Jasig CAS client and JIRA not working

I was trying to get this setup iusing souldwing but then reading that its no longer being developed I moved to Jasig CAS client (https://wiki.jasig.org/display/CASC/Configuring+Jira+with+JASIG+CAS+Client+for+Java+3.1).

Problem is i cannot get it to work, i've followed instructions on the above but after starting service it will not connect to my JIRA instance. Just get page cannot be found. I remove the CAS stuff ad it works fine.

I'm of course doing something worng maybe i have this in the worng format or am following worng instructions, any help is appreciated

JIRA 5.2.5


9 answers

1 accepted

We have fully working installation of JIRA 5.2 with CAS authentification. I have attached diff file containing configuration changes and requires jars - apply it to your jira installation directory - it is git based patch, so this answer should apply.

Of course don't forget to change https://sso.mycompany.com with URL of your CAS server.

Update: attachment went to the hell - so here it is as GIST

Hi Jozef,

We're currently running JIRA 5.2.7 with CAS authentication and planing to upgrade to JIRA 6.1.1. Are there any issues if we use the CAS authentication for 5.2.7? THANKS!

I have the same problem.

if you look at the logs, catalina.out, you may see this item:

2013-02-01 09:47:45,532 Spring executor 4 ERROR [plugin.osgi.factory.OsgiPlugin] Unable to start the Spring context for plugin com.atlassian.sal.jira
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationController' defined in URL [bundle://84.0:0/META-INF/spring/atlassian-plugins-components.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class [com.atlassian.sal.core.auth.SeraphAuthenticationController]: Constructor threw exception; nested exception is java.lang.NoClassDefFoundError: com/opensymphony/user/EntityNotFoundException

That is all debug I get from this issue.

Well... I have tried to understand this for few days. No luck. I assume, that default 5.2.5 installation has something configured that tries to use default authenticator class. I am not sure. This also happens with 5.0.7.

I have used released cas libraries and the ones I build from the git trunk. No success.

This is sort of an dead end. I will probably end up creating a ticket for this.

You definitely need to raise this with the authors.

One thing that sticks out to me in the logs - com/opensymphony/user. Jira has NOT used that since 4.2, so my instincts are screaming that you're using a plugin that is for 4.2 or lower.

It may be that the plugin does things with opensymphony internally, but I'm not familiar with it, so I'm guessing.

Unfortunately the JIRA support is limited with this as it is not their product,

This is what i got from support:

"Hello,

Thank you for contacting Atlassian support. I'm afraid that CAS integration falls out of the scope of this support channel as it is a third-party system. More information can be found in this article.

The only SSO solution supported by Atlassian is Crowd application. However, after a research at answers.atlassian.com (which is our community network) I found this question that contains some links and clarifications about CAS integration.

Additionally, we were informed by one of our customer that there is a bug in CAS 3.2.1 that can prevent JIRA to pick the <tt>netid</tt> information. This is suppose to be fixed in CAS 3.3. You may need to modify your CAS module to apply this update.

So i guess for now i'm stuck with no CAS integration until 3.3 is released.

I was a bit mislead by the instructions given by JASIG JIRA 3.1 installation. I had the wrong authenticator, one should use 44Cas version. I suppose. I mean this part:

&lt;authenticator class="org.jasig.cas.client.integration.atlassian.Jira44CasAuthenticator"/&gt;

I do not get it working though. I removed:

&lt;service class="com.atlassian.seraph.service.WebworkService"&gt;
            &lt;init-param&gt;
                &lt;param-name&gt;action.extension&lt;/param-name&gt;
                &lt;param-value&gt;jspa&lt;/param-value&gt;
            &lt;/init-param&gt;
        &lt;/service&gt;

        &lt;service class="com.atlassian.jira.plugin.webwork.WebworkPluginSecurityService"&gt;
            &lt;init-param&gt;
                &lt;param-name&gt;action.extension&lt;/param-name&gt;
                &lt;param-value&gt;jspa&lt;/param-value&gt;
            &lt;/init-param&gt;
        &lt;/service&gt;

from seraph-config.xml and the JIRA starts now.

But does not seem to do any queries to cas server. And I am using 3.3 from the trunk.

Too much confusion here - I just end up testing blindly everything. I have no idea what the actual problem is - is it changes within JIRA or something to do with CAS 3.3.

Hi, I've resolved this issue with Jira 5.2.8: you need to modify a class name, from com.atlassian.jira.plugin.webwork.WebworkPluginSecurityService to com.atlassian.jira.plugin.webwork.JiraSeraphSecurityService in your seraph-config.xml.

Got it working with the patch, so thanks! You saved me, really, from going nuts. Had to tweak patch a bit, few white spaces are not same in the patch as they are in the standalone 5.2.0 or 5.2.5 that I tested. Used git apply ..., not patch -p1 < ....

Raised a bit more questions too. You must have different version or some build variables, because only thing different could have been cas- -jars. I also had some mystical problems which dissapeared with clean new test install.

So 5.2.5 works, with the patch.

Hi all, just for the information, JIRA 6-ml10 works too.

We got it working with Jira 6 as well using the lastest java cas jar files (3.3) from the github repository. We imported the lastest code into Eclipse and then used Maven to build the jars.

Plus be sure to use the following authenticator instead of the one in the guides:

<authenticator class="org.jasig.cas.client.integration.atlassian.Jira44CasAuthenticator"/>

Hi all, just installed JIRA606 and I need integrate the authentication with CAS 3.5.1. I followed the official documentation but without disabled the default JIRA authentication (JiraSeraphAuthenticator), if disable it the startup process failed (cas_error.txt).

A result of this error, I tried to maintain the Seraph enabled with the atlassianCasClient and the CAS authentication WORKS!!!, but when I logon the JiraSeraphAuthenticator authentication reorders.

This is my JIRA6 (jira_cas_foro.txt) .

Thanks for all

CAS INTEGRATION:
https://wiki.jasig.org/display/CASC/Configuring+Jira+with+JASIG+CAS+Client+for+Java+3.1

cp -pr cas-client-integration-atlassian-3.2.1.jar /usr/local/etc2/jira606/atlassian-jira/WEB-INF/lib/
cp -pr cas-client-core-3.2.1.jar /usr/local/etc2/jira606/atlassian-jira/WEB-INF/lib/

Habilitamos la configuración por CAS, comentando la configuración activa por default

$JIRA_HOME/WEB-INF/classes/seraph-config.xml

    &lt;!-- CROWD:START - The authenticator below here will need to be commented out for Crowd SSO integration --&gt;
    &lt;authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/&gt;
    &lt;!-- CROWD:END --&gt;

    &lt;!-- CAS:START - Java Client Jira Authenticator --&gt;
        &lt;authenticator class="org.jasig.cas.client.integration.atlassian.JiraCasAuthenticator"/&gt;
    &lt;!-- CAS:END --&gt;

Redirigimos el Sign Out de JIRA al Sign Out de CAS

$JIRA_HOME/WEB-INF/classes/seraph-config.xml

        &lt;init-param&gt;
            &lt;!--
              The login URL to redirect to when the user tries to access a protected resource (rather than clicking on
              an explicit login link). Most of the time, this will be the same value as 'link.login.url'.
                - if the URL is absolute (contains '://'), then redirect that URL (for SSO applications)
                - else the context path will be prepended to this URL

                If '${originalurl}' is present in the URL, it will be replaced with the URL that the user requested.
                This gives SSO login pages the chance to redirect to the original page
            --&gt;
            &lt;param-name&gt;login.url&lt;/param-name&gt;
            &lt;!--&lt;param-value&gt;/login.jsp?permissionViolation=true&amp;amp;os_destination=${originalurl}&lt;/param-value&gt;--&gt;
            &lt;param-value&gt;https://mycassrv.domain.es/cas/login?service=${originalurl}&lt;/param-value&gt;
        &lt;/init-param&gt;
        &lt;init-param&gt;
            &lt;!--
              the URL to redirect to when the user explicitly clicks on a login link (rather than being redirected after
              trying to access a protected resource). Most of the time, this will be the same value as 'login.url'.
                - same properties as login.url above
            --&gt;
            &lt;param-name&gt;link.login.url&lt;/param-name&gt;
            &lt;!--&lt;param-value&gt;/login.jsp?os_destination=${originalurl}&lt;/param-value&gt;--&gt;
            &lt;!--&lt;param-value&gt;/secure/Dashboard.jspa?os_destination=${originalurl}&lt;/param-value&gt;--&gt;
            &lt;!--&lt;param-value&gt;http://sso.mycompany.com/login?redirectTo=${originalurl}&lt;/param-value&gt;--&gt;
            &lt;param-value&gt;https://mycassrv.domain.es/cas/login?service=${originalurl}&lt;/param-value&gt;
        &lt;/init-param&gt;
        &lt;init-param&gt;
            &lt;!-- URL for logging out.
                 - If relative, Seraph just redirects to this URL, which is responsible for calling Authenticator.logout().
                 - If absolute (eg. SSO applications), Seraph calls Authenticator.logout() and redirects to the URL
                 --&gt;
            &lt;param-name&gt;logout.url&lt;/param-name&gt;
            &lt;!--&lt;param-value&gt;/secure/Logout!default.jspa&lt;/param-value&gt;--&gt;
            &lt;!--&lt;param-value&gt;http://sso.mycompany.com/logout&lt;/param-value&gt;--&gt;
            &lt;param-value&gt;https://mycassrv.domain.es/cas/logout&lt;/param-value&gt;
        &lt;/init-param&gt;

Add the Single Sign Out listener to the list of listener list too

$JIRA_HOME/WEB-INF/web.xml

    &lt;!-- CAS:START - Java Client Single Sign Out Listener --&gt;
    &lt;listener&gt;
        &lt;listener-class&gt;org.jasig.cas.client.session.SingleSignOutHttpSessionListener&lt;/listener-class&gt;
    &lt;/listener&gt;
    &lt;!-- CAS:END --&gt;

$JIRA_HOME/WEB-INF/web.xml

Add before the filter-mapping entries:

    &lt;!-- CAS:START - Java Client Filter Mappings --&gt;
    &lt;filter-mapping&gt;
        &lt;filter-name&gt;CasSingleSignOutFilter&lt;/filter-name&gt;
        &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
    &lt;/filter-mapping&gt;
    &lt;filter-mapping&gt;
       &lt;filter-name&gt;CasAuthenticationFilter&lt;/filter-name&gt;
       &lt;url-pattern&gt;/login.jsp&lt;/url-pattern&gt;
    &lt;/filter-mapping&gt;
    &lt;filter-mapping&gt;
       &lt;filter-name&gt;CasValidationFilter&lt;/filter-name&gt;
       &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
    &lt;/filter-mapping&gt;
    &lt;!-- CAS:END --&gt;

$JIRA_HOME/WEB-INF/web.xml

&lt;!-- CAS:START - Java Client Filters --&gt;
&lt;filter&gt;
   &lt;filter-name&gt;CasSingleSignOutFilter&lt;/filter-name&gt;
   &lt;filter-class&gt;org.jasig.cas.client.session.SingleSignOutFilter&lt;/filter-class&gt;
&lt;/filter&gt;
&lt;filter&gt;
  &lt;filter-name&gt;CasAuthenticationFilter&lt;/filter-name&gt;
  &lt;filter-class&gt;org.jasig.cas.client.authentication.AuthenticationFilter&lt;/filter-class&gt;
  &lt;init-param&gt;
    &lt;param-name&gt;casServerLoginUrl&lt;/param-name&gt;
    &lt;param-value&gt;https://mycassrv.domain.es/cas/login&lt;/param-value&gt;
  &lt;/init-param&gt;
  &lt;init-param&gt;
    &lt;param-name&gt;serverName&lt;/param-name&gt;
    &lt;param-value&gt;https://mycassrv.domain.es/jira/&lt;/param-value&gt;
  &lt;/init-param&gt;
&lt;/filter&gt;
&lt;filter&gt;
    &lt;filter-name&gt;CasValidationFilter&lt;/filter-name&gt;
    &lt;filter-class&gt;org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter&lt;/filter-class&gt;
    &lt;init-param&gt;
        &lt;param-name&gt;casServerUrlPrefix&lt;/param-name&gt;
        &lt;param-value&gt;https://mycassrv.domain.es/cas&lt;/param-value&gt;
    &lt;/init-param&gt;
    &lt;init-param&gt;
        &lt;param-name&gt;serverName&lt;/param-name&gt;
        &lt;param-value&gt;https://mycassrv.domain.es/jira/&lt;/param-value&gt;
    &lt;/init-param&gt;
    &lt;init-param&gt;
        &lt;param-name&gt;redirectAfterValidation&lt;/param-name&gt;
        &lt;param-value&gt;true&lt;/param-value&gt;
    &lt;/init-param&gt;
&lt;/filter&gt;
&lt;!--- CAS:END --&gt;
    &lt;!-- =====================================================
         FILTER MAPPINGS FOLLOW :
         ===================================================== --&gt;

Reread again the answers - at least the my answer above. IN short - CAS libraries are too old to support JIRA 6

Ok, thanks Jozef,

I tried to apply the path but failed with:

[root@jirasrv jira606]# git apply gistfile1.diff 
gistfile1.diff:55: trailing whitespace.
    &lt;authenticator class="org.jasig.cas.client.integration.atlassian.Jira44CasAuthenticator"/&gt; 
error: patch failed: atlassian-jira/WEB-INF/classes/jpm.xml:246
error: atlassian-jira/WEB-INF/classes/jpm.xml: patch does not apply
error: patch failed: atlassian-jira/WEB-INF/classes/seraph-config.xml:11
error: atlassian-jira/WEB-INF/classes/seraph-config.xml: patch does not apply
error: patch failed: atlassian-jira/WEB-INF/web.xml:351
error: atlassian-jira/WEB-INF/web.xml: patch does not apply

Thanks Jozef, the patch for the jar files works perfectly!!!

There are some incompatibilities with whitespaces - you should tweak it a bit (as HML-Proactum above did). Not sure what I did wrong when exporting the patch.

Actually I am using Mercurial Queue for patches in JIRA installation - the patch originates from this tool.

In case anyone stumbles into this thread at this point...

This seems to work for Jira 6.2.4, as of 2014-05-08.

Following the basic instructions in https://wiki.jasig.org/display/CASC/Configuring+Jira+with+JASIG+CAS+Client+for+Java+3.1but changing, as per this thread the following

- Jira44CasAuthenticator

- jira.admin.gadget.task.list.enabled : set sysadmin-editable to true

The bit about WebworkPluginSecurityService renaming doesn't seem to be necessary, that's already that way in my file as distributed from Atlassian.

This is all in Jozef's patch, although the line numbers are a bit off, possibly because of the version of Jira of course. His patch references line 247 for jpm.xml, but that doesn't appear to be the actual line. His patch also shows the property after the patch as jira.disable.multipart.get.http.request, therefore I am assuming the property that should be changed is jira.admin.gadget.task.list.enabled (which is right above the jira.disable.multipart... property in this version of jpm.xml).

I did not use cas-client-core-3.3-SNAPSHOT.jar, and thus did not apply the binary patch Jozef provided. Instead I grabbed the 3.3.1 of both client-core and client-integration-atlassian, from http://maven-repository.com/artifact/org.jasig.cas.client. In my case, I pulled the built jar file dated 2014-03-20, presumably anyone who finds this thread in the future can grab a newer build (or maybe the officially released stable version by then.) I don't know what that binary patch to the JAR file does, so if Jozef is still here, and can chime in, that'd be appreciated. I've no idea if his alterations might have made it into the JASIG git or not.

PH


Hi, thanks for update. I wasn't aware that 3.3 libraries are finally out.

The patch contains plain copies of CAS libraries (3.3-SNAPSHOT).

We are managing Atlassian applications in form of patches (Mercurial Queues). This method handles well changes in line numbers. I can upgrade automatically installation of JIRA with 30 patched files in 5 minutes.

how to do this : ira.admin.gadget.task.list.enabled : set sysadmin-editable to true

you have to edit atlassian-jira/WEB-INF/classes/jpm.xml

jira 6.3.3 Following the basic instructions in https://wiki.jasig.org/display/CASC/Configuring+Jira+with+JASIG+CAS+Client+for+Java+3.1 now , it can farword me to the sso login page,. input my username and password, redirect to the jira loginpage "http://XX.XXX.XXX.XXX:8080/secure/Dashboard.jspa"; . i check the jiralog ,there is't any error log i download cas-client-core-3.3.jar and client-integration-atlassian-3.3.3.jar from maven repo. use - Jira44CasAuthenticator and set jira.admin.gadget.task.list.enabled follow @Jozef Kotlár who can tell me why ? and how to debug it?

Suggest an answer

Log in or Sign up to answer
How to earn badges on the Atlassian Community

How to earn badges on the Atlassian Community

Badges are a great way to show off community activity, whether you’re a newbie or a Champion.

Learn more
Community showcase
Published 5 hours ago in Off-topic

Get to know our Atlassian User Group Leaders from Bengaluru, India

Meet @Dinesh Dhinakaran, @Vishnu Vasudeva, @Rajeev Verma, and Jamshid Nalakath: Our extraordinary AUG leaders from Bengaluru, India. These four work together to strengthen the bonds of their local co...

56 views 0 2
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you