Thinking about implementing my own SSO authentication plugin, I found the paid plugin for SAML SSO support, which (due to missing support for encrypted requests / callbacks) is not applicable to me.
According to the common Seraph documentation, any SSO authentication module has to be configured on the server side, see https://docs.atlassian.com/atlassian-seraph/latest/sso.html or https://confluence.atlassian.com/x/iIP6D
The interesting part:
In the documentation of the paid plugin, it reads as if it is able to define a login-redirect URL by some magic in the plugin code only, without any need for server / installation manipulation on install:
https://resolution.atlassian.net/wiki/x/BIDh
If "redirect login requests" is activated in the plugin configuration page, Confluence/JIRA redirects the user to the servlet at https://<baseurl>/plugins/servlet/samlsso.
Otherwise, the servlet URL has to be called explicitly to perform SSO.
tl;dr: can I, and if yes how, define a login redirect to a custom login / SSO URL from within plugin code when a user accesses any restricted content?
(Yes, I'm aware of the question https://answers.atlassian.com/questions/30949900, but this only clarifies how to force the redirect if a user accesses plugin assets without authorization; it doesn't answer how to define the redirect URL "dynamically".)
I am getting a compilation error while using your suggestion.
Importing SecSignIDConstants is not working. What do I need to add in pom.xml?
@Subhajit Bhuiya Sorry, but of course you are getting compile errors, because this is just an example out of our class, so there are dependencies which cannot be resolved.
The example shall just show how to realise a redirect, and the redirect is:
if (...) {
    httpServletResp.sendRedirect("http://some-url");
}
To check the condition, the example is implemented in a servlet filter, which must be declared in the atlassian-plugin.xml.
What we did in our SecSign ID plugin: we added the filter to filter every URL, I mean every single request, as you can see in the snippet for the atlassian-plugin.xml.
Then in your Java class you can override the doFilter method:
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
        throws IOException, ServletException {
    ...
}
Depending on what you have defined in your atlassian-plugin.xml, this will be called on every single request.
Then we check whether the request is a login page and whether a user is logged in:
//
// check whether a user is logged in or not
//
Object appUserObject = session.getAttribute(DefaultAuthenticator.LOGGED_IN_KEY);
UserProfile userProfile = null;
if (appUserObject == null) {
    userProfile = userManager.getRemoteUser(httpServletReq);
}
if (appUserObject != null || userProfile != null) {
    // ... a user is logged in
}
There are other possibilities, like filtering the response first and then parsing the response to see if there is a login form. But I am not sure if you can send a redirect when calling
filterChain.doFilter(request, response);
first. So we decided to filter/check the URL in our 2FA add-ons.
You can create a servlet filter in your atlassian-plugin.xml which then checks whether a user needs to log in.
In this case you can just redirect the requested URL to any URL you like. Doing so, you can implement a servlet which serves the URL you redirect to.
For example, the implemented redirect:
This is a snippet from my atlassian-plugin.xml:
<servlet-filter name="SecSignIDAuthenticationFilter"
                key="com.secsign.jira.servlet.filter.SecSignIDAuthenticationFilter"
                class="com.secsign.jira.servlet.filter.SecSignIDAuthenticationFilter"
                location="before-login" weight="200">
    <description>SecSign ID Filter</description>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</servlet-filter>
and the implementation of the servlet filter:
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
        throws IOException, ServletException {
    HttpServletRequest httpServletReq = (HttpServletRequest) request;
    String requestUri = httpServletReq.getRequestURI();
    if (requestUri.contains(SecSignIDConstants.JIRA_DASHBOARD_JSP_PATH)) {
        HttpServletResponse httpServletResp = (HttpServletResponse) response;
        HttpSession session = httpServletReq.getSession();

        //
        // check whether a user is logged in or not
        //
        Object appUserObject = session.getAttribute(DefaultAuthenticator.LOGGED_IN_KEY);
        UserProfile userProfile = null;
        if (appUserObject == null) {
            userProfile = userManager.getRemoteUser(httpServletReq);
        }
        if (appUserObject != null || userProfile != null) {
            // a user is already logged in. nothing else to do?
            if (requestUri.contains(SecSignIDConstants.JIRA_LOGIN_JSP_PATH)) {
                httpServletResp.sendRedirect(SecSignIDAuthenticationFilter.getJiraBaseUrl(httpServletReq));
            } else {
                // a user is logged in and the login path was not called explicitly. just finish the filter chain
                filterChain.doFilter(httpServletReq, httpServletResp);
            }
            return;
        }

        //
        // Check whether a login process is currently processed
        //
        if (httpServletReq.getParameter(SecSignIDConstants.JIRA_LOGIN_FORM_SUBMIT_PARAM_NAME) != null
                && httpServletReq.getParameter(SecSignIDConstants.JIRA_LOGIN_USER_PARAM_NAME) != null
                && httpServletReq.getParameter(SecSignIDConstants.JIRA_LOGIN_PWD_PARAM_NAME) != null) {
            // user currently logs in using the default username/password form
            filterChain.doFilter(request, response);
            return;
        }

        // send redirect to our servlet (jiraBaseUrl was not declared in the posted snippet;
        // it is the same base URL the helper above returns)
        String jiraBaseUrl = SecSignIDAuthenticationFilter.getJiraBaseUrl(httpServletReq);
        httpServletResp.sendRedirect(jiraBaseUrl + SecSignIDConstants.SECSIGNID_SERVLET_PATH);
        // redirect was sent. nothing else to do. there is no need to go up the filter chain.
        return;
    }
    // no need for a redirect, just go through the normal filters of the servlet
    filterChain.doFilter(request, response);
}
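A complete filter in the same spirit as the one in this answer and in the comment above, as an added example that is not the SecSign plugin's code or anything posted by the thread's authors. Assumptions: the SSO servlet lives at the samlsso path named in the question, the SKIP_PREFIXES list is made up for this example, and Java 10+ is available for URLEncoder.encode(String, Charset); DefaultAuthenticator.LOGGED_IN_KEY and the os_username/os_password/os_destination parameters are Seraph's own. Besides the redirect itself it shows the two checks a reviewer would ask for: not redirecting the SSO servlet and its assets (loop), and only echoing a local path back as the post-login destination (open redirect).

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.*;
import com.atlassian.seraph.auth.DefaultAuthenticator;
// Added example, not SecSign's or Atlassian's code. Declared in atlassian-plugin.xml like
// the snippet above (location="before-login", url-pattern "/*").
public class SsoRedirectFilter implements Filter {
    // Servlet path from the question. SKIP_PREFIXES is an assumption for this example:
    // the SSO servlet itself, REST and static assets must never be redirected, or the
    // browser loops before the SSO page can log the user in.
    static final String SSO_PATH = "/plugins/servlet/samlsso";
    static final List<String> SKIP_PREFIXES =
            Arrays.asList(SSO_PATH, "/rest/", "/s/", "/images/", "/download/");

    // Pure decision, testable without a container: redirect path relative to the
    // context root, or null to let the request continue down the filter chain.
    static String redirectTarget(String relPath, boolean loggedIn, boolean passwordFormPost) {
        if (loggedIn || passwordFormPost) return null;
        for (String p : SKIP_PREFIXES) if (relPath.startsWith(p)) return null;
        // Only a local absolute path is echoed back as Seraph's os_destination;
        // "//evil.example" or "/\evil.example" would turn into an open redirect after login.
        String dest = isSafeLocalPath(relPath) ? relPath : "/";
        return SSO_PATH + "?os_destination=" + URLEncoder.encode(dest, StandardCharsets.UTF_8);
    }

    static boolean isSafeLocalPath(String p) {
        return p.startsWith("/") && !p.startsWith("//") && !p.startsWith("/\\");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpSession s = r.getSession(false);
        boolean loggedIn = s != null && s.getAttribute(DefaultAuthenticator.LOGGED_IN_KEY) != null;
        // Seraph's own username/password POST passes through, so a local admin login still works.
        boolean formPost = "POST".equals(r.getMethod())
                && r.getParameter("os_username") != null && r.getParameter("os_password") != null;
        String rel = r.getRequestURI().substring(r.getContextPath().length());
        String target = redirectTarget(rel, loggedIn, formPost);
        if (target == null) { chain.doFilter(req, res); return; }
        ((HttpServletResponse) res).sendRedirect(r.getContextPath() + target);
    }
    @Override public void init(FilterConfig c) {}
    @Override public void destroy() {}
}
```

Only the request path is carried over as os_destination; if the original query string matters to you, validate and append it the same way rather than copying it verbatim.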
Hello everyone,
I am facing the exact same problem with integrating Jira with OAuth 2.0. Do you mind posting the rest of your class, please? It would be very helpful here, thank you!
I don't know specifically about SSO (if you do find out, please share!). How about using a servlet filter to protect your assets and redirect to some xxx URL if the requirements are not met?