We had a customer report that after creating a custom SSO Authenticator for JIRA and Confluence, they were not able to use app links between the two applications.
When they went back to using the standard Seraph Authenticator, the application links worked again.
The Seraph Authenticator works as a Servlet Filter that protects every HTTP request coming in to the server as required.
Application Links uses their own forms of security - notably OAuth and "Trusted Applications". These are also Servlet Filters and the way they work is that they occur earlier in the Filter chain than the Seraph Filter.
If the request is an authenticated Application Link request, then the app link filter will set a request attribute that indicates "LOGIN_SUCCESS".
It is then up to the Seraph Authenticator to explicitly check this flag in order to allow authenticated Application Link requests to continue.
For a developer writing a custom Seraph Authenticator (e.g. for SSO) this means that the implementation of getUser(HttpServletRequest request, HttpServletResponse response) needs to check if the request is already authenticated by the App Links filter.
The check should look something like:

    private boolean isAlreadyAuthenticated(HttpServletRequest request) {
        if (BaseLoginFilter.LOGIN_SUCCESS.equals(request.getAttribute(BaseLoginFilter.OS_AUTHSTATUS_KEY))) {
            if (logger.isDebugEnabled()) {
                logger.debug("User is authenticated via previous filter");
            }
            return true;
        }
        return false;
    }

More specifically, the first few lines of the getUser method should look something like the following:

    public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
        if (isAlreadyAuthenticated(request)) {
            return getUserFromSession(request);
        }
        ....
    }

This should be all you need.
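
The following is an added example, not code from the answer above or from Atlassian: a custom authenticator for JIRA that runs the App Links check first and only then falls through to the SSO path and the stock Seraph behaviour. The class name, and the assumption that the SSO layer exposes the identity through getRemoteUser(), are hypothetical choices made for this example.

```java
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.atlassian.jira.security.login.JiraSeraphAuthenticator;
import com.atlassian.seraph.filter.BaseLoginFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical class name, used only for this example.
public class SsoAwareAuthenticator extends JiraSeraphAuthenticator {
    private static final Logger logger = LoggerFactory.getLogger(SsoAwareAuthenticator.class);

    @Override
    public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
        // 1. An earlier filter (OAuth / Trusted Applications) has already
        //    authenticated this request: honour it and skip the SSO logic.
        if (isAlreadyAuthenticated(request)) {
            return getUserFromSession(request);
        }
        // 2. A user who already holds a session needs no new SSO lookup.
        Principal user = getUserFromSession(request);
        if (user != null) {
            return user;
        }
        // 3. SSO path. Assumption: the SSO layer in front of the application
        //    populates getRemoteUser(); adapt this to your SSO product.
        String remoteUser = request.getRemoteUser();
        if (remoteUser != null) {
            user = getUser(remoteUser);
            if (user != null) {
                request.getSession().setAttribute(LOGGED_IN_KEY, user);
                request.getSession().setAttribute(LOGGED_OUT_KEY, null);
                return user;
            }
        }
        // 4. Nothing matched: fall back to the standard Seraph behaviour.
        return super.getUser(request, response);
    }

    // The flag is a request attribute set server-side by the earlier filter,
    // not a header or parameter. Compare against LOGIN_SUCCESS exactly rather
    // than treating any non-null value as authenticated.
    private boolean isAlreadyAuthenticated(HttpServletRequest request) {
        Object status = request.getAttribute(BaseLoginFilter.OS_AUTHSTATUS_KEY);
        logger.debug("{} = {}", BaseLoginFilter.OS_AUTHSTATUS_KEY, status);
        return BaseLoginFilter.LOGIN_SUCCESS.equals(status);
    }
}
```

The debug line logs the attribute's value on every call, which shows whether an earlier filter set it before this authenticator ran.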
We tried these code changes but debugging it we are not seeing OS_AUTHSTATUS_KEY in the request attributes. So we never make it to the getUserFromSession method. What are we missing?
Just found this answer - we are using a custom Seraph authenticator for SSO and tried implementing this fix but we are still having difficulty getting AppLinks to work. Any other ideas what may be the cause?