How to stop Jira/Tomcat using authentication credentials from Apache?

I want to set up two layers of password protection on the public facing version of our Jira server. The normal Jira login, and an Apache login.

I've tried various different methods and nothing's worked. The issue seems to be that when I use Apache login (virtual host, ProxyPass to AJP connector, with auth on the Proxy element), Jira tries to use those credentials, which fails with this error in the atlassian-jira-security.log:

2013-08-22 16:38:36,161 ajp-bio-8009-exec-4 anonymous 998x427x1 1k0mhp6 10.1.11.112 /secure/MyJiraHome.jspa login : 'mark.james' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.

If I add a user to Apache auth with the same username and password as a Jira account it works OK (but then there's only 1 level of login).

I've tried setting tomcatAuthentication="true" on the connector but it made no difference (true is the default value anyway).

Any suggestions/help much appreciated,

mark

4 answers


Hi there,

How is your Apache vhost configured?

My suggestion would be to add these to the Apache virtual host:

<Proxy *>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName "Password Required"
    AuthUserFile password.file
    AuthGroupFile group.file
    Require group usergroup
</Proxy>

Which environment are you using? The lines above need a .htpasswd file to be created, and how this file is created depends on the environment.

Please give it a try and let me know how it goes.

Hi Celso, thanks for the help. My vhost is configured as above (I've tried various different approaches) and that works fine: Apache handles the auth, and if I proxy to a test site all is fine. The problem is that when I proxy to Tomcat it must be using the HTTP header credentials that Apache handled, even with the directive tomcatAuthentication="true", which should tell Tomcat to do its own auth, not use Apache's. My suspicion is that Jira is bypassing that directive and using the same headers as Apache, so as they already exist it's failing because the uid/pw are wrong.


Hi Mark,

Could you please add your virtual host here?

This way I can try to reproduce the scenario and help you.

Regards,

Celso Yoshioka

Atlassian Support

<VirtualHost *:443>

    ServerName  jira....
    ServerAdmin mark.james@...

    SSLEngine on
    SSLCipherSuite ALL:!LOW:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP

    SSLCertificateFile      /etc/ssl/jira...crt
    SSLCertificateKeyFile   /etc/ssl/jira...key

    ProxyPass               /    ajp://localhost:8009/
    ProxyPassReverse        /    ajp://localhost:8009/

    <Proxy *>
        AuthType Basic
        AuthName "Jira"
        AuthUserFile /etc/apache2/passwd/users
        Require valid-user
    </Proxy>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>


I added basic auth to Apache. As long as I had a valid cookie everything was fine: I entered the basic credentials and could access Jira. But after logging off from Jira, I got the same problem and was never able to log in again.


Shouldn't you put the Auth config outside of the Proxy tag?

Don't know if that helps, but maybe it prevents Apache from sending the username/password to Jira.
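
An added example, not posted by anyone in this thread: one way to keep both login layers separate, assuming Jira is reacting to the forwarded Authorization header as the asker suspects. The hostname is a placeholder, SSL and logging directives are omitted, and mod_headers must be loaded.

```apache
# Added example, not from the thread. ServerName is a placeholder.
# Requires mod_headers (on Debian/Ubuntu layouts: a2enmod headers).
<VirtualHost *:443>
    ServerName jira.example.invalid

    ProxyPass        / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/

    <Proxy *>
        # Layer 1: Apache checks the Basic credentials against its own file.
        AuthType Basic
        AuthName "Jira"
        AuthUserFile /etc/apache2/passwd/users
        Require valid-user
    </Proxy>

    # Before: with nothing else configured, the browser's
    # "Authorization: Basic ..." header is proxied to Jira unchanged.
    #
    # After: drop the header once Apache has used it. RequestHeader is
    # processed in the fixup phase, after the access checks above, so
    # layer 1 still works and Jira falls back to its own login (layer 2).
    RequestHeader unset Authorization
</VirtualHost>
```

Clients that log in to Jira itself with HTTP Basic (REST scripts, for example) cannot do so through this virtual host once the header is stripped.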
