How to stop Jira/Tomcat using authentication credentials from Apache?

Mark James August 21, 2013

I want to set up two layers of password protection on the public facing version of our Jira server. The normal Jira login, and an Apache login.

I've tried various different methods and nothing's worked. The issue seems to be that when I use Apache login (virtual host, ProxyPass to AJP connector, with auth on the Proxy element) Jira tries to use those credentials, which fails with this error in the atlassian-jira-security.log:

2013-08-22 16:38:36,161 ajp-bio-8009-exec-4 anonymous 998x427x1 1k0mhp6 10.1.11.112 /secure/MyJiraHome.jspa login : 'mark.james' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.

If I add a user to Apache auth with the same username and password as a Jira account it works OK (but then there's only 1 level of login).

I've tried setting tomcatAuthentication="true" on the connector but it made no difference (true is the default value anyway).

Any suggestions/help much appreciated,

mark

4 answers

0 votes
Valentijn Scholten
Rising Star
March 5, 2014

Shouldn't you put the Auth config outside of the Proxy tag?

Don't know if that helps, but maybe it prevents Apache from sending the username/password to Jira.

0 votes
Gerrit Griebel March 4, 2014

I added basic auth to Apache. As long as I had a valid cookie everything was fine: I entered the basic credentials and could access Jira. But after logging off from Jira, I got the same problem and was never able to log in again.

0 votes
CelsoA
Rising Star
September 5, 2013

Hi Mark,

Could you please add your virtual host here?

This way I can try to reproduce the scenario and help you.

Regards,

Celso Yoshioka

Atlassian Support

Mark James September 5, 2013
<VirtualHost *:443>

    ServerName  jira....
    ServerAdmin mark.james@...

    SSLEngine on
    SSLCipherSuite ALL:!LOW:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP

    SSLCertificateFile         /etc/ssl/jira...crt
    SSLCertificateKeyFile   /etc/ssl/jira...key

    ProxyPass               /    ajp://localhost:8009/
    ProxyPassReverse   /    ajp://localhost:8009/

    <Proxy *>
        AuthType Basic
        AuthName "Jira"
        AuthUserFile /etc/apache2/passwd/users        
        Require valid-user
    </Proxy>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

0 votes
CelsoA
Rising Star
August 29, 2013

Hi there,

How is your Apache vhost configured?

My shot would be to add these to the Apache virtual host:

    <Proxy *>
        Order deny,allow
        Allow from all
        AuthType Basic
        AuthName "Password Required"
        AuthUserFile password.file
        AuthGroupFile group.file
        Require group usergroup
    </Proxy>

Which environment are you using? I ask because the lines above will need a .htpasswd file to be created, but depending on the environment the creation of this file will be different.

Please give it a try and let me know how it goes.

Mark James September 4, 2013

Hi Celso, thanks for the help. My vhost is configured as above (I've tried various different approaches) and that works fine: Apache handles the auth, and if I proxy to a test site all is fine. The problem is that when I proxy to Tomcat it must be using the HTTP header credentials that Apache handled, even with the directive tomcatAuthentication="true", which should tell Tomcat to do its own auth, not use Apache's. My suspicion is that Jira is bypassing that directive and using the same headers as Apache, so as they already exist it's failing because the uid/pw are wrong.
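
One way to keep the Apache layer's credentials from reaching Jira, as an added example that is not part of the original thread and not Atlassian's configuration. It assumes mod_headers is available and that Jira is reacting to the forwarded Authorization header, as suspected above; paths and the AJP target are copied from the vhost posted in the thread.

```apache
# Fragment for the existing <VirtualHost *:443> block.
# SSL, ServerName and logging directives stay as they are.
# Assumption: mod_headers is loaded (on Debian/Ubuntu: a2enmod headers).

ProxyPass        / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/

<Proxy *>
    # Layer 1: Apache validates the Basic credentials against its own file.
    AuthType Basic
    AuthName "Jira"
    AuthUserFile /etc/apache2/passwd/users
    Require valid-user
</Proxy>

# Layer 2 stays with Jira's own login form.
# RequestHeader runs in its default (late) mode, i.e. after Apache has
# already authenticated the request, so removing the header here does not
# weaken the Apache check. It only stops the "Authorization: Basic ..."
# header from being forwarded over AJP, where the backend would otherwise
# see credentials for an account it does not know.
RequestHeader unset Authorization

# Caveat: clients that authenticate to Jira itself with HTTP Basic
# (for example scripts calling the REST API) can no longer do so through
# this vhost, because their header is removed as well.
```

After a reload, a browser session should get the Apache prompt first and then Jira's normal login page, with different accounts allowed at each layer.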
