How to stop Jira/Tomcat using authentication credentials from Apache?

I want to set up two layers of password protection on the public facing version of our Jira server. The normal Jira login, and an Apache login.

I've tried various different methods and nothing's worked. The issue seems to be that when I use apache login (virtual host, proxypass to ajp connector, with auth on the proxy element) jira tries to use those credentials which fails with this error in the atlassian-jira-security.log

2013-08-22 16:38:36,161 ajp-bio-8009-exec-4 anonymous 998x427x1 1k0mhp6 10.1.11.112 /secure/MyJiraHome.jspa login : 'mark.james' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.

If i add a user to apache auth with the same username and password as a jira account it works ok (but then there's only 1 level of login.)

i've tried setting tomcatAuthentication="true" on the connector but it made no diff (true is the default value anyway.)

any suggestions/help much appreciated,

mark

4 answers

Hi there,

How is configured your apache vhost?

My shoot was going to add these on apache virtual host:

<Proxy *>

Order deny,allow

Allow from all

AuthType Basic

AuthName "Password Required"

AuthUserFile password.file

AuthGroupFile group.file

Require group usergroup

</Proxy>

Which environment are you using? because this lines above will need a .htpasswd file to be created, but depending on the environment the creating of this file will be different.

Please five it a try and let me know how it goes.

Hi Celso, Thanks for the help, my vhost is configured as above (I've tried various different approaches) and that works fine, apache handles the auth and if i proxy to a test site all is fine, the problem is when i proxy to tomcat it must be using the http header credentials that apache handled. even with the directive tomcatAuthentication="true" which should tell tomcat to do it's own auth, not use apache's. My suspicion is that Jira is bypassing that directive and using the same headers as apache, so as they already exist it's failing because the uid/pw are wrong.

Hi Mark,

Could you please add your virtual host here?

This way I can try to reproduce the scenario and help you.

Regards,

Celso Yoshioka

Atlassian Support

&lt;VirtualHost *:443&gt;

    ServerName  jira....
    ServerAdmin mark.james@...

    SSLEngine on
    SSLCipherSuite ALL:!LOW:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP

    SSLCertificateFile         /etc/ssl/jira...crt
    SSLCertificateKeyFile   /etc/ssl/jira...key

    ProxyPass               /    ajp://localhost:8009/
    ProxyPassReverse   /    ajp://localhost:8009/

    &lt;Proxy *&gt;
        AuthType Basic
        AuthName "Jira"
        AuthUserFile /etc/apache2/passwd/users        
        Require valid-user
    &lt;/Proxy&gt;

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined

&lt;/VirtualHost&gt;

I added basic auth to Apache. As long as I had a valid cookie everything was fine, I entered the basic credentials could access Jira. But after logging off from Jira, I got the same problem and was never able to login again.

Shouldn't you put the Auth config outside of the Proxy tag?

Don't if that helps, but maybe it prevents Apache from sending the username/password to jira.

Suggest an answer

Log in or Join to answer
Community showcase
Sarah Schuster
Posted Jan 29, 2018 in Jira

What are common themes you've seen across successful & failed Jira Software implementations?

Hey everyone! My name is Sarah Schuster, and I'm a Customer Success Manager in Atlassian specializing in Jira Software Cloud. Over the next few weeks I will be posting discussion topics (8 total) to ...

2,760 views 11 18
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot