrome, Mozilla, IE etc., this hiding works fine. It also works for apps on mobile phones. Only JIRA Client can see these hidden fields, even when we turn off the remote API (I have also turned off the RPC service and the REST service). So, when some user adds hidden fields to his view in JIRA Client, he can see them.

Therefore, this is a security risk for us and that is the reason we want to turn off access to JIRA Client's user agent.

"Also, check that AllowOverride for the directory includes FileInfo and Limit." --> how to set this up?

Cheers,

Igor Sereda [ALM Works]
December 6, 2011

Thanks for the explanation! I see.

From a security standpoint, JIRA Client does not exploit any unknown holes and does not do any magic. You can block JIRA Client but the security vulnerability of your configuration will still remain. If JIRA Client can easily get that data from your system, so can any other hand-crafted code.

I would check the XML view of the issues, which is mainly used to load issue data. Open any issue and select XML view, then see if the sensitive fields are there. Note that if XML view is disabled from your menus, it doesn't mean that it won't work if requested directly via URL.

On Apache: AllowOverride is typically set in the site configuration file, like /etc/apache2/sites-enabled/whatever-site-name-is, inside the <Directory> setting. You can change it to AllowOverride All.

Hope this helps
Igor
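
The XML view check described in the answer above, as an added example that is not part of the original thread: save the XML view of an issue while logged in as a restricted external user, then scan it for the custom fields that are supposed to be hidden. The element names (`customfield`, `customfieldname`, `customfieldvalue`), the field name "Internal Cost" and the issue key `DEMO-1` are assumptions in a constructed sample; adjust them to what your server actually returns.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an issue's XML view, saved while logged in as a
# restricted external user. Element layout and all values are assumptions.
SAMPLE_XML = """<rss version="0.92"><channel><item>
  <key id="10001">DEMO-1</key>
  <customfields>
    <customfield id="customfield_10010">
      <customfieldname>Internal Cost</customfieldname>
      <customfieldvalues><customfieldvalue>1200</customfieldvalue></customfieldvalues>
    </customfield>
    <customfield id="customfield_10011">
      <customfieldname>Customer Reference</customfieldname>
      <customfieldvalues><customfieldvalue>ACME-7</customfieldvalue></customfieldvalues>
    </customfield>
  </customfields>
</item></channel></rss>"""


def exposed_fields(xml_text, hidden_names):
    """Map issue key -> [(field name, values)] for hidden fields found in the XML."""
    # The file comes from your own server, but refuse DTDs anyway:
    # ElementTree does not limit entity expansion.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("refusing XML that declares a DTD or entities")
    wanted = {name.strip().lower() for name in hidden_names}
    findings = {}
    for item in ET.fromstring(xml_text).iter("item"):
        key = (item.findtext("key") or "unknown").strip()
        for field in item.iter("customfield"):
            name = (field.findtext("customfieldname") or "").strip()
            if name.lower() not in wanted:
                continue
            values = [(v.text or "").strip() for v in field.iter("customfieldvalue")]
            findings.setdefault(key, []).append((name, values))
    return findings


if __name__ == "__main__":
    report = exposed_fields(SAMPLE_XML, ["Internal Cost"])
    for key, fields in report.items():
        for name, values in fields:
            print(f"{key}: hidden field '{name}' is served with values {values}")
    if not report:
        print("no hidden fields found in this XML view")
```

Any finding means the server itself hands the field to that account, so the fix belongs in the JIRA field and permission configuration rather than in a User-Agent rule.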
