Currently, the RPC/SOAP interface allows a user to remotely login and returns a token upon successful authentication. This token is issued by the TokenManager plugin module. Unfortunately, this token is only useful for accessing the RPC/SOAP interface. It would be useful to also use this token to log into Jira's web interface. I have written a LoginFilter that does this. Unfortuately, because the Authenticator.Login() method requires a username/password to login, it prevents me from using the following code since I don't have a password any longer, only a username:

securityConfig.getAuthenticator().login(request, response, user.getName(), "password", persistentLogin);

Ideally, the TokenManager would depend on the Authenticator to issue the token (TokenManager would no longer be needed then). Then, the LoginFilter could login the user with a method similar to:

securityConfig.getAuthenticator().tokenLogin(request, response, token, persistentLogin);

Because this capability isn't available, I had to write code like the following in my LoginFilter:

TokenManager tokenManager = this.getTokenManager();
if(null != tokenManager)
{
user = tokenManager.retrieveUser(token);
if(null != user)

{ request.getSession().setAttribute(com.atlassian.seraph.auth.DefaultAuthenticator.LOGGED_IN_KEY, user); request.getSession().setAttribute(com.atlassian.seraph.auth.DefaultAuthenticator.LOGGED_OUT_KEY, null); }

}

This is a hack since it depends on Jira using the default authenticator as well as requiring knowledge of the internal workings of the class.