
How to make a custom SSO Authenticator work with Application Links?

mlassau_atlassian
March 14, 2013

We had a customer report that after creating a custom SSO Authenticator for JIRA and Confluence, they were not able to use app links between the two applications.
When they went back to using the standard Seraph Authenticator, the application links worked again.

3 votes
Answer accepted
mlassau_atlassian
March 14, 2013

The Seraph Authenticator works as a Servlet Filter that protects every HTTP request coming in to the server as required.

Application Links uses their own forms of security - notably OAuth and "Trusted Applications". These are also Servlet Filters and the way they work is that they occur earlier in the Filter chain than the Seraph Filter.
If the request is an authenticated Application Link request, then the app link filter will set a request attribute that indicates "LOGIN_SUCCESS".
It is then up to the Seraph Authenticator to explicitly check this flag in order to allow authenticated Application Link requests to continue.

For a developer writing a custom Seraph Authenticator (eg for SSO) this means that the implementation of

getUser(HttpServletRequest request, HttpServletResponse response)

needs to check if the request is already authenticated by the App Links filter.
The check should look something like:

private boolean isAlreadyAuthenticated(HttpServletRequest request)
{
    if (BaseLoginFilter.LOGIN_SUCCESS.equals(request.getAttribute(BaseLoginFilter.OS_AUTHSTATUS_KEY)))
    {
        if (logger.isDebugEnabled())
        {
            logger.debug("User is authenticated via previous filter");
        }
        return true;
    }
 
    return false;
}

JustinK
March 14, 2013

More specifically, the first few lines of the getUser method should look something like the following:

public Principal getUser(HttpServletRequest request, HttpServletResponse response)
{
    if (isAlreadyAuthenticated(request))
    {
       return getUserFromSession(request);
    }
    
    ....
}

This should be all you need.

Travis Masselink July 10, 2014

We tried these code changes but debugging it we are not seeing OS_AUTHSTATUS_KEY in the request attributes. So we never make it to the getUserFromSession method. What are we missing?

0 votes
Brian Lieberman April 24, 2014

Just found this answer - we are using a custom Seraph authenticator for SSO and tried implementing this fix but we are still having difficulty getting AppLinks to work. Any other ideas what may be the cause?
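
To see what a custom authenticator will actually receive, here is an added example (not from the original posts and not Atlassian code): a diagnostic servlet filter that logs the BaseLoginFilter.OS_AUTHSTATUS_KEY request attribute for each request. The class name AuthStatusProbeFilter is hypothetical, and it assumes you can register the filter in the chain directly ahead of the Seraph filter.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import com.atlassian.seraph.filter.BaseLoginFilter;

/** Added diagnostic example (hypothetical class name), not part of Seraph or Application Links. */
public class AuthStatusProbeFilter implements Filter
{
    private static final Logger LOG = Logger.getLogger(AuthStatusProbeFilter.class.getName());

    @Override
    public void init(FilterConfig config)
    {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException
    {
        if (req instanceof HttpServletRequest)
        {
            HttpServletRequest http = (HttpServletRequest) req;
            // A request attribute is set server-side by an earlier filter;
            // it is not a parameter or header the client can supply.
            Object status = http.getAttribute(BaseLoginFilter.OS_AUTHSTATUS_KEY);
            boolean preAuthenticated = BaseLoginFilter.LOGIN_SUCCESS.equals(status);
            // Log only method, path and flag: no headers, cookies or query string.
            LOG.info(String.format("%s %s authstatus=%s preAuthenticated=%b",
                    http.getMethod(), http.getRequestURI(), status, preAuthenticated));
        }
        // Always continue the chain; this filter only observes.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy()
    {
        // Nothing to release.
    }
}
```

If an Application Link request logs authstatus=null here, no earlier filter has marked it as authenticated by the time the authenticator runs, so the isAlreadyAuthenticated check cannot succeed for that request.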
