/api/index.htm access

domespecialist
New Contributor

Hi,

Sorry if this topic has arisen before. I did a search but couldn't find anything matching the questions I have.

We have recently had a penetration test of our JSS, which uncovered the JSS "https://jss.example.com/api/index.htm" URL.

It looks like any authenticated user can navigate to this URL which then lets them view things such as all the JSS users, privileges and password hashes amongst others.
The concern I have is that a determined standard JSS user could potentially take admin password hashes and reverse engineer them to gain privilege escalation. Are the passwords created by the JSS salted?

Also, is there anything within the JSS/Tomcat config that I can do to disable access to this URL?
I suppose our business could implement a block via firewall/proxy configuration, but as I don't manage this across our estate I need to know what options I have available.

Many thanks,
Danny


davidacland
Honored Contributor II

That's pretty worrying. I've always logged in to the JSS to access that page, I never thought to try it without a login. I got straight into two test systems on 9.4 and 9.72 and could read full computer records.

Definitely need to block this URL somehow. Not sure if you could work around it with an htaccess file in the webappname/api folder, just in case. Might need to test it to make sure other things don't break though.

chriscollins
Valued Contributor

Check the account you are actually logging in as because yes, you can hit that URL unauthenticated, but all you see is the API documentation/examples. The moment you try to click one of the "try it out" buttons, etc., to actually test it and query the API, it will ask you for authentication. If you use an account that DOESN'T have API access rights in the JSS it won't give you any information back.

davidacland
Honored Contributor II

@chriscollins I just tested it, not logged in to the JSS, went to the URL, read a full computer record with no authentication prompts.

tron_jones
Release Candidate Programs Tester

A simple workaround would be to add a . (period) in front of the index html to make it non-accessible.

Linux:

sudo mv /path/to/JSS/Tomcat/webapps/ROOT/api /path/to/JSS/Tomcat/webapps/ROOT/.api/

Windows or Mac:

/path/to/JSS/Tomcat/webapps/ROOT/api/.index

Notice the period (.) in front of api for Linux and the . in front of index for Windows and Mac. Or you could just remove the index.htm from the path.

That is just a workaround and not really a fix.

On a side note, I just tested our api site and everything is working as expected. Prompts for user/password if any action is attempted.

chriscollins
Valued Contributor

@davidacland I just tested it and am seeing the complete opposite behavior. I have to authenticate as an API-privileged user or else I can't get any information back. I have always seen this behavior as well, so not sure what the deal is.

davidacland
Honored Contributor II

@chriscollins I'm going to test it on another Mac I've never logged into before, as it's quite likely something is cached on my machine!

davidacland
Honored Contributor II

@chriscollins All is well on another Mac, I was prompted to authenticate and no details come through if I cancel it. Logging out of the JSS in Safari must not be enough.

Thanks, I can relax now!

chriscollins
Valued Contributor

@davidacland ah yeah David, I am 99% sure that the reason why logging out of the JSS from the admin page doesn't work is because the /api/ area has its own authentication session separate from the admin console (much like how /enroll has a different one than the admin interface). You will notice that if you log into the JSS, then go to the /api URL and try to run a query, it will ask you to authenticate again (assuming you haven't logged into it yet, obviously). When you log out of the JSS admin interface, it doesn't log you out of the /api session. Since there is no logout button that I can see on that API page, the only way to get that session to close out is to close down the browser completely.

Just thought it might be good info for others to know that if they did log into that section and logged out of the admin console, that wouldn't stop somebody from navigating to that /api URL on their machine and having full access to that API page.

Jookyseacap
New Contributor III

If desired, the API page can be disabled as well so that it does not show when a user hits that site. There is a line that can be added to the web.xml file on the Tomcat server that disables the page. Mike Paul describes the process here:

https://jamfnation.jamfsoftware.com/featureRequest.html?id=2853
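As an added example (not the exact line from the linked feature request, and not Jamf's own configuration), the standard servlet-spec way to deny everyone access to one path in Tomcat is a security-constraint with an empty auth-constraint in the web application's web.xml. This assumes the JSS is deployed as the ROOT web application under /path/to/JSS/Tomcat/webapps, so the file is ROOT/WEB-INF/web.xml:

```xml
<!-- Added example: block only the API documentation page, not the API itself.
     Assumes the JSS is the ROOT web application (ROOT/WEB-INF/web.xml).
     Exact url-patterns are used on purpose so that real API endpoints such as
     /api/computers are not matched and integrations keep working. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>JSS API documentation page</web-resource-name>
    <!-- Direct request for the page -->
    <url-pattern>/api/index.htm</url-pattern>
    <!-- Directory request that Tomcat would otherwise answer with the welcome file -->
    <url-pattern>/api/</url-pattern>
  </web-resource-collection>
  <!-- An empty auth-constraint grants the resource to no role at all,
       so Tomcat returns 403 to every requester, logged in or not. -->
  <auth-constraint/>
</security-constraint>
```

After restarting Tomcat, an unauthenticated request to https://jss.example.com/api/index.htm should return 403 while the API endpoints themselves still prompt for credentials as before. Re-check the file after any JSS upgrade, since the installer redeploys the web application.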