Restrict login based on IP-address

Christian Holmboe December 2, 2012

Do you know if there is a plugin that will allow me to allow/reject login based on the user's IP? We have a fairly locked down installation and would like to allow some user-groups (customers) to only login from a specific IP-range (customer networks).

Cheers!

/Christian

2 answers

1 vote
C_ Faysal
Rising Star
December 2, 2012

the easiest way without generating firewall rules is by setting up some allowed IPs inside your vhost config.

but this will block all communication before your unwanted clients reach the application itself so jira is not going to deny/allow any ip-range but apache will do so...

which is indeed an ugly solution cause you need to modify manually each time you get new customers..

also if your customers know how to send requests using a different outgoing ip these settings will be bypassed in less than a second.

0 votes
Nic Brough -Adaptavist-
Community Leader
December 2, 2012

No, there's nothing in the application.

That's the right approach actually, because you really want to reject users well before they reach the application - you would be far better off doing this in your firewalls.

(There is a valid grumble here that you're wasting your time because it's a doddle to bypass IP based security, but that's for you to take up with your security people. Ideally getting better ones if they seriously think this is a useful way to do security)

Christian Holmboe December 2, 2012

Thank you for your reply! Maybe I should elaborate a bit. Our customers access jira from dedicated vpn-tunnels, there is no public access to our jira. The scenarios we're trying to avoid are:

  • A user at Customer A switching employer to Customer B still accessing A's issues through his old account. (Yes, his A-account should be terminated asap, but there might be a long time before we know that the user has changed firms)
  • A company account is sniffed and used from a Customer vpn (all our on-site personnel use two factor authentication to logon to our company vpn from which they can access jira)

We have a way of doing this, but it is a bit of a plugin-hack that a former security officer whipped up. It's now in the way of a jira upgrade so I'm investigating alternative ways of achieving this rather than maintaining the hack.

We run jira behind apache, would it be possible to somehow have apache block access based on the content of the login form post query?

C_ Faysal
Rising Star
December 2, 2012

you mean something like "http(s)://yourJirahost/secure/Dashboard.jspa" ?

this can be restricted as well

note that there are 2 ways that can be used for login

second is http(s)://yourJirahost/login.jsp

you do this by adding restrictions for Locations (e.g. like)

<Location /crowd/>
        # Apache 2.2 access control: with "Order deny,allow" the Deny rules are
        # evaluated first and a matching Allow then overrides them, so only
        # someIP gets through; everything else receives 403 before reaching JIRA.
        Order deny,allow
        Allow from someIP
        Deny from All
</Location>
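An added example (not from the thread) applying the same idea to the two JIRA login entry points the answer names, in Apache 2.4 syntax beside the 2.2 form; the subnets 10.20.30.0/24 and 192.0.2.0/24 are constructed placeholders for customer VPN ranges.

```apache
# Added example: restrict both login entry points to customer VPN ranges.
# Apache 2.4 form (mod_authz_core): one Require line lists every permitted range.
<LocationMatch "^/(login\.jsp|secure/Dashboard\.jspa)$">
    # 10.20.30.0/24 and 192.0.2.0/24 are constructed placeholder subnets
    Require ip 10.20.30.0/24 192.0.2.0/24
</LocationMatch>

# Equivalent Apache 2.2 form (mod_authz_host), matching the style used above.
# Deny rules run first, then the Allow line overrides them for the listed ranges.
<Location /login.jsp>
    Order deny,allow
    Deny from all
    Allow from 10.20.30.0/24 192.0.2.0/24
</Location>
```

This still decides on the source address only: Apache cannot tell which customer account is in the POSTed form, so it cannot map a user to "their" range, and the address it evaluates must be the real VPN client address rather than that of an intermediate proxy.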

JM R_ December 2, 2012

I'd first see if the plugin hack cannot be easily used on a newer version of jira.

Afterwards, a wrapper comes to mind that you login against. If you pass the conditions in the wrapper you could redirect them to the actual Jira. One would have to find out however how exactly Jira authenticates users. On the dashboard I see a submit to the current page (Dashboard.jsp) while there also is login.jsp etc.

You seem smart enough to find another hack ;-)
