
We have Jira 5.x running in the standalone variant (embedded tomcat). We'd like to prevent any request without a valid http basic header from reaching the Jira application. Or, in other words, force JIRA to use HTTP Basic authentication. Yes, I know that transmitting http basic credentials over the wire without tls isn't secure and stuff, but we don't have an SSL certificate anyway, so that doesn't matter (it doesn't make it worse than it actually is).

I read that Jira handles HTTP Basic Authentication headers if it gets them, and appending ?os_authType=basic to the URL makes Jira behave as we wish, but we'd like Jira to enforce HTTP Basic. We wouldn't care if we had some kind of "even-before-jira" login statically configured in tomcat as long as the jira application wouldn't be reachable from outside without it.

Is there a way to achieve this?

I tried adding:

to jira's web.xml but that didn't help.


    2 answers


      Hi there

      Regarding the default JIRA settings, I believe that this option is available only using a custom seraph.config settings. Therefore, I believe that the following links could be useful:

      1. HTTP authentication with seraph > https://confluence.atlassian.com/display/CONF25/HTTP+authentication+with+Seraph

      2. Top ten tomcat configuration tips > http://oreilly.com/pub/a/java/archive/tomcat-tips.html?page=1

      Cheers,

      Paulo Renato

        1. I don't understand this sentence: "Yes, I know that transmitting http basic credentials over the wire without tls isn't secure and stuff, but we don't have an SSL certificate anyway, so that doesn't matter (it doesn't make it worse than it actually is)."
        2. You could set up your own CA, and have the users have SSL Client Certificates, and set up your http server to only accept connections from recognized client certs. This way you kill two birds with one stone, as you'll get HTTPS set up, and protect your JIRA traffic from prying eyes. Cons: you'll have to also set up revocation services to kick out terminated users.

         

          CommentAdd your comment...
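The second answer's client-certificate approach can be expressed directly in the Tomcat that ships with JIRA: the HTTPS connector is told to require a client certificate issued by the internal CA, and the plain HTTP connector is removed so there is no unauthenticated path into the webapp. The snippet below is an added example for the thread, not configuration from the original post or from Atlassian; the port, keystore and truststore paths, passwords and the CRL path are placeholders, and it assumes the internal CA certificate has already been imported into the truststore. Because the TLS handshake fails before any HTTP request is parsed, a client without a valid certificate never reaches JIRA, which is the "even-before-jira" gate the question asks for; JIRA's own Seraph login still applies on top of it unless it is separately configured to trust the client certificate.

```xml
<!-- conf/server.xml of the Tomcat bundled with JIRA (added example, not from the thread).
     Replace the paths and passwords; they are placeholders. -->

<!-- 1. Remove or comment out the plain HTTP connector (usually port 8080) so that
        the only way in is the mutually authenticated HTTPS connector below. -->

<!-- 2. HTTPS connector that requires a client certificate from the internal CA. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150" sslProtocol="TLS"
           keystoreFile="/opt/jira/conf/jira-server.jks"   keystorePass="CHANGEME"
           clientAuth="true"
           truststoreFile="/opt/jira/conf/internal-ca.jks" truststorePass="CHANGEME"
           crlFile="/opt/jira/conf/internal-ca.crl" />
```

Two points a practitioner will want to check: `clientAuth="true"` (as opposed to `"want"`) makes the handshake fail outright when no acceptable certificate is presented, so test it with and without a client certificate after restarting; and `crlFile` is what implements the revocation the answer mentions, so the CRL must be regenerated and the connector reloaded whenever a departing user's certificate is revoked, otherwise that certificate keeps working until it expires.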