Jira 5.2 Seraph SSO Login Behind a Reverse Proxy

For a few days I have been trying to enable SSO for Jira 5.2, and I found out that the help page from Jira is out of date.

In each example, the old version of atlassian-seraph is used (Jira 5.2 uses 2.6.0).

Purpose: I want to automatically log in to Jira if I log in to Webseal (reverse proxy).

Background:

sequence diagram

  • Jira is behind the reverse proxy (see picture).
  • This proxy authenticates the user and holds the session.
  • If I am logged in, I also want to be logged in to Jira.
  • The only information provided is the username.

Question:

How to write a user login module that reads the username from http_header and authenticates the user?

References:

+8
reverse-proxy single-sign-on jira webseal
2 answers

In the end, I figured it out myself:

  • You need a custom authenticator

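    import java.security.Principal;

    import com.atlassian.crowd.embedded.api.CrowdService;
    import com.atlassian.jira.ComponentManager;
    import com.atlassian.seraph.auth.AuthenticatorException;
    import com.atlassian.seraph.auth.DefaultAuthenticator;

    public class MyCustomAuthenticator extends DefaultAuthenticator {

        // No password check: the reverse proxy has already authenticated the user.
        @Override
        protected boolean authenticate(Principal user, String password)
                throws AuthenticatorException {
            return true;
        }

        @Override
        protected Principal getUser(String username) {
            return getCrowdService().getUser(username);
        }

        private CrowdService getCrowdService() {
            return (CrowdService) ComponentManager.getComponent(CrowdService.class);
        }
    }
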
  • Add MyCustomAuthenticator to seraph-config.xml

    <authenticator class="com.company.jira.MyCustomAuthenticator"/>

  • Write a custom filter to set the username from the http header

    import javax.servlet.http.HttpServletRequest;

    import com.atlassian.seraph.filter.PasswordBasedLoginFilter;

    public class CustomFilter extends PasswordBasedLoginFilter {

        @Override
        protected UserPasswordPair extractUserPasswordPair(HttpServletRequest request) {
            // Username set by the reverse proxy; the password is a placeholder.
            String username = request.getHeader("iv-header");
            if (username != null && username.trim().length() != 0) {
                return new PasswordBasedLoginFilter.UserPasswordPair(username, "DUMMY", false);
            }
            return null;
        }
    }

  • Replace the filter in web.xml

    <filter>
        <filter-name>login</filter-name>
        <filter-class>com.company.jira.CustomFilter</filter-class>
    </filter>

These jars are required for Jira 5.2:

  • embedded-crowd-api-2.6.2
  • jira-core-5.2.1
  • atlassian-seraph-2.6.0
+11
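
Because the authenticator above accepts any password, `iv-header` is only meaningful when the request actually arrived from the reverse proxy. The following is an added example, not part of the original answer or of Jira/Seraph, of a check the filter could apply before trusting the header. The class name `ProxyHeaderPolicy`, the address `10.0.0.5` and the username pattern are assumptions; call it from `extractUserPasswordPair` with `request.getRemoteAddr()` and `request.getHeader("iv-header")`.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical helper: decides whether a proxy-supplied username header may be trusted. */
public class ProxyHeaderPolicy {
    // Conservative username character set (assumption; adapt to your user directory).
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9._@-]{1,64}");

    private final Set<String> trustedProxies;

    public ProxyHeaderPolicy(String... proxyAddresses) {
        this.trustedProxies = new HashSet<String>(Arrays.asList(proxyAddresses));
    }

    /**
     * @param remoteAddr  value of request.getRemoteAddr(): the TCP peer, not a forwarded-for header
     * @param headerValue value of request.getHeader("iv-header")
     * @return the username to log in, or null to fall through to the normal login page
     */
    public String trustedUsername(String remoteAddr, String headerValue) {
        if (remoteAddr == null || !trustedProxies.contains(remoteAddr)) {
            return null; // request did not come from the proxy: ignore the header
        }
        if (headerValue == null) {
            return null;
        }
        String username = headerValue.trim();
        return USERNAME.matcher(username).matches() ? username : null;
    }

    public static void main(String[] args) {
        // Constructed sample values; 10.0.0.5 stands in for the WebSEAL host.
        ProxyHeaderPolicy policy = new ProxyHeaderPolicy("10.0.0.5");
        String[][] requests = {
            {"10.0.0.5", "jdoe"},          // relayed by the proxy
            {"10.0.0.77", "admin"},        // connection that bypassed the proxy
            {"10.0.0.5", "   "},           // header present but empty
            {"10.0.0.5", "jdoe\r\nX: y"}   // malformed header value
        };
        for (String[] r : requests) {
            System.out.println(r[0] + " -> " + policy.trustedUsername(r[0], r[1]));
        }
    }
}
```

The address comparison is a plain string match, so list the proxy exactly as the servlet container reports it. Restricting Jira's listener or firewall so that only the proxy can connect achieves the same goal at the network layer.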

I am not familiar with Jira authentication, but I understand SiteMinder / WebSeal authentication well.

Both systems authenticate the user and send the username in an HTTP header. You can customize the name of the HTTP header. In addition, they can send additional user properties, such as the user's email, in additional HTTP headers. To authenticate the user behind SiteMinder / WebSeal, you only need to read the HTTP header and create an application session using the username from the header.

You can definitely solve this in Jira. You have 2 options:

+1