Get calling application name from within custom Crowd directory

Keiran Vaughan December 8, 2013
This might be obvious, but I'm trying to figure out how to get the name of the calling application from within custom directory code in Crowd. Basically I want to perform specific checks if the app calling Crowd was Apache using the connector, and something else if it was Stash or Jira etc. Is this possible?

0 votes
Answer accepted
Caspar Krieger
Atlassian Team
December 10, 2013

By design, Directory implementations don't know about which application is using them. That particular information is "aggregated away" in ApplicationServiceGeneric. This is because one directory can be reused across multiple different applications (because it can be mapped to multiple different apps).

From a maintenance point of view, hard coding specific functionality for different applications is not a great idea (is there a reason why you're doing this? Ask another question), but if you insist on going down this dark path then you can hack it by having a different directory implementation for each application you're concerned about, and then mapping the apps to your custom directories as required. But again, this is not the intended or recommended way to write custom directories for Crowd.

Keiran Vaughan December 10, 2013

Yeah I figured that might be the case. Basically I was trialling a setup where I had a single gateway using Apache with the following setup:

  1. rewrite 80 to 443
  2. SSLVerify the client certificate and use +FakeBasicAuth to do as it suggests
  3. Use the Crowd connector to authenticate the user's DN from the cert against a Crowd instance with SSO enabled (to set cookie header)
  4. proxy request to /stash to Stash and /jira to Jira on separate hosts
  5. Stash and Jira both have SSO enabled and point to the same Crowd

The idea is that Apache can do the certificate auth bit and authenticate users against Crowd, so that by the time they reach e.g. the Stash host they are already signed in with no login required.

The problem I was getting is that currently my custom Crowd connector simply authenticates you using only your username because it doesn't get a password from Apache (it does, but it's +FakeBasicAuth's 'password'), so it works OK via the trusted Apache, but if a user ever gets the Stash login screen they can just choose a login ID and log in as anyone else, which is bad.

There are a few options I wanted to explore, but I was hoping I could have the custom directory in Crowd allow DN logins without a password for Apache, but every other app requires a password, which I would simply generate as a random hash.

I have since read an Atlassian blog about your architecture for Atlassian ID, which is interesting, so I've decided to try a different approach using a custom interceptor webapp to handle the authenticating using the Crowd API, which would sit behind Apache and skip the Apache connector altogether.

Cheers
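
The gateway layout listed in steps 1 to 5 of the comment above, sketched as an Apache configuration. This is an added example, not the poster's own configuration: host names, ports, file paths and the Crowd application name are placeholders, and the `Crowd*` directives are those of the Crowd Apache connector (mod_authnz_crowd).

```apache
# Step 1: send all plain-HTTP traffic to the TLS virtual host.
<VirtualHost *:80>
    ServerName gateway.example.com
    RewriteEngine On
    RewriteRule ^/?(.*)$ https://gateway.example.com/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName gateway.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/gateway/server.crt    # placeholder path
    SSLCertificateKeyFile /etc/pki/gateway/server.key    # placeholder path
    SSLCACertificateFile  /etc/pki/gateway/client-ca.crt # CA that issues client certs

    # Step 2: require a client certificate and turn it into a Basic auth identity.
    # With +FakeBasicAuth the user name is the certificate subject DN and the
    # password is always the fixed string "password", so the password proves nothing.
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLOptions      +FakeBasicAuth

    <Location />
        # Step 3: hand the DN to Crowd through the connector and create an SSO token.
        AuthType          Basic
        AuthName          "Gateway"
        AuthBasicProvider crowd
        CrowdAppName      apache-gateway            # placeholder application name
        CrowdAppPassword  CHANGE_ME                 # placeholder secret
        CrowdURL          https://crowd.internal.example/crowd/
        CrowdCreateSSO    On
        Require           valid-user
    </Location>

    # Step 4: proxy each context path to its own back-end host.
    ProxyPass        /stash http://stash.internal.example:7990/stash
    ProxyPassReverse /stash http://stash.internal.example:7990/stash
    ProxyPass        /jira  http://jira.internal.example:8080/jira
    ProxyPassReverse /jira  http://jira.internal.example:8080/jira

    # Step 5 is configured in Stash and Jira themselves (SSO against the same Crowd).
    # The Crowd directory behind "apache-gateway" accepts a DN without a real
    # password. If that same directory is also mapped to Stash or Jira, their login
    # forms accept any user name, which is the impersonation problem described above.
    # Mapping only the gateway application to that directory, as the answer suggests,
    # keeps the password-less path limited to requests that presented a certificate.
</VirtualHost>
```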
