How can I have users log into crowd without using the login page?

kieran snapes April 10, 2017

I have Crowd running behind Apache, where Apache is authorising our users based on their certificates.

Is there a way that I can get around the need for a user to login with their username and password as they are already trusted at this point?
I could just pass the user's name from the cert

Would I need to write a plugin to do this? If so, what kind?

TLDR: I want to remove user validation as I already trust my users based on their certs. 

2 answers

1 accepted

1 vote
Answer accepted
Bruno Vincent
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
April 11, 2017

You will actually need to write some code, but it is quite straightforward. Crowd's REST API allows you to authenticate a user without validating the password by setting the validate-password parameter to false when creating a new SSO token.

Please take a look at the REST API reference: https://docs.atlassian.com/atlassian-crowd/latest/REST/#usermanagement/1/session-authenticateUser

Then, all you need to do is add the newly created SSO token to your client's HTTP requests.

kieran snapes April 11, 2017

Thanks!

What kind of plugin do you think would be best suited to implement a call out to the REST API?

I was thinking servlet filter as it allows you to make use of the before-dispatch option.
However, this will be my first plugin to develop so I'm not 100% on where I should start.

Bruno Vincent
Rising Star
April 11, 2017

I do agree with you, this is what servlet filters are made for! But you'll have to add the SSO token as a Crowd cookie at the beginning of the filter chain so the value of the location parameter should be before-login.

(If not already done, please check Atlassian's documentation at https://developer.atlassian.com/display/CROWDDEV/Servlet+Filter+Module)

kieran snapes April 11, 2017

To create the SSO token, is it as simple as grabbing the token from this API call?
https://docs.atlassian.com/atlassian-crowd/latest/REST/#usermanagement/1/session-authenticateUser

and in terms of adding the token as a crowd cookie, do we need to use an API to add it?

This is all really helpful, thanks again

Bruno Vincent
Rising Star
April 11, 2017

Yes, it is that simple!

Just add the cookie to the HTTP request, no special API required here. Something like

// javax.servlet.http.Cookie; it is added to the HttpServletResponse (a request has no addCookie)
Cookie crowdCookie = new Cookie("crowd.token_key", crowdSSOToken);
response.addCookie(crowdCookie);

will do!

kieran snapes April 26, 2017

Bit of a delay in replying.. But one more question.

I have the plugin working and am able to do a POST to authenticate the user and generate a token. I then add the token to the crowd.token_key cookie as you said above. 

However, I am seeing two cookies now, both crowd.token_key: my one and another random one.

I'm applying the filter to url /console/login.action, but it always prompts me to log in, and then pushes me back to the login page again. 

Basically I think the Crowd cookie isn't being applied in all the right places; instead the other cookie I mentioned is.

Any ideas on how to set the cookie in all the places I need?

Cheers, 

Bruno Vincent
Rising Star
April 27, 2017

I'm not sure about what's going on here, I mean getting a second Crowd cookie. I suggest that you set the log level of com.atlassian.crowd to DEBUG in Settings > Logging & profiling > Logging so as to understand why your first cookie does not seem to be taken into account here (this might have something to do with the validation factors).

You might also be right about the cookie's path and need to explicitly set it to "/", something like:

// javax.servlet.http.Cookie; it is added to the HttpServletResponse (a request has no addCookie)
Cookie crowdCookie = new Cookie("crowd.token_key", crowdSSOToken);
crowdCookie.setPath("/");          // send it with every path, not just the filter's own
crowdCookie.setHttpOnly(true);     // keep the SSO token out of reach of page scripts
crowdCookie.setMaxAge(-1);         // session cookie, discarded when the browser closes
response.addCookie(crowdCookie);

I also think you should apply the filter to "/console/*", not just "/console/login.action" which is already a redirection URL (since your plugin makes you get a valid Crowd cookie you shouldn't be redirected to the login form).
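The pieces discussed above, put together as an added example (this is not code from the thread or from Atlassian): a before-login servlet filter that reads the certificate CN forwarded by Apache, creates a Crowd SSO token through the session resource linked above with validate-password=false, and sets the crowd.token_key cookie. The header name X-SSL-Client-CN, the proxy address 127.0.0.1, the Crowd URL and the application credentials are assumptions; the JSON request body follows the session-authenticateUser reference linked above, so check it against the docs for your Crowd version. Two things the example adds that the thread does not spell out: the CN header is trusted only when the request arrives from the reverse proxy (anyone who can reach Tomcat directly could otherwise forge it), and because response.addCookie does not change what request.getCookies() returns for the current request, the filter redirects once after setting the cookie so that Crowd's own filters see the token on the next request instead of sending the user to the login page.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.*;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Example before-login servlet filter: turns the client-certificate identity that
 * Apache already verified into a Crowd SSO token, without a password. Every name
 * and value below is an assumption made for this example, not Crowd's own code.
 */
public class CertSsoFilter implements Filter {
    // Header assumed to be set by Apache from the verified certificate subject, e.g.
    //   RequestHeader set X-SSL-Client-CN "%{SSL_CLIENT_S_DN_CN}s"
    private static final String CN_HEADER = "X-SSL-Client-CN";
    // Trust that header only when the request comes from the reverse proxy; a client
    // that reaches Tomcat directly could otherwise send any CN it likes.
    private static final String PROXY_ADDR = "127.0.0.1";
    private static final String COOKIE_NAME = "crowd.token_key";
    // Crowd base URL and application credentials for the REST call (assumed values;
    // a real plugin reads them from its configuration instead of hard-coding them).
    private static final String CROWD_BASE = "https://crowd.example.internal/crowd";
    private static final String APP_NAME = "cert-sso";
    private static final String APP_PASSWORD = "change-me";
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String cn = request.getHeader(CN_HEADER);
        if (cn == null || cn.isEmpty() || hasCrowdCookie(request)
                || !PROXY_ADDR.equals(request.getRemoteAddr())) {
            chain.doFilter(req, res);   // nothing to do: let Crowd's own filters run
            return;
        }
        String token = createSsoToken(cn, request.getRemoteAddr());
        Cookie crowdCookie = new Cookie(COOKIE_NAME, token);
        crowdCookie.setPath("/");
        crowdCookie.setHttpOnly(true);   // keep the SSO token away from page scripts
        crowdCookie.setSecure(true);     // Apache terminates TLS: never send it in clear
        crowdCookie.setMaxAge(-1);       // session cookie
        response.addCookie(crowdCookie);
        // Adding a cookie to the response does not change request.getCookies() for this
        // request, so Crowd's filters downstream would still see no token and show the
        // login page. Redirect once: the browser resends the request with the cookie.
        String target = request.getRequestURI();
        if (request.getQueryString() != null) target += "?" + request.getQueryString();
        response.sendRedirect(target);
    }

    private static boolean hasCrowdCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return false;
        for (Cookie c : cookies) if (COOKIE_NAME.equals(c.getName())) return true;
        return false;
    }

    /** POST /rest/usermanagement/1/session?validate-password=false and return the token. */
    static String createSsoToken(String username, String remoteAddress) throws IOException {
        URL url = new URL(CROWD_BASE + "/rest/usermanagement/1/session?validate-password=false");
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        String creds = Base64.getEncoder().encodeToString(
                (APP_NAME + ":" + APP_PASSWORD).getBytes(StandardCharsets.UTF_8));
        conn.setRequestProperty("Authorization", "Basic " + creds);
        conn.setRequestProperty("Content-Type", "application/json");
        conn.setRequestProperty("Accept", "application/json");
        // remote_address is the validation factor Crowd checks on later requests: pass the
        // address Crowd will actually see, or validation fails and the login page returns.
        String body = "{\"username\":\"" + jsonEscape(username) + "\",\"validation-factors\":"
                + "{\"validationFactors\":[{\"name\":\"remote_address\",\"value\":\""
                + jsonEscape(remoteAddress) + "\"}]}}";
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        int status = conn.getResponseCode();
        if (status < 200 || status > 299) {
            throw new IOException("Crowd refused to create a session: HTTP " + status);
        }
        String json;
        try (InputStream in = conn.getInputStream();
             Scanner s = new Scanner(in, "UTF-8").useDelimiter("\\A")) {
            json = s.hasNext() ? s.next() : "";
        }
        Matcher m = Pattern.compile("\"token\"\\s*:\\s*\"([^\"]+)\"").matcher(json);
        if (!m.find()) throw new IOException("no token in Crowd's response");
        return m.group(1);
    }

    private static String jsonEscape(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }
}
```

The filter is declared in atlassian-plugin.xml as a servlet-filter module with location="before-login" and a url-pattern of /console/*, as discussed above. On the Apache side, RequestHeader set overwrites any value a client sends for X-SSL-Client-CN, but make sure the header is also unset when no verified certificate is present and that the Tomcat connector is not reachable except through Apache. Note the example skips its work whenever a crowd.token_key cookie is already present; a stale or invalid one therefore still lands the user on the login page, and a more thorough filter would validate an existing token against the session resource before trusting it.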

0 votes
kieran snapes April 27, 2017

Also wondering if it makes sense to use this class to do the work for me?

https://docs.atlassian.com/crowd/2.8.0/com/atlassian/crowd/integration/http/CrowdHttpAuthenticator.html#getToken(javax.servlet.http.HttpServletRequest)

The method authenticateWithoutValidatingPassword seems to authenticate and add the token to the response/request on its own.

Bruno Vincent
Rising Star
April 27, 2017

Well, the thing is Atlassian might change this class in its Java API someday so it's probably not a bad thing to stick to the REST API.

kieran snapes April 27, 2017
