diff --git a/RemoteUserJiraAuth/RemoteUserJiraAuth.properties b/RemoteUserJiraAuth/RemoteUserJiraAuth.properties
new file mode 100644
index 0000000..c0b4026
--- /dev/null
+++ b/RemoteUserJiraAuth/RemoteUserJiraAuth.properties
@@ -0,0 +1,17 @@
+## This file can override some default behaviour if saved in
+## WEB-INF/classes/RemoteUserConfluenceAuth.properties
+
+## If you're passing the username in an HTTP header, set the name here in
+## lowercase. Leave blank to use the special REMOTE_USER header.
+#header=x-proxy-username
+#header=
+header=x-forward-name
+
+## Use trustedhosts to specify specific hosts which are allowed to authenticate
+## via HTTP headers. Leave blank to allow all hosts. It supports a comma
+## separated list of IP addresses. It does not support subnets or ranges.
+#trustedhosts=192.168.0.1,192.168.0.2
+#trustedhosts=192.168.0.1
+#trustedhosts=192.168.0.1,127.0.0.1
+#trustedhosts=
+trustedhosts=10.1.1.100,127.0.0.1
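Review bot: The header comment on the second line points deployers at `WEB-INF/classes/RemoteUserConfluenceAuth.properties`, but the authenticator in this commit loads `RemoteUserJiraAuth.properties` from the classpath, so a file saved under the documented name is silently ignored and the filter runs with no header and no trustedhosts list; change the comment to `## WEB-INF/classes/RemoteUserJiraAuth.properties`. The "Leave blank" guidance for both `header` and `trustedhosts` also does not describe what the code does with an empty value (see the note on the RemoteUserJiraAuth.java hunk). This copy ships with `header=x-forward-name` and `trustedhosts=10.1.1.100,127.0.0.1` active rather than commented out; if the file is meant as a template, leaving only commented examples would avoid a copy-paste deployment that trusts a header name and IP list taken from someone else's environment.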
diff --git a/RemoteUserJiraAuth/pom.xml b/RemoteUserJiraAuth/pom.xml
index 26c0e22..21af933 100644
--- a/RemoteUserJiraAuth/pom.xml
+++ b/RemoteUserJiraAuth/pom.xml
@@ -7,7 +7,7 @@
4.0.0
anguswarren.jira
RemoteUserJiraAuth
- 1.1
+ 1.2
Angus Warren
@@ -15,7 +15,7 @@
anguswarren.jira.RemoteUserJiraAuth
- This is a custom Seraph filter developed by Angus Warren to authenticate based on the remote_user variable set by Apache
+ This is a custom Seraph filter which authenticates based on the remote_user variable set by Apache or an aribitrary HTTP header set by any web proxy.
atlassian-plugin
@@ -50,7 +50,7 @@
com.atlassian.maven.plugins
maven-jira-plugin
- 3.4
+ ${amps.version}
true
${jira.version}
@@ -69,6 +69,7 @@
4.3.2
+ 5.0.13
4.3
diff --git a/RemoteUserJiraAuth/src/main/java/anguswarren/jira/RemoteUserJiraAuth.java b/RemoteUserJiraAuth/src/main/java/anguswarren/jira/RemoteUserJiraAuth.java
index 08ea161..997a34f 100644
--- a/RemoteUserJiraAuth/src/main/java/anguswarren/jira/RemoteUserJiraAuth.java
+++ b/RemoteUserJiraAuth/src/main/java/anguswarren/jira/RemoteUserJiraAuth.java
@@ -1,5 +1,5 @@
/**
- * Copyright 2011 Angus Warren
+ * Copyright 2016 Angus Warren
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -17,50 +17,70 @@
package anguswarren.jira;
import org.apache.log4j.Category;
+import java.io.InputStream;
+import java.util.Arrays;
+import java.util.Properties;
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import com.atlassian.core.util.ClassLoaderUtils;
import com.atlassian.jira.security.login.JiraSeraphAuthenticator;
-public class RemoteUserJiraAuth extends JiraSeraphAuthenticator
-{
+public class RemoteUserJiraAuth extends JiraSeraphAuthenticator {
private static final Category log = Category.getInstance(RemoteUserJiraAuth.class);
- public Principal getUser(HttpServletRequest request, HttpServletResponse response)
- {
+ public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
Principal user = null;
- try
- {
- if(request.getSession() != null && request.getSession().getAttribute(JiraSeraphAuthenticator.LOGGED_IN_KEY) != null)
- {
+ try {
+ if (request.getSession() != null && request.getSession().getAttribute(JiraSeraphAuthenticator.LOGGED_IN_KEY) != null) {
log.debug("Session found; user already logged in");
user = (Principal) request.getSession().getAttribute(JiraSeraphAuthenticator.LOGGED_IN_KEY);
- }
- else
- {
- log.debug("Trying RemoteUserJiraAuth SSO");
- String remoteuser = request.getRemoteUser();
- log.debug("remote_user set to: " + remoteuser);
- if(remoteuser != null)
- {
- String[] username = remoteuser.split("@");
- user = getUser(username[0]);
- log.debug("Logging in with username: " + user);
- request.getSession().setAttribute(JiraSeraphAuthenticator.LOGGED_IN_KEY, user);
- request.getSession().setAttribute(JiraSeraphAuthenticator.LOGGED_OUT_KEY, null);
- }
- else
- {
- log.warn("remote_user is null");
- return null;
+ } else {
+ Properties p = new Properties();
+ try {
+ InputStream iStream = ClassLoaderUtils.getResourceAsStream("RemoteUserJiraAuth.properties", this.getClass());
+ p.load(iStream);
+ } catch (Exception e) {
+ log.debug("Exception loading propertie. The properties file is optional anyway, so this may not be an issues: " + e, e);
+ }
+
+ String trustedhosts = p.getProperty("trustedhosts");
+ if (trustedhosts != null) {
+ String ipAddress = request.getRemoteAddr();
+ if (Arrays.asList(trustedhosts.split(",")).contains(ipAddress)) {
+ log.debug("IP found in trustedhosts.");
+ } else {
+ log.debug("IP not found in trustedhosts: " + ipAddress);
+ return null;
}
+ } else {
+ log.debug("trustedhosts not configured. If you're using http headers, this may be a security issue.");
+ }
+
+ String remoteuser = null;
+ String header = p.getProperty("header");
+ if (header == null) {
+ log.debug("Trying REMOTE_USER for SSO");
+ remoteuser = request.getRemoteUser();
+ } else {
+ log.debug("Trying HTTP header '" + header + "' for SSO");
+ remoteuser = request.getHeader(header);
+ }
+
+ if (remoteuser != null) {
+ String[] username = remoteuser.split("@");
+ user = getUser(username[0]);
+ log.debug("Logging in with username: " + user);
+ request.getSession().setAttribute(JiraSeraphAuthenticator.LOGGED_IN_KEY, user);
+ request.getSession().setAttribute(JiraSeraphAuthenticator.LOGGED_OUT_KEY, null);
+ } else {
+ log.debug("remote_user is null");
+ return null;
+ }
}
- }
- catch (Exception e)
- {
- log.warn("Exception: " + e, e);
+ } catch (Exception e) {
+ log.error("Exception: " + e, e);
}
return user;
}
-
}
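Review bot: A blank `trustedhosts=` or `header=` does not behave as the properties file promises: `"".split(",")` yields a single empty string, so the `contains(ipAddress)` check rejects every client instead of allowing all, and an empty header name makes `request.getHeader("")` return null so SSO is never attempted instead of falling back to `getRemoteUser()`. The `InputStream` from `ClassLoaderUtils.getResourceAsStream` is never closed, and a missing resource surfaces only as a NullPointerException from `p.load(null)` swallowed at debug level. When a header name is configured and no trustedhosts list is, the filter accepts that header from any client while saying so only at debug level; that is the one configuration in which a forged header logs a user in, so the message belongs at `log.warn`. The rewrite below normalises blank values to null, guards and closes the stream, trims each trustedhosts entry so `a, b` matches, and fixes the "propertie"/"issues" typos in the debug message.
```java
        } else {
            Properties p = new Properties();
            InputStream iStream = null;
            try {
                iStream = ClassLoaderUtils.getResourceAsStream("RemoteUserJiraAuth.properties", this.getClass());
                if (iStream != null) {
                    p.load(iStream);
                }
            } catch (Exception e) {
                log.debug("Exception loading properties. The properties file is optional anyway, so this may not be an issue: " + e, e);
            } finally {
                if (iStream != null) {
                    try {
                        iStream.close();
                    } catch (Exception ignored) {
                        // best-effort close of an optional classpath resource
                    }
                }
            }

            // A blank value is treated the same as an absent key, as the .properties comments promise.
            String trustedhosts = blankToNull(p.getProperty("trustedhosts"));
            String header = blankToNull(p.getProperty("header"));

            if (trustedhosts != null) {
                String ipAddress = request.getRemoteAddr();
                boolean trusted = false;
                for (String host : trustedhosts.split(",")) {
                    if (host.trim().equals(ipAddress)) {
                        trusted = true;
                        break;
                    }
                }
                if (!trusted) {
                    log.debug("IP not found in trustedhosts: " + ipAddress);
                    return null;
                }
                log.debug("IP found in trustedhosts.");
            } else if (header != null) {
                log.warn("trustedhosts not configured: HTTP header '" + header + "' will be trusted from any client address.");
            }

            // … unchanged: header / REMOTE_USER lookup (drop the later `String header = p.getProperty("header");` line), username split, session attributes, outer catch, return …

    /** Returns null for a null or whitespace-only value, otherwise the trimmed value. */
    private static String blankToNull(String value) {
        if (value == null) {
            return null;
        }
        String trimmed = value.trim();
        return trimmed.isEmpty() ? null : trimmed;
    }
```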
diff --git a/builds/RemoteUserJiraAuth-1.2.jar b/builds/RemoteUserJiraAuth-1.2.jar
new file mode 100644
index 0000000..472acaf
Binary files /dev/null and b/builds/RemoteUserJiraAuth-1.2.jar differ
diff --git a/builds/RemoteUserJiraAuth-1.2.tar.gz b/builds/RemoteUserJiraAuth-1.2.tar.gz
new file mode 100644
index 0000000..27d12c4
Binary files /dev/null and b/builds/RemoteUserJiraAuth-1.2.tar.gz differ