Adding more Security to JIRA


I made a post a few years ago about monitoring JIRA for suspicious user activity.

In this post I want to give some ideas for how to increase the security of your JIRA installation.

Additional Security Measure Ideas

1) Force the user to input a ‘strong password’

There is a post on JIRA support that contains a user-uploaded changepassword.jsp amended to run a JavaScript check on the user's desired password.  The script ensures that the password is longer than 8 characters, mixes lower- and upper-case letters, contains a number, and so on.  This stops people from choosing weak passwords like "cat1".  Bear in mind that a check running in the browser is a convenience, not an enforcement control: anyone who disables JavaScript or posts the form directly bypasses it, so the same rules should also be enforced on the server if you want a guarantee.

2) Suggest that users make their password memorable

If the password can be easily remembered, the user will be able to log in from an unfamiliar PC (hotel, business trip, etc.) without bothering you to reset it for them.  It also reduces the chance of them writing it down on a Post-it note and sticking it on their monitor or in their top desk drawer.

To do this, I added some HTML to changepassword.jsp suggesting that the user make the password memorable for the reasons above.  I also suggested they use [location] + [year] as their password, e.g. london1969.  Be aware that a place name followed by a year is easy to guess for anyone who knows where the user works or was born, and word-plus-digits combinations are among the first things password-cracking tools try, so a hint like this trades a lot of strength for memorability.
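The rules from point 1 enforced on the server side, as an added example in Python (this is not the JSP code from the post, which is JavaScript in the browser).  It goes slightly beyond the post: besides the length/upper/lower/digit checks it rejects passwords containing the username and the "[location] + [year]" shape from point 2 when the word is in a (constructed, tiny) common-word list.  MIN_LENGTH, COMMON_WORDS and the rule wording are assumptions for illustration.

```python
import re

MIN_LENGTH = 8  # the post says "more than 8 characters"; raise this if you want that exactly

# Constructed, deliberately tiny word list standing in for a real dictionary.
COMMON_WORDS = {"london", "tokyo", "paris", "password", "welcome", "summer", "winter"}

# Matches the "[location] + [year]" shape, e.g. london1969 or London2010.
WORD_PLUS_YEAR = re.compile(r"^([A-Za-z]+)((?:19|20)\d{2})$")


def check_password(password, username=None):
    """Return the list of rules the password breaks; an empty list means it is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("must contain a lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("must contain an upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("must contain a digit")
    if username and username.lower() in password.lower():
        problems.append("must not contain the username")
    # A mixed-case word plus a year passes the four checks above but is still predictable.
    match = WORD_PLUS_YEAR.match(password)
    if match and match.group(1).lower() in COMMON_WORDS:
        problems.append("a common word followed by a year is too predictable")
    return problems


def is_acceptable(password, username=None):
    return not check_password(password, username)


if __name__ == "__main__":
    for candidate in ("cat1", "London1969", "Tr0ub4dor&3"):
        print(candidate, check_password(candidate) or "OK")
```

Note that "London1969" satisfies every rule the JavaScript check enforces and is only caught by the predictability rule, which is the point of the caveat above.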

3) Do not send out username and password in the same email

By default, JIRA will send out an email like this to the new user upon creation:

A JIRA account has been created for you at:

Here are the details of your account:
Username: bobsmith
Full Name: Bobby Dong Smith
Password: coolpassword

There is some chance of this email being intercepted in transit, or simply read by someone other than the intended user (a shared mailbox, a forwarded copy), and with both values in one message that reader gets a working credential.  So it is better not to show the password in this email.  Instead, send it to them in a separate email.

To do this, you need to change the password line in userdetails.vm as follows:

$stringUtils.leftPad($i18n.getText("template.user.details.password"), $padSize): $i18n.getText("PASSWORD WILL BE PROVIDED SEPARATELY")

This will replace "coolpassword" in the above example with "PASSWORD WILL BE PROVIDED SEPARATELY" (getText renders an unknown key as-is, which is why the literal text appears).

The userdetails.vm file can be found in this path:


There is some discussion about this on JIRA support.

4) Prevent automated password guessing by banning an IP that repeatedly fails to log in

You can do this with fail2ban, as suggested by Atlassian.

This works well, but you have to be careful.  Some offices put all their users behind one shared public IP address.  If one user forgets his password and tries to guess it, fail2ban will ban the whole office from JIRA, because the shared address is all it can see.  Therefore, be sensible with the fail2ban settings.  Something like a 2-minute ban after 8 failed logins within a minute should be a reasonable balance between user-friendliness and protection from a brute-force attempt: it limits a guessing script to a handful of tries per minute while a locked-out office recovers quickly.  If your JIRA version has its own per-account protection (a CAPTCHA or lockout after a number of failed attempts), that does not suffer from the shared-address problem and can be combined with the IP ban.
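The sliding-window logic behind that setting, as an added Python simulation (not fail2ban's code and not the Atlassian recipe): it replays constructed login-log lines, bans a source IP for 120 seconds once it has produced 8 failures within 60 seconds, and shows the shared-office problem, since alice's correct login from the same address as bob is refused while the ban lasts.  The log format, the usernames and the addresses are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning from the post: ban for 2 minutes after 8 failures within 1 minute.
MAX_FAILURES = 8
WINDOW = timedelta(seconds=60)
BAN_TIME = timedelta(seconds=120)

# Constructed sample log (format assumed): date, time, client IP, username, result.
# 203.0.113.7 is an office NAT address shared by bob and alice.
SAMPLE_LOG = """\
2010-01-25 08:58:50 203.0.113.7 bob FAIL
2010-01-25 09:00:00 203.0.113.7 bob FAIL
2010-01-25 09:00:05 203.0.113.7 bob FAIL
2010-01-25 09:00:10 203.0.113.7 bob FAIL
2010-01-25 09:00:15 203.0.113.7 bob FAIL
2010-01-25 09:00:20 203.0.113.7 bob FAIL
2010-01-25 09:00:25 203.0.113.7 bob FAIL
2010-01-25 09:00:30 203.0.113.7 bob FAIL
2010-01-25 09:00:35 203.0.113.7 bob FAIL
2010-01-25 09:00:40 203.0.113.7 alice OK
2010-01-25 09:01:00 198.51.100.9 carol FAIL
2010-01-25 09:01:10 198.51.100.9 carol FAIL
2010-01-25 09:01:20 198.51.100.9 carol FAIL
2010-01-25 09:02:50 203.0.113.7 alice OK
"""


def parse_line(line):
    day, clock, ip, user, result = line.split()
    return datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"), ip, user, result


class LoginGuard:
    """Per-IP sliding window of recent failures plus a timed ban, like a fail2ban jail."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> datetime when the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Register a failed login; return True if this failure triggers a ban."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > WINDOW:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.banned_until[ip] = now + BAN_TIME
            recent.clear()
            return True
        return False


def replay(log_text):
    """Replay log lines through the guard; return (time, ip, user, decision) per line."""
    guard = LoginGuard()
    decisions = []
    for line in log_text.splitlines():
        now, ip, user, result = parse_line(line)
        if guard.is_banned(ip, now):
            decision = "blocked"  # banned address: even a correct password is refused
        elif result == "FAIL":
            decision = "banned" if guard.record_failure(ip, now) else "failed"
        else:
            decision = "allowed"
        decisions.append((now.strftime("%H:%M:%S"), ip, user, decision))
    return decisions


if __name__ == "__main__":
    for row in replay(SAMPLE_LOG):
        print(*row)
```

Bob's failure at 08:58:50 falls out of the window before it matters, the eighth failure inside the minute bans the office address at 09:00:35, alice is blocked at 09:00:40 despite a correct password, and she gets in at 09:02:50 once the ban has expired; carol's three failures from another address never reach the threshold.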

5) Delegate responsibility!

Hopefully the 'project leads' of your JIRA projects are familiar with the system and can competently manage users, permission schemes, etc.  I would suggest making them as responsible as possible for the users in their project (or Space in Confluence): teach them how to use the system and why security matters, and even give them an annual online test!

You can also use the Watch and Follow functions of Confluence to make sure that Line Managers and Space Admins are being informed of what is going on in their space.

6) Confidentiality Agreement

If you have anything sensitive on your JIRA/Confluence, you may wish to draw up a confidentiality agreement and get all users to sign it before they are given access.  You could do this online using SurveyMonkey or a similar service.  You may also wish to do an annual review and get all users to re-sign.

You will have to judge how you want to use the agreement:

  • just to influence users to be careful –> write a plain-English document with reasonable guidelines
  • to hold them accountable in court should they abuse the system –> get a lawyer to draft a thorough legal document

Good Luck

I hope these ideas are useful to you.

If you have any good ideas, I would love to hear them – please comment!


JIRA with Kanban (Greenhopper)

Recently my work has become more and more project-management oriented, so I have been reading a lot of books on the subject.

At the moment I am deeply interested in these two concepts:

  • The agile software development methodology Kanban
  • The psychological theory of Flow

I want to start bringing these two concepts into my team.

As I am using JIRA to manage my team's tasks, I am considering buying the Greenhopper plugin, which offers Kanban support.

Before I do so, I’d like to ask the community if anyone has any experience using Greenhopper for Kanban.  Any positive/negative experiences to share?

Migrating to Contegix JIRA Hosted: The Pros and Cons


Around 3 months ago I moved JIRA 3.11 from a self-managed Windows Server to a Linux server managed by Contegix, who are Atlassian's server partner, based in the US.

The reason for the switch was that JIRA’s server maintenance was taking up too much of my time.  I am not a server admin and was doing everything by ear, so it was time consuming and frustrating.  In addition to that, we had some problems on JIRA that seemed to be caused by the server setup, such as email alerts not sending properly and faulty database indexing.

So it seemed sensible to outsource this job, and I signed a contract with Contegix.  Preparing for the move was quite time-consuming, with all our plugins in particular causing a nightmare; however, when the day came it actually migrated fairly well.  We had some problems with 5 GB of attachment zips breaking and having to be resent (so attachments were not available at first).  Some encoding problems also came about due to our Japanese version of JIRA; thankfully Atlassian made a patch for us to fix it (big thanks again).

As part of this blog, I thought it would be interesting for some readers to get an honest appraisal of the pros/cons moving to Contegix.

The Pros

  • Super fast service – Contegix always reply within a minute or so and usually have the job done shortly afterwards.
  • I can leave server admin to the experts. I do not have to worry about firefighting: if something happens I can just shoot off an email to Contegix and I know they will have it fixed shortly. Security is probably better too.
  • It gives me someone to blame if something goes wrong. If a problem occurs, I can shout at someone else instead of myself. If an unfixable problem occurs, I can tell my colleagues (honestly) that it is Atlassian or Contegix’s fault as my own responsibility is now minimal.
  • Cost is reasonable – in our case the cost was the same as for our non-managed existing server.
  • JIRA can be upgraded very easily: I can just ask them to make a test instance and, once it is running, ask them to shift everything over to the new version.

The Cons

  • Concurrent issues are difficult to manage. Contegix has many support staff, which may be good in some situations; however, for me it was a negative thing because I had 4-5 different people working on related issues for me at the same time, and it didn't seem to be so well coordinated on the Contegix side. I often had to re-explain things to people or point them to related issues led by their colleagues. This was only an issue during the server move phase; once that was completed it has been rare for me to contact Contegix, so this problem is unlikely to arise again.
  • Some issues do not get resolved without follow-up. I found that if I put multiple related requests into one email, I would end up with a random result where half of them got done and the other half didn't. This was more likely to happen when some of the issues needed further info to resolve, so the thread of the issue got muddled.
  • Contegix themselves do not use JIRA to manage issues/support. This one surprised me a great deal. If they used JIRA, none of the problems above would have happened, as I could have managed the issues using JIRA's subtasks.
  • Contegix's support engineers' knowledge of JIRA was less than I expected. They can easily handle common requests like running over HTTPS, behind Apache, etc., but some of the trickier ones like changing JIRA logging seemed to be new to them. I was a little surprised by this, but I guess they have many engineers and experience varies.

In conclusion, I have no regrets about moving to Contegix.  Since the move, I have not had to contact them at all, as it has been running completely smoothly.  We also made a contract to add another server for another (non-Atlassian) web application that we needed.  However, I think they ought to start using JIRA if they are serious about being Atlassian's long-term server partner: this would make issue management easier for customers, increase their own engineers' knowledge of the product, and show a bit of faith in Atlassian's product.

How to monitor outgoing JIRA mail

Problem Background

Over the past few years, I have noticed that sometimes I do not receive an email notification from my (locally installed) JIRA.  Other users have reported the problem too, and I would estimate it happens maybe 1 in 50 times.

At this moment I am not sure whether the emails are being deleted by some spam filter (seems unlikely, as most of the time they are received OK), or whether it is some SMTP/server setting problem, or some problem with JIRA.  I have tried looking in the mail logs; however, the information recorded by my server (Win2003/IIS) is quite minimal.  The JIRA log also contains no errors or useful info to track down the problem (JIRA offers no function to copy all outgoing mail to an admin address, log all outgoing mail, etc.).

So I tried to find a way to fully log all outgoing JIRA mail, so that next time it happens I can find the root of the problem.


I tried several programs, but the best solution for me was MailMonitor; it is quite reasonable at 50 euros and it works great.

This software logs all outgoing mail to screen and to file, so you can easily see an archive of all email contents including subject and body.  It operates at the SMTP server level, so it records all mail going from your server, not just from JIRA (incoming mail can also be logged).

The settings were a bit tricky to understand, but with trial and error I managed to get it to record only outgoing mail, including the body, to file.

I regularly restart my server, so it was necessary to force the program to run and start monitoring at boot; this can be done with a Windows Scheduled Task that runs "mailmonitor.exe -s".

Update (Jan 25 2010)

This mail problem was reported to me again this morning.  I looked in the MailMonitor log and sure enough there is no record of the email being sent.  I am sure there is a problem with JIRA or my setup.  I am going to turn on mail debugging and see if this helps next time.

Importing JIRA data to Google Apps

Executive Summary

If you are unhappy with the way that data is displayed in the JIRA issue navigator, or when exported to Excel, you might want to try using Google Apps to display the data.

Then, you can do fancy formatting such as:

  • setting font size
  • setting font color
  • conditional formatting
  • setting column widths, etc.

…to display the data more nicely.  You simply set up a search filter in JIRA, then import the XML feed into a Google Spreadsheet.

What does it look like?

You will be able to access your nicely displayed data using a URL such as:

Your Google spreadsheet  will look something like this:


How do I do it?

JIRA side

1) Set up your JIRA search filter for the data you want to display.  You don't need to worry about the navigator columns, as all the data will be present in the XML feed.

2) Make sure JIRA allows data to be exported as XML (this can be set in the JIRA administration section).  If you can see an 'XML' link above your issue navigator, then you are good to go.

3) Copy the XML URL.  Example:

Google Apps Side

4) Open a Google Apps account and create a new spreadsheet.

5) Use the importXML function to fetch your JIRA data.  Example:


  • Change the blue section with your XML feed that you copied in step 3.
  • Change the red section with your JIRA login details (see limitations and problems section below for an important warning!)
  • Change the green section with the correct XPath expression to fetch the selected data value from your XML.  (You can fetch any data in the XML feed: issue key, summary, even dates and custom fields.)

6) It will now fetch the data and display like this:


Note: it is colorful because I applied conditional formatting to the column already.

7) Continue adding all the desired columns and formatting, using XPath to fetch the data.

Note that custom fields are tricky; to fetch one, use this XPath expression:


8) Once your spreadsheet is complete, click the 'Share' button at the top right and then 'Publish as web page'.  You can then get a URL for a static, non-editable HTML version of the spreadsheet:


PDF, Atom, CSV and other file formats are also available in addition to HTML.

9) You can now give the URL for the HTML version to your colleague to let them see the data in a nicely formatted, read only, easy to print way.

Limitations and Problems

1) A huge problem was that the source data (the importXML formulas) is shown automatically at the bottom of the published HTML page.  This matters because the XML feed URL in those formulas contains your JIRA login details, so anyone who can view the published page can read them.


I could not figure how to turn this off in Google Apps, but I thought of two ways around it:

a) Create a dedicated account with minimal permissions for the feed (read-only, and able to see only the issues in the published filter), so that if someone sees the login and realises it can be used to log in to JIRA, they can only do limited damage.

b) Use a kind of proxy URL that fetches the XML for search filter 10024 on the spreadsheet's behalf, so that the login details never appear in the formula.

2) Google currently only allows 50 importXML statements.  I’m not sure how this is calculated (my sheet only had about 20 when I hit the limit), however it meant I was only able to import about 20 columns and 300 rows.  There may be ways around this by using another spreadsheet(s) to import the data, then a master one that combines the data from these sheets.

3) Google automatically converted some of my data to Date format.

e.g. Cell value “3/4, 1” gets converted to “3/4/2001” automatically.

In Excel you can set the cell format (text, decimal, date format, etc.) easily, but I couldn't see how to do this in Google Apps.  Probably you have to wrap a function around the data to convert it to a specific format (or turn off auto-formatting).
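To make steps 5 to 7 and limitation 1 concrete offline, here is an added Python example (not the spreadsheet formulas from the post, which are not reproduced here).  It parses a constructed feed laid out like JIRA's RSS-style XML search feed, pulls the same values an importXML column would (issue key, summary, status, reporter, and a custom field located by its name rather than by tag), and strips the login parameters from a feed URL before it is shared.  The feed structure, the custom field name "Document Link", the example URL and the parameter names os_username/os_password are assumptions; also note that importXML takes full XPath, while ElementTree only supports a subset, so the paths below are the simple equivalents.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample in the shape of JIRA's RSS-style XML search feed (structure assumed).
FEED_XML = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="0.92">
<channel>
<title>Document Library: Manuals / English / A-G</title>
<item>
  <title>[DOC-12] Installation manual</title>
  <key id="10012">DOC-12</key>
  <summary>Installation manual</summary>
  <status id="1">Open</status>
  <reporter username="bobsmith">Bobby Smith</reporter>
  <customfields>
    <customfield id="customfield_10010">
      <customfieldname>Document Link</customfieldname>
      <customfieldvalues><customfieldvalue>[^install-manual.pdf]</customfieldvalue></customfieldvalues>
    </customfield>
  </customfields>
</item>
<item>
  <title>[DOC-13] Service manual</title>
  <key id="10013">DOC-13</key>
  <summary>Service manual</summary>
  <status id="6">Closed</status>
  <reporter username="alice">Alice Jones</reporter>
  <customfields/>
</item>
</channel>
</rss>
"""


def custom_field_value(item, field_name):
    """Custom fields are addressed by name, not by tag, so walk them instead of using a fixed path."""
    for cf in item.findall("./customfields/customfield"):
        if cf.findtext("customfieldname") == field_name:
            return cf.findtext("./customfieldvalues/customfieldvalue", default="")
    return ""


def issue_rows(xml_text, field_name):
    """Return one dict per issue, mirroring the columns an importXML sheet would build."""
    root = ET.fromstring(xml_text)
    rows = []
    for item in root.findall("./channel/item"):  # the importXML equivalent is //item
        reporter = item.find("reporter")
        rows.append({
            "key": item.findtext("key"),
            "summary": item.findtext("summary"),
            "status": item.findtext("status"),
            "reporter": reporter.get("username") if reporter is not None else "",
            field_name: custom_field_value(item, field_name),
        })
    return rows


# Assumed JIRA credential query parameters; never let these reach a published sheet.
CREDENTIAL_PARAMS = {"os_username", "os_password"}


def redact_feed_url(url):
    """Strip credential parameters from a feed URL before it is shared or published."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in CREDENTIAL_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


if __name__ == "__main__":
    for row in issue_rows(FEED_XML, "Document Link"):
        print(row)
    print(redact_feed_url("https://jira.example.com/sr/jira.issueviews:searchrequest-xml/10024/"
                          "SearchRequest-10024.xml?tempMax=1000&os_username=feedbot&os_password=secret"))
```

Running the same redaction over any formula before you publish a sheet is the quickest way to spot a credential that would otherwise end up in the "source data" footer.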


Microsoft Excel from version 2003 up can also import data from an XML feed; however, I was unable to import the live XML feed due to a digital certificate problem that I was unable to resolve.  I also tried importing the XML from a local file, but then the data was displayed illogically and I couldn't easily figure out how to reformat it.  Google Apps, however, uses XPath, which is much easier to use.


Hope you found this post useful.  If you can solve any of the problems I encountered above, I would love to hear your comment!

User Activity Statistics

The Challenge

As a JIRA Administrator, you probably have to report to your superiors about usage activity from time to time.  Is the system being used?  How often?  Who are the heavy users?  Who needs a kick up the backside to use the system?

So we need a way to show a list of users, along with the number of issues they have created and commented on.

It is possible to use a built in JIRA portlet to show the number of issues created by each user:

To do this, simply create a search filter showing issues created in the last 30 days, then add a new portlet to your dashboard of type 'filter statistics' and tell it to show this search filter along with the Reporter of each issue.

However, this is not so useful because, in a helpdesk scenario for example, some users never create issues but always answer them.  So we also need some way to show the number of comments created by each user.  Unfortunately, JIRA doesn't offer anything out of the box.

The Solution

I asked Atlassian Support about this, and as usual they got back to me pretty quickly (within 90 minutes) with a suggestion to query the database directly.  Using the sample code they supplied, I was able to show a list of all usernames along with the number of times each had created a comment:


MySQL Code required

To show all users and the number of comments each has made:

SELECT author, COUNT(author) AS comments FROM jiraaction j GROUP BY author ORDER BY author ASC;

To show all users and the number of comments since a given date (the date is hardcoded here; for "this month", use the first day of the current month):

SELECT author, COUNT(author) AS comments FROM jiraaction j WHERE updated > '2009-01-01 00:00:00' GROUP BY author ORDER BY author ASC;

Obviously you can adjust the ORDER BY to sort by the highest number of comments rather than by author name, etc.  One check worth making: jiraaction has an actiontype column, and it can hold more than comments (older versions stored work logs there too), so if the counts look inflated add a WHERE actiontype = 'comment' condition.
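The same report run end to end against an in-memory SQLite copy of the table, as an added example (not Atlassian's sample code): constructed jiraaction rows, the per-author count ordered by most comments first, an optional "since" cut-off computed from the current month instead of a hardcoded date, and the actiontype filter so that a work-log row is not counted as a comment.  The column set is a reduced assumption of the real table, and the sample authors and timestamps are constructed.

```python
import sqlite3
from datetime import date

# Constructed rows shaped like JIRA's jiraaction table (reduced column set; real table has more).
SAMPLE_ACTIONS = [
    ("bobsmith", "comment", "2009-01-05 10:00:00"),
    ("bobsmith", "comment", "2009-01-20 11:30:00"),
    ("alice", "comment", "2008-12-28 09:00:00"),
    ("alice", "comment", "2009-01-02 08:15:00"),
    ("alice", "worklog", "2009-01-03 08:15:00"),  # not a comment: must not be counted
    ("carol", "comment", "2009-01-15 16:45:00"),
    ("carol", "comment", "2009-01-16 16:45:00"),
    ("carol", "comment", "2009-01-17 16:45:00"),
]


def build_db():
    """Create an in-memory stand-in for the jiraaction table loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE jiraaction (id INTEGER PRIMARY KEY, author TEXT, actiontype TEXT, updated TEXT)"
    )
    conn.executemany(
        "INSERT INTO jiraaction (author, actiontype, updated) VALUES (?, ?, ?)", SAMPLE_ACTIONS
    )
    return conn


def first_of_month(today=None):
    """Cut-off for a 'this month' report, in the same text format the updated column uses."""
    today = today or date.today()
    return today.replace(day=1).strftime("%Y-%m-%d 00:00:00")


def comment_counts(conn, since=None):
    """Comments per author, heaviest commenters first; 'since' limits to rows updated on/after it."""
    sql = "SELECT author, COUNT(*) AS comments FROM jiraaction WHERE actiontype = 'comment'"
    params = []
    if since is not None:
        sql += " AND updated >= ?"          # parameterised, never string-formatted into the SQL
        params.append(since)
    sql += " GROUP BY author ORDER BY comments DESC, author ASC"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("all time:", comment_counts(db))
    print("since", first_of_month(date(2009, 1, 25)), ":", comment_counts(db, first_of_month(date(2009, 1, 25))))
```

The same SQL runs unchanged on MySQL; only the date helper is Python, and a read-only database account is enough for this kind of reporting query.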

Using JIRA as a Document Library


One of the most effective ways I am using JIRA is…as a document library!

Most readers will now be thinking: "Eh? Why don't you use Confluence to manage your documents?"  Well, the answer is that my company's employees are not IT-friendly, and are therefore definitely not ready for a wiki.  And when making a new intranet site, I didn't want to confuse people by having two systems.  So I decided to pick the most convenient system for our needs, which was JIRA, and try to somehow hack it to also act as a document library.  It was tough, but I managed it.

This Document Library is easily the most popular feature on our JIRA, and it is definitely the ‘killer app’ that got everyone using the system.  All our employees need access to these documents, so by moving them all to JIRA we could force them all to use it and thus encourage them to use the various collaboration projects we have.

How it works

Here is a screenshot of our ‘Document Library’ dashboard page:


Here is a close up of one of the tables on the dashboard above:


As you can see, each table contains many hyperlinks, a bit like Craigslist.  You can do this with the 'Text Portlet' (it must be turned on in Administration->Plugins) from JIRA 3.12+; pre-3.12 you can use the Improved HTML plugin.  Then you can use HTML to create the tables and hyperlinks.  (By the way, this feature is amazing and I use it for many other things, especially for showing iframes of custom-made PHP pages to support the intranet.  Because it accepts raw HTML and scripts, do not let ordinary users edit it: anything they put in the portlet runs in the browser of everyone who views that dashboard, which is a stored cross-site scripting risk.  Keep it to administrators.)

When you click on one of the hyperlinks, for example “Manuals / English / A-G”, the following issue navigator page is shown:

The cool thing here is that there is a 'Hyperlink' to each document displayed right here, so you don't have to open each issue to download the attachment.  You can achieve this in one of two ways:

  1. Set up a custom field of 'URL' type, and just insert a direct hyperlink to the file (hosted on your JIRA or on an external website).
  2. Set up a custom field of 'single line text' type, and in the Field Configuration options set the Renderer to Wiki.  You can then use wiki markup to put a hyperlink to a file attached to the JIRA issue; the markup looks like this: [^filename.pdf].  Genius or what?  An added bonus is that you can keep updating the file (filename.pdf), and so long as you do not change the filename you never have to update the wiki custom field, because it will automatically link to the latest version of filename.pdf.

As you can see, we also use the Status field to indicate whether the document is active or not.  We also keep an archive of old versions of the document inside the issue.  And of course the document can be discussed inside the issue, or linked to from other JIRA projects.

Notice also that we show a 'new/updated documents' filter on the dashboard.  This is nice to show people that we are actively updating things, and for them to stumble upon documents they may be interested in.  Of course they could make search filters for updated documents in their language and subscribe to the filter in order to get email notifications; however, they are not IT-savvy enough to do it.  But the feature is there waiting for them once they get more used to JIRA.


So that is basically it.  Sorry it is not a step-by-step guide, but I think this should be enough to guide you to do a similar thing.  Of course, it takes a long time to set up all the search filters that will be linked to by your HTML tables, but once done it is done forever.  Maybe someone knows a good way to quickly set up hundreds of similar filters, but I used temp staff to do it.  If you set up the columns you want, then you can use 'save as' to carry those columns across to the next search filter.