According to this REST page:
https://developer.atlassian.com/display/BAMBOODEV/Using+the+Bamboo+REST+APIs

You should be able to login to REST via a URL request by using the following scheme:
"http://host:8085/rest/api/latest/plan?os_authType=basic&os_username=<user>&os_password=<pw>"

This worked fine for us before we upgraded to 5.4.1. After we upgraded, this request would produce a 403 Unauthorized Access error. We noticed the XSRF setting and tried disabling the protection. After the protection was disabled, the same URL request worked.

Our bamboo instance runs in a private environment so this does not pose any immediate risk to us, but it doesn't appear to be the intended behavior. Is the intention to obsolete the basic URL authorization? If so, the above page should be updated.