Initial commit of RemoteUserJiraAuth 1.1

.gitignore

@@ -0,0 +1,4 @@
+*~
+*.swp
+*.swo
+target/

README.md

@@ -0,0 +1,65 @@
+JIRA 4.3+ with mod_auth_kerb SSO
+================================
+Goal
+----
+Users should transparently log in to JIRA with AD domain credentials.
+
+Overview
+--------
+Apache authenticates users using mod_auth_kerb and passes the authenticated username to JIRA through an AJP proxy. JIRA uses a custom Seraph filter which checks for the remote_user variable set by Apache and logs the user in automatically.
+
+Installation
+------------
+1. Install Jira using the standard install, listening on port 8080
+   * Allow port 8080 through the firewall
+2. Setup LDAP user directory
+   * Test logging in using your AD credentials
+3. Setup apache to act as a proxy to Jira using AJP
+   * Add this line to the server.xml (/opt/atlassian/jira/conf/server.xml) file, around line 64. It should end up below the existing "Connector" entry. 
+     ```xml
+     <Connector port="8009" redirectPort="8443" enableLookups="false" protocol="AJP/1.3" URIEncoding="UTF-8" tomcatAuthentication="false"/>
+     ```
+   * Check the "jira_proxy.conf" file in examples for the apache configuration.
+4. Install mod_auth_kerb and configure it to authenticate against your AD
+   * There is plenty of documentation out there on how to do this, I have also included my configuration files in the examples directory. (krb5.conf and smb.conf)
+   * Set up a location like /private and test against that. Once Kerberos is authenticating properly there, apply it to the JIRA proxy created in the previous step.
+5. Add the jar file (RemoteUserJiraAuth-X.Y.jar) to the WEB-INF/lib/ directory (by default it's /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/)
+   * Ensure that you've removed any older versions which may exist.
+6. Edit WEB-INF/classes/seraph-config.xml and replace the existing authenticator with the custom one: 
+   ```xml
+   Comment this out:
+   <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/>
+   Add this below it:
+   <authenticator class="anguswarren.jira.RemoteUserJiraAuth"/>
+   ```
+7. Restart JIRA and Apache
+8. Check to see if it is now working.
+
+Notes
+-----
+### Kerberos
+Kerberos can be frustrating to configure correctly. Check that DNS is configured correctly, and you have a valid PTR record for the servers IP address. Check that the SPN is valid against the hostname that you are connecting to and that you do not have a duplicate SPN configured in AD. The following code will check for duplicate SPN's
+```bash
+ldapsearch -h dc01.domain.local -x -W -D "[email protected]" \
+-b "DC=DOMAIN,DC=LOCAL" 'serviceprincipalname=*' serviceprincipalname | \
+grep 'Name:' | sort | uniq -d
+```
+
+To Generate your keytab, the easiest way is to run this command from the linux host after joining the domain.
+```
+net ads keytab add HTTP -U administrator
+```
+
+If you are using a virtual server and the name you connect with is not the same as the domain computers name, you will need to generate a keytab for the second hostname. At our site, the computer name is Support01 but we are connecting using jira.domain.local. Authentication will fail if the keytab does not match the hostname/fqdn you connect to. To generate a keytab for another hostname:
+1. Create a new user account for the SPN/keytab to be bound with, set the password never to expire.
+2. From the windows command line run the following command (replace my values to match your environment)
+   * `ktpass -princ HTTP/[email protected] -out C:\jira.domain.local.keytab -mapuser [email protected] --pass userspassword`
+3. Move the keytab to the correct location on the apache host. (specified in the apache config file for your virtual host)
+
+### Firefox
+Open about:config and change add the JIRA fqdn to 'network.negotiate-auth.trusted-uris'
+
+### Internet Explorer & Chrome
+First, add the JIRA fqdn to either the Trusted sites or the Intranet zone. Once you have done that, either
+  * set the security settings for that zone to allow "automatic logon with the current username and password."
+  * OR, set the security level for the zone to "Low"

RemoteUserJiraAuth/LICENSE

@@ -0,0 +1,13 @@
+Copyright 2011 Angus Warren
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

RemoteUserJiraAuth/pom.xml

@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>anguswarren.jira</groupId>
+    <artifactId>RemoteUserJiraAuth</artifactId>
+    <version>1.1</version>
+
+    <organization>
+        <name>Angus Warren</name>
+        <url>https://wiki.warren.bz</url>
+    </organization>
+
+    <name>anguswarren.jira.RemoteUserJiraAuth</name>
+    <description>This is a custom Seraph filter developed by Angus Warren to authenticate based on the remote_user variable set by Apache</description>
+    <packaging>atlassian-plugin</packaging>
+
+    <dependencies>
+        <dependency>
+            <groupId>com.atlassian.jira</groupId>
+            <artifactId>atlassian-jira</artifactId>
+            <version>${jira.version}</version>
+            <scope>provided</scope>
+        </dependency>        
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>4.6</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.atlassian.jira</groupId>
+            <artifactId>jira-func-tests</artifactId>
+            <version>${jira.version}</version>
+            <scope>test</scope>
+        </dependency>
+	<dependency>
+		<groupId>javax.servlet</groupId>
+		<artifactId>servlet-api</artifactId>
+		<version>2.4</version>
+		<scope>provided</scope>
+	</dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>com.atlassian.maven.plugins</groupId>
+                <artifactId>maven-jira-plugin</artifactId>
+                <version>3.4</version>
+                <extensions>true</extensions>
+                <configuration>
+                    <productVersion>${jira.version}</productVersion>
+                    <productDataVersion>${jira.data.version}</productDataVersion>
+                </configuration>
+            </plugin>
+            <plugin>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <source>1.6</source>
+                    <target>1.6</target>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+    <properties>
+        <jira.version>4.3.2</jira.version>
+        <jira.data.version>4.3</jira.data.version>
+    </properties>
+
+</project>

RemoteUserJiraAuth/src/main/java/anguswarren/jira/RemoteUserJiraAuth.java

@@ -0,0 +1,66 @@
+/**
+ * Copyright 2011 Angus Warren
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package anguswarren.jira;
+
+import org.apache.log4j.Category;
+import java.security.Principal;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import com.atlassian.jira.security.login.JiraSeraphAuthenticator;
+
+public class RemoteUserJiraAuth extends JiraSeraphAuthenticator
+{
+    private static final Category log = Category.getInstance(RemoteUserJiraAuth.class);
+
+    public Principal getUser(HttpServletRequest request, HttpServletResponse response)
+    {
+        Principal user = null;
+        try
+        {
+            if(request.getSession() != null && request.getSession().getAttribute(JiraSeraphAuthenticator.LOGGED_IN_KEY) != null)
+            {
+                log.debug("Session found; user already logged in");
+                user = (Principal) request.getSession().getAttribute(JiraSeraphAuthenticator.LOGGED_IN_KEY);
+            }
+            else
+            {
+                    log.debug("Trying RemoteUserJiraAuth SSO");
+                    String remoteuser = request.getRemoteUser();
+                    log.debug("remote_user set to: " + remoteuser);
+                    if(remoteuser != null)
+                    {
+			String[] username = remoteuser.split("@");
+                        user = getUser(username[0]);
+                        log.debug("Logging in with username: " + user);
+                        request.getSession().setAttribute(JiraSeraphAuthenticator.LOGGED_IN_KEY, user);
+                        request.getSession().setAttribute(JiraSeraphAuthenticator.LOGGED_OUT_KEY, null);
+                    }
+                    else 
+                    {
+                        log.warn("remote_user is null");
+                        return null;
+                    }
+            }
+        }
+        catch (Exception e)
+        {
+            log.warn("Exception: " + e, e);
+        }
+        return user;
+    }
+
+}

RemoteUserJiraAuth/src/main/resources/atlassian-plugin.xml

@@ -0,0 +1,7 @@
+<atlassian-plugin key="${project.groupId}.${project.artifactId}" name="${project.name}" plugins-version="1">
+    <plugin-info>
+        <description>${project.description}</description>
+        <version>${project.version}</version>
+        <vendor name="${project.organization.name}" url="${project.organization.url}" />
+    </plugin-info>
+</atlassian-plugin>

examples/jira_proxy.conf

@@ -0,0 +1,71 @@
+<VirtualHost *:80>
+    ServerName  jira.domain.local
+    ServerAlias jira
+    ServerAlias it
+
+    RewriteEngine on
+    RewriteCond %{SERVER_PORT} =80
+    RewriteRule ^/(.*)         https://jira.domain.local/$1 [L,R]
+</VirtualHost>
+
+
+<VirtualHost *:443>
+    ServerName  jira.domain.local
+    ServerAlias jira
+
+    DocumentRoot /opt/atlassian/jira/atlassian-jira
+
+    SSLEngine on
+    SSLCertificateFile          /etc/httpd/secure/jira.domain.local.crt
+    SSLCertificateKeyFile       /etc/httpd/secure/jira.domain.local.key
+    SSLCertificateChainFile     /etc/httpd/secure/startcom.sub.class1.server.ca.pem
+    SSLCACertificateFile        /etc/httpd/secure/startcom.ca.pem
+    SSLOptions StrictRequire
+    SSLProtocol all -SSLv2
+
+    KeepAlive On
+
+    ProxyRequests Off
+    ProxyPreserveHost On
+
+    <Proxy *>
+        Order deny,allow
+        Allow from all
+    </Proxy>
+
+    ProxyPass /images/ !
+    ProxyPass /portlets/ !
+    ProxyPass /styles/ !
+    ProxyPass /                 ajp://127.0.0.1:8009/
+    ProxyPassReverse /          ajp://127.0.0.1:8009/
+
+    RewriteEngine on
+    RewriteCond %{HTTP_HOST}    !^jira\.domain\.com [NC]
+    RewriteCond %{HTTP_HOST}    !^$
+    RewriteRule ^/(.*)          http://jira.domain.local/$1 [L,R]
+
+    <Location />
+        AuthType                Kerberos
+        AuthName                "JIRA Kerberos Login"
+        KrbMethodNegotiate      On
+        KrbMethodK5Passwd       On
+        KrbAuthRealms           DOMAIN.LOCAL
+        Krb5KeyTab              /etc/httpd/secure/jira.domain.local.kerberos.keytab
+        require                 valid-user
+
+        SetOutputFilter DEFLATE
+        SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
+        Header append Vary User-Agent env=!dont-vary
+    </Location>
+
+    <LocationMatch "^/(images/|s/.*_/images/|secure/useravatar).*$">
+        AuthType None
+        Satisfy Any
+    </LocationMatch>
+
+    ServerSignature    Off
+    LogLevel           warn
+    HostnameLookups    Off
+    ErrorLog           /var/log/httpd/jira_error.log
+    CustomLog          /var/log/httpd/jira_access.log common
+</VirtualHost>

examples/krb5.conf

@@ -0,0 +1,24 @@
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ default_realm = DOMAIN.LOCAL
+ default_keytab_name = FILE:/etc/krb5.keytab
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ forwardable = yes
+
+[realms]
+ DOMAIN.LOCAL = {
+  kdc = dc01.domain.local:88
+  admin_server = dc01.domain.local:749
+  default_domain = domain.local
+ }
+
+[domain_realm]
+ .domain.local = DOMAIN.LOCAL
+ domain.local = DOMAIN.LOCAL
+ .DOMAIN.LOCAL = DOMAIN.LOCAL

examples/smb.conf

@@ -0,0 +1,13 @@
+[global]
+    workgroup = SATTERLEY
+    security = user
+    netbios name = support01
+    realm = DOMAIN.LOCAL
+    password server = dc01.domain.local
+    use kerberos keytab = yes
+    security = ADS
+    encrypt passwords = yes
+    passdb backend = tdbsam
+    server string = Samba Server Version %v
+    log file = /var/log/samba/log.%m
+    max log size = 50