How to stop Jira/Tomcat using authentication credentials from Apache?

I want to set up two layers of password protection on the public facing version of our Jira server. The normal Jira login, and an Apache login.

I've tried various different methods and nothing's worked. The issue seems to be that when I use Apache login (virtual host, ProxyPass to AJP connector, with auth on the proxy element), Jira tries to use those credentials, which fails with this error in the atlassian-jira-security.log:

2013-08-22 16:38:36,161 ajp-bio-8009-exec-4 anonymous 998x427x1 1k0mhp6 10.1.11.112 /secure/MyJiraHome.jspa login : 'mark.james' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.

If I add a user to Apache auth with the same username and password as a Jira account it works OK (but then there's only 1 level of login).

I've tried setting tomcatAuthentication="true" on the connector but it made no difference (true is the default value anyway).

Any suggestions/help much appreciated,

Mark

4 answers

Hi there,

How is your Apache vhost configured?

My shot would be to add these to the Apache virtual host:

<Proxy *>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName "Password Required"
    AuthUserFile password.file
    AuthGroupFile group.file
    Require group usergroup
</Proxy>

Which environment are you using? These lines above will need a .htpasswd file to be created, but depending on the environment the creation of this file will be different.

Please give it a try and let me know how it goes.

Hi Celso, thanks for the help. My vhost is configured as above (I've tried various different approaches) and that works fine: Apache handles the auth, and if I proxy to a test site all is fine. The problem is that when I proxy to Tomcat it must be using the HTTP header credentials that Apache handled, even with the directive tomcatAuthentication="true", which should tell Tomcat to do its own auth, not use Apache's. My suspicion is that Jira is bypassing that directive and using the same headers as Apache, so as they already exist it's failing because the uid/pw are wrong.

Hi Mark,

Could you please add your virtual host here?

This way I can try to reproduce the scenario and help you.

Regards,

Celso Yoshioka

Atlassian Support

<VirtualHost *:443>

    ServerName  jira....
    ServerAdmin mark.james@...

    SSLEngine on
    SSLCipherSuite ALL:!LOW:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP

    SSLCertificateFile      /etc/ssl/jira...crt
    SSLCertificateKeyFile   /etc/ssl/jira...key

    ProxyPass               /    ajp://localhost:8009/
    ProxyPassReverse        /    ajp://localhost:8009/

    <Proxy *>
        AuthType Basic
        AuthName "Jira"
        AuthUserFile /etc/apache2/passwd/users
        Require valid-user
    </Proxy>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

I added basic auth to Apache. As long as I had a valid cookie everything was fine: I entered the basic credentials and could access Jira. But after logging off from Jira, I got the same problem and was never able to log in again.

Shouldn't you put the Auth config outside of the Proxy tag?

Don't know if that helps, but maybe it prevents Apache from sending the username/password to Jira.
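
One way to keep Apache from passing its username/password on to Jira, as raised in the answer above; this is an added example, not part of the original thread and not tested against Mark's setup. It assumes Mark's suspicion is correct that Jira evaluates the forwarded `Authorization` header, and the `RequestHeader` line is the only change to the vhost he posted.

```apache
<VirtualHost *:443>
    # ... ServerName, SSL and logging directives as in the vhost posted above ...

    ProxyPass        / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/

    # Layer 1: Apache Basic auth, unchanged from the posted vhost.
    <Proxy *>
        AuthType Basic
        AuthName "Jira"
        AuthUserFile /etc/apache2/passwd/users
        Require valid-user
    </Proxy>

    # Added line (requires mod_headers to be loaded). Without the "early"
    # keyword, mod_headers edits request headers after Apache's own
    # authentication has run, so layer 1 still checks the credentials, but
    # the Authorization header is removed before the request is handed to
    # the AJP backend.
    # Layer 2: with no Basic credentials to evaluate, Jira is left with its
    # own login form and session cookie.
    RequestHeader unset Authorization
</VirtualHost>
```

Any client that sends Basic credentials intended for Jira itself through this vhost (REST calls, for example) will stop authenticating, because the header no longer reaches Jira.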
