Question

For a few days I've been trying to enable SSO for Jira 5.2 and figured out that the help page from Jira is outdated.

Each example uses an old version of atlassian-seraph (Jira 5.2 uses 2.6.0).

Goal: I want to get automatically logged in to Jira if I'm logged in to Webseal (reverse proxy).

Background:

sequence diagram

  • Jira is behind a reverse proxy (see picture).
  • This proxy authenticates the user and holds the session.
  • If I'm logged in, I want to be logged in to Jira, too
  • The only information provided is the user name

Question:

How do I write a custom login module that reads the username from the HTTP header and authenticates the user?

Links:


Solution

In the end I figured it out by myself:

  1. You need a custom authenticator

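    package com.company.jira;
    
    import java.security.Principal;
    
    import com.atlassian.crowd.embedded.api.CrowdService;
    import com.atlassian.jira.ComponentManager;
    import com.atlassian.seraph.auth.AuthenticatorException;
    import com.atlassian.seraph.auth.DefaultAuthenticator;
    
    public class MyCustomAuthenticator extends DefaultAuthenticator {
    
      // No password check: the reverse proxy has already authenticated the user.
      protected boolean authenticate(Principal user, String password)
        throws AuthenticatorException {
        return true;
      }
    
      // Look up the user named in the proxy header in Jira's user directory.
      protected Principal getUser(String username) {
        return getCrowdService().getUser(username);
      }
    
      private CrowdService getCrowdService() {
        return (CrowdService)ComponentManager.getComponent(CrowdService.class);
      }
    }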
    
  2. Add the MyCustomAuthenticator to seraph-config.xml

    <authenticator class="com.company.jira.MyCustomAuthenticator"/>
    
  3. Write a Custom Filter to set the user name from http-header

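    package com.company.jira;
    
    import javax.servlet.http.HttpServletRequest;
    
    import com.atlassian.seraph.filter.PasswordBasedLoginFilter;
    
    public class CustomFilter extends PasswordBasedLoginFilter {
    
        @Override
        protected UserPasswordPair extractUserPasswordPair(
            HttpServletRequest request) {
            // User name set by the reverse proxy after it authenticated the user.
            String username = request.getHeader("iv-header");
    
            if (username != null && username.trim().length() != 0) {
                // The password is a placeholder; MyCustomAuthenticator ignores it.
                return new PasswordBasedLoginFilter.UserPasswordPair(
                    username, "DUMMY", false);
            }
            // No header: no credentials to extract.
            return null;
        }
    }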
    

  4. Replace the filter within the web.xml

    <filter>
      <filter-name>login</filter-name>
      <filter-class>com.company.jira.CustomFilter</filter-class>
    </filter>
    

These JARs are needed for Jira 5.2:

  • embedded-crowd-api-2.6.2
  • jira-core-5.2.1
  • atlassian-seraph-2.6.0

OTHER TIPS

I am not familiar with Jira authentication, but I do understand SiteMinder/WebSeal authentication well.

Both systems authenticate the user and send the user name in an HTTP header. The name of the HTTP header can be configured. Also, they can send additional user properties, like the user email, in additional HTTP headers. To authenticate a user behind SiteMinder/WebSeal, it is just required to take the HTTP header and create an application session using the user name from the header.

You definitely can solve it in Jira. You have 2 options:

  1. Use the already created SiteMinder authenticator: https://confluence.atlassian.com/display/DEV/SiteMinder+Custom+Seraph+Authenticator+for+Confluence The problem is that I did not find how to configure the HTTP header name for the user name header. It assumes that the header name is uid. You need to configure the header uid in WebSeal or try to obtain the sources and make the header name configurable.
  2. Implement your own authenticator according to your link: http://docs.atlassian.com/atlassian-seraph/latest/sso.html Obtain the user name using the code httpServletRequest.getHeader(userNameHeaderName);
Licensed under: CC-BY-SA with attribution