single-sign-onjirareverse-proxywebseal

Jira 5.2 Seraph SSO Login behind reverse proxy


Since a few days I'm trying to enable SSO for Jira 5.2 and figured out, that the help page from Jira is outdated.

Each example uses an old version of atlassian-seraph (Jira 5.2 uses 2.6.0).

Goal: I want to get automatically logged in into Jira if I'm logged in into Webseal (reverse proxy).

Background:

sequence diagram

Question:

How to write a custom login module that reads the username from http_header and authentificates the user?

Links:


Solution

  • In the end i figured it out by myself:

    1. You need a custom authenticator

      public class MyCustomAuthenticator extends DefaultAuthenticator {
      
        protected boolean authenticate(Principal user, String password)
          throws AuthenticatorException {
          return true;
        }
      
        protected Principal getUser(String username) {
         return getCrowdService().getUser(username);
        }
      
        private CrowdService getCrowdService() {
          return (CrowdService)ComponentManager.getComponent(CrowdService.class);
        }
      }
      
    2. Add the MyCustomAuthenticator to seraph-config.xml

      <authenticator class="com.company.jira.MyCustomAuthenticator"/>
      
    3. Write a Custom Filter to set the user name from http-header

      public class CustomFilter extends PasswordBasedLoginFilter {
      
          @Override
          protected UserPasswordPair extractUserPasswordPair(
              HttpServletRequest request) {
              String username = request.getHeader("iv-header");
      
              if (username != null && username.trim().length() != 0) {
                  return new PasswordBasedLoginFilter.UserPasswordPair(
                      username, "DUMMY", false);
              }
              return null;
          }
      }
      

    4. Replace the filter within the web.xml

      <filter>
         <filter-name>login</filter-name>
         <filter-class>com.company.jira.CustomFilter</filter-class>
       </filter>
      

    These jar's are needed for Jira 5.2