Login redirect from plugin

childnode November 24, 2015

Thinking about implementing my own SSO authentication plugin, I found the paid plugin for SAML SSO support, which (due to missing support for encrypted requests / callbacks) is not applicable to me.

According to the common Seraph documentation, any SSO authentication module has to be configured on the server side, see https://docs.atlassian.com/atlassian-seraph/latest/sso.html or https://confluence.atlassian.com/x/iIP6D

The interesting part:

In the documentation of the paid plugin it reads like it is able to define a login-redirect URL by some magic in the plugin code only, without any need for any server / installation manipulation on install:

https://resolution.atlassian.net/wiki/x/BIDh

If "redirect login requests" is activated in the plugin configuration page, Confluence/JIRA redirects the user to the servlet at https://<baseurl>/plugins/servlet/samlsso.

Otherwise, the servlet URL has to be called explicitly to perform SSO.

 

tl;dr: can I, and if yes how, define a login redirect to a custom login / SSO URL from within plugin code when a user accesses any restricted content?

(yes, I'm aware of the question https://answers.atlassian.com/questions/30949900 but this only clarifies how to force the redirect if a user accesses plugin assets without authorization, it doesn't answer how to define the redirect URL "dynamically")

3 answers


0 votes
Subhajit Bhuiya June 7, 2018

@Titus

I am getting a compilation error while using your suggestion.

Importing SecSignIDConstants is not working. What do I need to add in pom.xml?

Titus
June 12, 2018

@Subhajit Bhuiya Sorry, but of course you are getting compile errors because this is just an example out of our class, so there are dependencies which cannot be resolved.

The example shall just show how to realise a redirect, and the redirect is:

 

if (...) {
    httpServletResp.sendRedirect("http://some-url");
}

 

To check the condition, the example is implemented in a servlet filter which must be declared in the atlassian-plugin.xml.

What we did in our SecSign ID Plugin: we added the filter to filter every URL, I mean every single request, as you can see in the snippet for the atlassian-plugin.xml.

 

Then in your Java class you can override the doFilter method:

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
    ...
}

Depending on what you have defined in your atlassian-plugin.xml, this will be called for every single request.

 

Then we check whether the request is a login page and whether a user is logged in:

//
// check whether a user is logged in or not
//
Object appUserObject = session.getAttribute(DefaultAuthenticator.LOGGED_IN_KEY);
UserProfile userProfile = null;
if (appUserObject == null) {
    userProfile = userManager.getRemoteUser(httpServletReq);
}
if (appUserObject != null || userProfile != null) {
    // a user is logged in ...
}

 

There are other possibilities, like filtering the response first and then parsing the response for a login form. But I am not sure if you can send a redirect when calling

filterChain.doFilter(request, response);

first. So we decided to filter/check the URL in our 2FA addons.

0 votes
Titus
June 2, 2016

You can create a servlet filter in your atlassian-plugin.xml which then checks whether a user needs to login.

In this case you can just redirect the requested URL to any URL you like. To do so, you can implement a servlet which serves the URL you redirect to.

For example, the implemented redirect. This is a snippet from my atlassian-plugin.xml:

 

<servlet-filter name="SecSignIDAuthenticationFilter"
                key="com.secsign.jira.servlet.filter.SecSignIDAuthenticationFilter"
                class="com.secsign.jira.servlet.filter.SecSignIDAuthenticationFilter"
                location="before-login"
                weight="200">
    <description>SecSign ID Filter</description>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</servlet-filter>

and the implementation of the servlet filter:

 

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {

    HttpServletRequest httpServletReq = (HttpServletRequest) request;
    String requestUri = httpServletReq.getRequestURI();

    if (requestUri.contains(SecSignIDConstants.JIRA_DASHBOARD_JSP_PATH)) {
        HttpServletResponse httpServletResp = (HttpServletResponse) response;
        HttpSession session = httpServletReq.getSession();
        // base URL of this JIRA instance, used for both redirects below
        String jiraBaseUrl = SecSignIDAuthenticationFilter.getJiraBaseUrl(httpServletReq);

        //
        // check whether a user is logged in or not
        //
        Object appUserObject = session.getAttribute(DefaultAuthenticator.LOGGED_IN_KEY);
        UserProfile userProfile = null;
        if (appUserObject == null) {
            userProfile = userManager.getRemoteUser(httpServletReq);
        }

        if (appUserObject != null || userProfile != null) {
            // a user is already logged in. nothing else to do?
            if (requestUri.contains(SecSignIDConstants.JIRA_LOGIN_JSP_PATH)) {
                httpServletResp.sendRedirect(jiraBaseUrl);
            } else {
                // a user is logged in and the login path was not called explicitly. just finish the filter chain
                filterChain.doFilter(httpServletReq, httpServletResp);
            }
            return;
        }

        //
        // Check whether a login process is currently processed
        //
        if (httpServletReq.getParameter(SecSignIDConstants.JIRA_LOGIN_FORM_SUBMIT_PARAM_NAME) != null &&
            httpServletReq.getParameter(SecSignIDConstants.JIRA_LOGIN_USER_PARAM_NAME) != null &&
            httpServletReq.getParameter(SecSignIDConstants.JIRA_LOGIN_PWD_PARAM_NAME) != null) {
            // user currently logs in using the default username/password form
            filterChain.doFilter(request, response);
            return;
        }

        // send redirect to our servlet
        httpServletResp.sendRedirect(jiraBaseUrl + SecSignIDConstants.SECSIGNID_SERVLET_PATH);

        // redirect was sent. nothing else to do. there is no need to go up the filter chain.
        return;
    }

    // no need for a redirect, just go through the normal filters of the servlet
    filterChain.doFilter(request, response);
}

 

 

gfinesch May 12, 2017

Hello everyone,

I am facing the exact same problem with integrating Jira with OAuth 2.0. Do you mind posting the rest of your class, please? It would be very helpful here, thank you!
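A complete filter of the kind Titus describes in both of his answers above, as an added example and not code from the SecSign ID plugin or from any project on this page. It assumes SAL's UserManager and ApplicationProperties are injected, that the filter is declared in atlassian-plugin.xml with location="before-login" and url-pattern /* like the snippet above, and that /plugins/servlet/samlsso (the path quoted in the question) is the plugin's own SSO servlet; it builds the redirect from the configured base URL rather than the Host header and skips its own servlet and the login form so that no redirect loop can occur.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.atlassian.sal.api.ApplicationProperties;
import com.atlassian.sal.api.user.UserManager;

// Hypothetical filter (added example), declared in atlassian-plugin.xml with
// location="before-login" and <url-pattern>/*</url-pattern>, like the SecSign snippet.
public class SsoRedirectFilter implements Filter {
    // Assumed path of the plugin's own SSO servlet (the question quotes /plugins/servlet/samlsso).
    static final String SSO_SERVLET_PATH = "/plugins/servlet/samlsso";
    private final UserManager userManager;                     // SAL, injected
    private final ApplicationProperties applicationProperties; // SAL, injected

    public SsoRedirectFilter(UserManager userManager, ApplicationProperties applicationProperties) {
        this.userManager = userManager;
        this.applicationProperties = applicationProperties;
    }

    @Override public void init(FilterConfig filterConfig) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // path relative to the context root, e.g. /secure/Dashboard.jspa
        String path = req.getRequestURI().substring(req.getContextPath().length());

        // Loop guard: let the SSO servlet itself, the normal login form, static assets,
        // and already-authenticated users pass straight through.
        if (path.startsWith(SSO_SERVLET_PATH) || path.startsWith("/login") || path.startsWith("/s/")
                || userManager.getRemoteUser(req) != null) {
            chain.doFilter(request, response);
            return;
        }

        // Build the target from the configured base URL (not the Host header) and hand the SSO
        // servlet only a relative return path, so it cannot be abused as an open redirector.
        String query = req.getQueryString() == null ? "" : "?" + req.getQueryString();
        String returnTo = URLEncoder.encode(path + query, StandardCharsets.UTF_8.name());
        resp.sendRedirect(applicationProperties.getBaseUrl() + SSO_SERVLET_PATH + "?returnTo=" + returnTo);
    }
}
```

The SSO servlet on the receiving end should still check that returnTo is a relative path (starts with a single "/") before redirecting to it after authentication.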

0 votes
Panos
November 25, 2015

I don't know specifically about SSO (if you do find out, please share!). How about using a servlet filter to protect your assets and redirect to some xxx URL if requirements are not met?
