Do you know if there is a plugin that will allow me to allow/reject login based on the user's IP? We have a fairly locked down installation and would like to allow some user-groups (customers) to only login from a specific ip-range (customer networks).
Cheers!
/Christian
the easiest way without generating firewall rules is by setting up some allowed IPs inside your vhost config.
but this will block all communication before your unwanted clients reach the application itself so jira is not going to deny/allow any ip-range but apache will do so...
which is indeed an ugly solution cause you need to modify manually each time you get new customers..
also if your customers know how to send requests using a different outgoing ip these settings will be bypassed in less than a second.
No, there's nothing in the application.
That's the right approach actually, because you really want to reject users well before they reach the application - you would be far better off doing this in your firewalls.
(There is a valid grumble here that you're wasting your time because it's a doddle to bypass IP based security, but that's for you to take up with your security people. Ideally getting better ones if they seriously think this is a useful way to do security)
Thank you for your reply! Maybe I should elaborate a bit. Our customers access jira from dedicated vpn-tunnels, there is no public access to our jira. The scenarios we're trying to avoid are:
We have a way of doing this, but it is a bit of a plugin-hack that a former security officer whipped up. It's now in the way of a jira upgrade so I'm investigating alternative ways of achieving this rather than maintaining the hack.
We run jira behind apache, would it be possible to somehow have apache block access based on the content of the login form post query?
you mean something like "http(s)://yourJirahost/secure/Dashboard.jspa" ?
this can be restricted as well
note that there are 2 ways that can be used for login
second is http(s)://yourJirahost/login.jsp
you do this by adding restrictions for Locations (e.g. like)
<Location /crowd/>
    Order deny,allow
    Allow from someIP
    Deny from All
</Location>
I'd first see if the plugin hack cannot be easily used on a newer version of jira.
Afterwards, a wrapper comes to mind that you login against. If you pass the conditions in the wrapper you could redirect them to the actual Jira. One would have to find out however how exactly Jira authenticates users. On the dashboard I see a submit to the current page (Dashboard.jsp) while there also is login.jsp etc.
You seem smart enough to find another hack ;-)
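The wrapper idea above comes down to a per-group address check made before the login is passed on. A sketch of that check, as an added example that is not code from this thread or from Jira: the group names, networks and proxy address are constructed, and the wrapper is assumed to sit behind Apache, which appends the connecting client's address to X-Forwarded-For.

```python
import ipaddress

# Constructed sample policy: restricted group -> networks its members may use.
# Groups without an entry carry no IP restriction.
GROUP_NETWORKS = {
    "customer-a": ["10.20.0.0/16"],
    "customer-b": ["10.30.5.0/24", "10.30.6.0/24"],
}
# Assumed address of the Apache reverse proxy in front of the wrapper.
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}


def client_ip(peer_addr, forwarded_for=None):
    """Return the address to authorise against.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    otherwise any client could send the header and choose its own address.
    The right-most entry is used because that is the one our proxy appended;
    entries to its left were supplied by the client and prove nothing.
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer in TRUSTED_PROXIES and forwarded_for:
        last_hop = forwarded_for.split(",")[-1].strip()
        return ipaddress.ip_address(last_hop)  # ValueError if malformed
    return peer


def login_allowed(groups, peer_addr, forwarded_for=None):
    """True if every restricted group of the user permits the client address."""
    try:
        addr = client_ip(peer_addr, forwarded_for)
    except ValueError:
        return False  # unparseable address: fail closed
    for group in groups:
        nets = GROUP_NETWORKS.get(group)
        if nets is None:
            continue  # unrestricted group
        if not any(addr in ipaddress.ip_network(n) for n in nets):
            return False
    return True


if __name__ == "__main__":
    # Customer A user arriving through the proxy from their own tunnel range.
    print(login_allowed(["customer-a"], "127.0.0.1", "10.20.3.4"))
    # Same user, with a forged left-most entry and a real address elsewhere.
    print(login_allowed(["customer-a"], "127.0.0.1", "10.20.3.4, 10.30.5.9"))
```

The check is only as strong as the addressing underneath it: it assumes each customer's tunnel range is assigned and routed by you, so one customer cannot source traffic from another's network.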