We have Jira 5.x running in the standalone variant (embedded Tomcat). We'd like to prevent any request without a valid HTTP Basic header from reaching the Jira application. Or, in other words, force JIRA to use HTTP Basic authentication. Yes, I know that transmitting HTTP Basic credentials over the wire without TLS isn't secure and stuff, but we don't have an SSL certificate anyway, so that doesn't matter (it doesn't make it worse than it actually is).
I read that Jira handles HTTP Basic Authentication headers if it gets them, and appending ?os_authType=basic to the URL makes Jira behave as we wish, but we'd like Jira to enforce HTTP Basic. We wouldn't care if we had some kind of "even-before-jira" login statically configured in Tomcat as long as the Jira application wouldn't be reachable from outside without it.
Is there a way to achieve this?
I tried adding:
to jira's web.xml but that didn't help.
Regarding the default JIRA settings, I believe that this option is available only by using custom seraph.config settings. Therefore, I believe that the following links could be useful:
1. HTTP authentication with seraph > https://confluence.atlassian.com/display/CONF25/HTTP+authentication+with+Seraph
2. Top ten tomcat configuration tips > http://oreilly.com/pub/a/java/archive/tomcat-tips.html?page=1
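
One way to build the "even-before-jira" gate the question asks for is a servlet filter that answers every request lacking the expected Basic credentials with a 401 challenge. This is an added example, not code from the original posts or from Atlassian. The class name, the init-param names `gateUser` and `gatePassword`, and the realm string are hypothetical, and it assumes the filter is mapped to `/*` ahead of Jira's own filters in web.xml and that the gate account matches a Jira account, since the question notes that Jira also handles Basic headers it receives.

```java
// Added example (not Atlassian code). Uses only Servlet 2.5 / Java 6 APIs.
// Assumed to be declared in web.xml as the first <filter-mapping> for /*,
// with hypothetical init-params gateUser and gatePassword.
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.DatatypeConverter;

public class BasicAuthGateFilter implements Filter {
    private byte[] expected; // bytes of "user:password"

    public void init(FilterConfig cfg) throws ServletException {
        String user = cfg.getInitParameter("gateUser");
        String pass = cfg.getInitParameter("gatePassword");
        if (user == null || pass == null || user.isEmpty() || pass.isEmpty()) {
            throw new ServletException("gateUser and gatePassword are required");
        }
        expected = (user + ":" + pass).getBytes(Charset.forName("UTF-8"));
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) rs;
        if (isAuthorized(((HttpServletRequest) rq).getHeader("Authorization"))) {
            chain.doFilter(rq, rs); // valid credentials: hand over to Jira
            return;
        }
        // Challenge and stop. setStatus (not sendError) so that no
        // application error page is rendered for the rejected request.
        res.setHeader("WWW-Authenticate", "Basic realm=\"Jira gate\"");
        res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    }

    boolean isAuthorized(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return false; // missing header or a different scheme
        }
        try {
            byte[] supplied = DatatypeConverter.parseBase64Binary(header.substring(6).trim());
            // isEqual does not stop at the first differing byte (Java 6u17+).
            return MessageDigest.isEqual(expected, supplied);
        } catch (IllegalArgumentException e) {
            return false; // not valid Base64
        }
    }

    public void destroy() { }
}
```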