Updated RemoteUserJiraAuth to 1.2

RemoteUserJiraAuth/RemoteUserJiraAuth.properties

@@ -0,0 +1,17 @@
+## This file can override some default behaviour if saved in 
+##  WEB-INF/classes/RemoteUserConfluenceAuth.properties
+
+## If you're passing the username in an HTTP header, set the name here in 
+## lowercase. Leave blank to use the special REMOTE_USER header. 
+#header=x-proxy-username
+#header=
+header=x-forward-name
+
+## Use trustedhosts to specify specific hosts which are allowed to authenticate
+##  via HTTP headers. Leave blank to allow all hosts. It supports a comma
+##  separated list of IP addresses. It does not support subnets or ranges.
+#trustedhosts=192.168.0.1,192.168.0.2
+#trustedhosts=192.168.0.1
+#trustedhosts=192.168.0.1,127.0.0.1
+#trustedhosts=
+trustedhosts=10.1.1.100,127.0.0.1

RemoteUserJiraAuth/pom.xml

@@ -7,15 +7,15 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>anguswarren.jira</groupId>
     <artifactId>RemoteUserJiraAuth</artifactId>
-    <version>1.1</version>
+    <version>1.2</version>
 
     <organization>
         <name>Angus Warren</name>
         <url>https://wiki.warren.bz</url>
     </organization>
 
     <name>anguswarren.jira.RemoteUserJiraAuth</name>
-    <description>This is a custom Seraph filter developed by Angus Warren to authenticate based on the remote_user variable set by Apache</description>
+    <description>This is a custom Seraph filter which authenticates based on the remote_user variable set by Apache or an aribitrary HTTP header set by any web proxy.</description>
     <packaging>atlassian-plugin</packaging>
 
     <dependencies>
@@ -50,7 +50,7 @@
             <plugin>
                 <groupId>com.atlassian.maven.plugins</groupId>
                 <artifactId>maven-jira-plugin</artifactId>
-                <version>3.4</version>
+                <version>${amps.version}</version>
                 <extensions>true</extensions>
                 <configuration>
                     <productVersion>${jira.version}</productVersion>
@@ -69,6 +69,7 @@
 
     <properties>
         <jira.version>4.3.2</jira.version>
+        <amps.version>5.0.13</amps.version>
         <jira.data.version>4.3</jira.data.version>
     </properties>
 

RemoteUserJiraAuth/src/main/java/anguswarren/jira/RemoteUserJiraAuth.java

@@ -1,5 +1,5 @@
 /**
- * Copyright 2011 Angus Warren
+ * Copyright 2016 Angus Warren
  * 
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,50 +17,70 @@
 package anguswarren.jira;
 
 import org.apache.log4j.Category;
+import java.io.InputStream;
+import java.util.Arrays;
+import java.util.Properties;
 import java.security.Principal;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import com.atlassian.core.util.ClassLoaderUtils;
 import com.atlassian.jira.security.login.JiraSeraphAuthenticator;
 
-public class RemoteUserJiraAuth extends JiraSeraphAuthenticator
-{
+public class RemoteUserJiraAuth extends JiraSeraphAuthenticator {
     private static final Category log = Category.getInstance(RemoteUserJiraAuth.class);
 
-    public Principal getUser(HttpServletRequest request, HttpServletResponse response)
-    {
+    public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
         Principal user = null;
-        try
-        {
-            if(request.getSession() != null && request.getSession().getAttribute(JiraSeraphAuthenticator.LOGGED_IN_KEY) != null)
-            {
+        try {
+            if (request.getSession() != null && request.getSession().getAttribute(JiraSeraphAuthenticator.LOGGED_IN_KEY) != null) {
                 log.debug("Session found; user already logged in");
                 user = (Principal) request.getSession().getAttribute(JiraSeraphAuthenticator.LOGGED_IN_KEY);
-            }
-            else
-            {
-                    log.debug("Trying RemoteUserJiraAuth SSO");
-                    String remoteuser = request.getRemoteUser();
-                    log.debug("remote_user set to: " + remoteuser);
-                    if(remoteuser != null)
-                    {
-			String[] username = remoteuser.split("@");
-                        user = getUser(username[0]);
-                        log.debug("Logging in with username: " + user);
-                        request.getSession().setAttribute(JiraSeraphAuthenticator.LOGGED_IN_KEY, user);
-                        request.getSession().setAttribute(JiraSeraphAuthenticator.LOGGED_OUT_KEY, null);
-                    }
-                    else 
-                    {
-                        log.warn("remote_user is null");
-                        return null;
+            } else {
+                Properties p = new Properties();
+                try {
+                    InputStream iStream = ClassLoaderUtils.getResourceAsStream("RemoteUserJiraAuth.properties", this.getClass());
+                    p.load(iStream);
+                } catch (Exception e) {
+                    log.debug("Exception loading propertie. The properties file is optional anyway, so this may not be an issues: " + e, e);
+                }
+
+                String trustedhosts = p.getProperty("trustedhosts");
+                if (trustedhosts != null) {
+                    String ipAddress = request.getRemoteAddr();
+                    if (Arrays.asList(trustedhosts.split(",")).contains(ipAddress)) {
+                        log.debug("IP found in trustedhosts.");
+                    } else {
+                        log.debug("IP not found in trustedhosts: " + ipAddress);
+                        return null; 
                     }
+                } else {
+                    log.debug("trustedhosts not configured. If you're using http headers, this may be a security issue.");
+                }
+
+                String remoteuser = null;
+                String header = p.getProperty("header");
+                if (header == null) {
+                    log.debug("Trying REMOTE_USER for SSO");
+                    remoteuser = request.getRemoteUser();
+                } else {
+                    log.debug("Trying HTTP header '" + header + "' for SSO");
+                    remoteuser = request.getHeader(header);
+                }
+
+                if (remoteuser != null) {
+                    String[] username = remoteuser.split("@");
+                    user = getUser(username[0]);
+                    log.debug("Logging in with username: " + user);
+                    request.getSession().setAttribute(JiraSeraphAuthenticator.LOGGED_IN_KEY, user);
+                    request.getSession().setAttribute(JiraSeraphAuthenticator.LOGGED_OUT_KEY, null);
+                } else {
+                    log.debug("remote_user is null");
+                    return null;
+                }
             }
-        }
-        catch (Exception e)
-        {
-            log.warn("Exception: " + e, e);
+        } catch (Exception e) {
+            log.error("Exception: " + e, e);
         }
         return user;
     }
-
 }