Bill,
maybe I'm missing something but the solution at http://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS
Cheers
Mark C

There is a comment at the bottom of that page that says: "There does not seem to be an easy way to make subsequent pages revert to HTTP after logging in via HTTPS - see
Basically, here's what I want:
1. user goes to wiki homepage (http)

I followed the directions on that page and it actually broke our wiki completely. Backing out of those specific changes restored everything. I'll need to dig into this some more. But, from the comment on that page, it seems as though Confluence won't work the way I want? Should it? Thanks!

I just downloaded a clean version of Confluence (standalone) and followed all of the following steps:
1. install and check to make sure it works. OK!
3. check to make sure it works – it does. OK! Both http (8080) and https (8443) work.
4. follow steps under the heading: "Requiring HTTPS for certain pages"
This kills the server. Neither 8080 nor 8443 work. Both report: HTTP Status 404 - /

Bill,
Works for me with JIRA Standalone. Please could you create a new issue on https://support.atlassian.com
Cheers,

I've been looking into how to do this for our installation, as we want SSL for login but don't like the performance hit for viewing other pages. We are running behind Apache, so I'd like a solution that works in that configuration.
Some interesting sites regarding this: and the "How can I switch between HTTP and HTTPS in relative hyperlinks?" question on

Protecting only the login page is not a huge security gain if cookies are used to automatically log one in. I've added some thoughts to a related issue, "Restrict cookie-based login to SSL users":
I'm having a hard time remembering any SSL site that has a "remember me" function. To me it is a completely acceptable solution to have an administrative option to disable the "remember me" function if one wants to use SSL just for the login. Furthermore, the modern web browsers will all auto remember the login and password fields for you, so if you don't have the "remember me" function it is only one "extra" click for a user to gain access.
In JIRA 3.4.x there is a 'jira.option.allowcookies' property that can be set in jira-application.properties.
Assuming JIRA had a cookie handling option: Cookie-based login: Would that keep people happy? Is anyone actually after the original subject of this issue, redirecting from https to http?

Yes, I am after the redirection from https to http.
In an ideal setup (for me) I'd like to see this:
What I meant by my prior comment is that as long as the above can happen I don't care whether or not the user gets to use a cookie for login (if they do then great, but if not it isn't a big deal). In addition to the above setup, I can imagine there are clients who would like all pages to be served via HTTPS.

This may be possible with the UrlRewriteFilter in JIRA (configured in WEB-INF/urlrewrite.xml).
I am interested in this option of "Force only login pages to HTTPS and then revert everything back to HTTP".
Can you look into this and suggest a workaround until an elegant solution is found. This seems like it should be an important thing to resolve.

I too would like SSL on just the login screen to protect the password.
I haven't fully tested this yet, but here is a possible workaround:
The above will at least ensure that the user's password is sent using HTTPS. All other communication between the browser and server is unencrypted, including session cookies, login cookies, password change forms, etc. So this workaround only represents a small solution to the large problem of improving JIRA/Confluence security without simply requiring full SSL for all URLs. This is the way lots of sites work. The reason for the client redirect is to prevent the browser from warning the user about the redirect from HTTPS to HTTP. The other alternative, which Amazon seems to use, is to make sure that when the login is complete, all of the links on the next page are absolute, so any click will bring the user back to HTTP.

Thanks for the input. We'll take a look if we can do something about it.
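Added example, written for this page and not taken from any post in the thread or from JIRA itself: a small check of the point made above about session and login cookies. Given the Set-Cookie headers an HTTPS login response hands out, it works out which of those cookies a browser will send back in clear text as soon as the user is bounced to a plain-HTTP page. The headers are constructed for the example; the host name jira.myserver.com is an assumption; JSESSIONID is Tomcat's session cookie name, and seraph.os.cookie is assumed to be the "remember me" cookie name.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed Set-Cookie headers standing in for an HTTPS login response.
# Values are made up. The third cookie is a constructed contrast showing the
# one attribute that keeps a cookie off plain HTTP.
SAMPLE_LOGIN_SET_COOKIE = [
    "JSESSIONID=8F2C1A0B3D4E5F60718293A4B5C6D7E8; Path=/; HttpOnly",
    "seraph.os.cookie=10001%3Aabcd1234; Path=/",
    "secure.only.example=1; Path=/; Secure",
]


def parse_set_cookie(header: str, origin_host: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into the fields that decide where
    the cookie is sent back. A cookie without a Domain attribute is
    host-only: it returns only to the host that set it."""
    name_value, *attrs = (part.strip() for part in header.split(";"))
    name, _, value = name_value.partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "secure": False,
              "httponly": False, "path": "/", "domain": origin_host.lower(),
              "host_only": True}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "path" and val:
            cookie["path"] = val
        elif key == "domain" and val:
            cookie["domain"] = val.lstrip(".").lower()
            cookie["host_only"] = False
    return cookie


def _domain_matches(cookie: Dict[str, object], host: str) -> bool:
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + str(cookie["domain"]))


def _path_matches(cookie: Dict[str, object], path: str) -> bool:
    cookie_path = str(cookie["path"])
    return path == cookie_path or path.startswith(cookie_path.rstrip("/") + "/")


def cookies_sent_to(cookies: List[Dict[str, object]], url: str) -> List[str]:
    """Names of the cookies a browser would attach to a request for url,
    applying the Secure, Domain and Path rules of RFC 6265 (simplified:
    expiry and SameSite are ignored)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    sent = []
    for cookie in cookies:
        if cookie["secure"] and parts.scheme != "https":
            continue  # the Secure flag is the only thing keeping a cookie off plain HTTP
        if not _domain_matches(cookie, host) or not _path_matches(cookie, path):
            continue
        sent.append(str(cookie["name"]))
    return sorted(sent)


def plaintext_exposure(set_cookie_headers: List[str], origin_host: str,
                       next_url: str) -> List[str]:
    """Which cookies from the login response travel in clear text when the
    user is sent on to next_url after logging in."""
    cookies = [parse_set_cookie(h, origin_host) for h in set_cookie_headers]
    return cookies_sent_to(cookies, next_url)


if __name__ == "__main__":
    origin = "jira.myserver.com"  # assumed host for the example
    print("sent over HTTP :", plaintext_exposure(
        SAMPLE_LOGIN_SET_COOKIE, origin, f"http://{origin}/secure/Dashboard.jspa"))
    print("sent over HTTPS:", plaintext_exposure(
        SAMPLE_LOGIN_SET_COOKIE, origin, f"https://{origin}/login.jsp"))
```

With the constructed headers, both JSESSIONID and the remember-me cookie go out over HTTP on the very first page after login, so anyone who can read the traffic gets the session the password just protected. Adding Secure to those two cookies would stop that, but then the HTTP pages would have no session at all, which is exactly why login-only SSL does not buy much here.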
Also, in the loginform.jsp file the os_destination hidden input needs to be modified to redirect the user over HTTPS to the redirect-to-http.jsp page. This will keep the os_destination functioning while keeping the browser mostly happy. The problem with the line below is that it acts strange when the user mistypes their password. I haven't had time to fix it.

<input type="hidden" name="os_destination" value="https://<%= request.getServerName() %><%= request.getContextPath() %>/redirect-to-http.jsp?os_destination=<%= (request.getParameter("os_destination") == null ? "/secure/" : TextUtils.htmlEncode(request.getParameter("os_destination"))) %>">

The Yahoo way, which I think is a pretty good solution, is to...
Thanks to Andrew over on the Confluence side of this issue http://jira.atlassian.com/browse/CONF-4116
1) Change the action URL in /includes/loginform.jsp to send the password over HTTPS.

https://jira.sln.suny.edu<%= request.getContextPath() %>/login.jsp

2) Create a file /redirect-to-http.jsp that redirects the user to HTTP via JavaScript, so the browser won't complain about the HTTPS to HTTP switch.

<%-- redirect-to is taken straight from the query string and written into the page as-is --%>
<% final String redirectURL = request.getParameter("redirect-to"); %>
<html>
<head>
<script language="JavaScript">
window.location.replace("<%= redirectURL %>");
</script>
<meta http-equiv="Refresh" content="0; url=<%= redirectURL %>">
</head>
<body>
<a href="<%= redirectURL %>">Please, click here if not automatically redirected within a few seconds...</a>
</body>
</html>

3) Create a mod_rewrite rule to send users to the redirect page when they shouldn't be using HTTPS.

<VirtualHost 12.34.56.78:443>
ServerName jira.myserver.com
RewriteEngine On
# Force all non-login pages back to non-SSL
RewriteCond %{REQUEST_URI} !^/redirect-to-http.jsp
RewriteCond %{REQUEST_URI} !^/login.jsp
RewriteCond %{REQUEST_URI} !^/images/
RewriteCond %{REQUEST_URI} !^/download/userResources/logo
RewriteCond %{REQUEST_URI} !\.(css|js)$
RewriteRule (.*) https://jira.myserver.com/redirect-to-http.jsp?redirect-to=http://jira.myserver.com$1 [R,L]
...
</VirtualHost>
...that should keep all interactions with login.jsp under HTTPS, while bouncing the user back to HTTP for other pages, without an annoying browser warning.

I think Bernard's answer pretty much covers this.
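Added example, written for this page and not code from the thread or from JIRA: the decision the RewriteCond/RewriteRule chain above makes, in Python, together with the validation the posted redirect-to-http.jsp does not do. That JSP writes the redirect-to parameter into a <script> block, a meta refresh and an href without checking or escaping it, so a crafted link through the HTTPS host can send the user to any site, or put script into the page. The host name jira.myserver.com and the root context come from the VirtualHost above; the exemption list is copied from the RewriteCond lines; everything else (fallback page, the exact character allowlist) is an assumption for the example. A Tomcat-only setup with UrlRewriteFilter would express the same conditions.

```python
import html
import json
import re
from typing import Optional
from urllib.parse import quote, urlsplit

# Assumed deployment for this example (not stated in the thread): JIRA at the
# root context on this host, plain HTTP on 80 and HTTPS on 443.
HOST = "jira.myserver.com"

# Paths that stay on HTTPS; mirrors the RewriteCond exclusions above.
EXEMPT_PREFIXES = ("/redirect-to-http.jsp", "/login.jsp", "/images/",
                   "/download/userResources/logo")
EXEMPT_SUFFIX = re.compile(r"\.(css|js)$")

# Characters permitted in a redirect target: RFC 3986 unreserved, sub-delims
# and ":@/?%". Spaces, quotes, angle brackets, backslashes and control
# characters are rejected outright, so nothing can break out of the <script>
# block or the attributes the target is written into.
SAFE_TARGET = re.compile(r"^[A-Za-z0-9\-._~!$&'()*+,;=:@/?%]*$")


def should_bounce_to_http(scheme: str, path: str) -> bool:
    """The RewriteCond chain: bounce HTTPS requests that are not the login
    page, the redirect page or a static asset."""
    if scheme != "https":
        return False
    if path.startswith(EXEMPT_PREFIXES) or EXEMPT_SUFFIX.search(path):
        return False
    return True


def bounce_url(path: str, query: str = "") -> str:
    """The RewriteRule target. The rule above pastes $1 into the query string
    unencoded, which drops the original query string and breaks on '?' or
    '&'; percent-encoding the whole target avoids that."""
    target = f"http://{HOST}{path}" + (f"?{query}" if query else "")
    return (f"https://{HOST}/redirect-to-http.jsp?redirect-to="
            + quote(target, safe=""))


def safe_http_target(redirect_to: str) -> Optional[str]:
    """Validate the redirect-to parameter before the redirect page uses it.

    Accepts a site-absolute path ("/secure/...") or an absolute http:// URL
    on our own host and returns the normalised http:// URL. Other hosts,
    scheme-relative "//evil", "javascript:", "user@host" tricks and unsafe
    characters all return None so the caller can fall back to a fixed page.
    """
    if not SAFE_TARGET.match(redirect_to):
        return None
    parts = urlsplit(redirect_to)
    if parts.scheme == "" and parts.netloc == "":
        if not redirect_to.startswith("/"):
            return None
    elif parts.scheme != "http" or parts.netloc.lower() != HOST:
        return None
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return f"http://{HOST}{path}"


def render_redirect_page(redirect_to: str,
                         fallback: str = "/secure/Dashboard.jspa") -> str:
    """Hardened equivalent of the posted redirect-to-http.jsp: validate the
    target, then escape it separately for the JavaScript string literal and
    for the HTML attributes it appears in."""
    target = safe_http_target(redirect_to) or f"http://{HOST}{fallback}"
    # json.dumps gives a valid JS string literal; '<' cannot survive
    # SAFE_TARGET, but escape it anyway so "</script>" can never close the tag.
    js_literal = json.dumps(target).replace("<", "\\u003c")
    attr = html.escape(target, quote=True)
    return (
        "<html><head>\n"
        f"<script>window.location.replace({js_literal});</script>\n"
        f'<meta http-equiv="Refresh" content="0; url={attr}">\n'
        "</head><body>\n"
        f'<a href="{attr}">Please click here if you are not redirected.</a>\n'
        "</body></html>\n"
    )


if __name__ == "__main__":
    for scheme, path in (("https", "/secure/Dashboard.jspa"),
                         ("https", "/login.jsp"), ("https", "/styles/x.css")):
        if should_bounce_to_http(scheme, path):
            print(f"{scheme}://{HOST}{path} -> {bounce_url(path)}")
        else:
            print(f"{scheme}://{HOST}{path} stays on HTTPS")
    for candidate in ("/secure/Dashboard.jspa", "http://evil.example/",
                      "//evil.example/", "javascript:alert(1)"):
        print(repr(candidate), "->", safe_http_target(candidate))
```

The allowlist is deliberately strict: a redirect target in this setup is always a path on the same host, so there is no reason to accept anything that could not be one.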
Can you provide a solution for Tomcat? I believe the mod_rewrite rule above can only be applied to Apache. Thanks.
Not resolved IMHO! The solution in http://jira.atlassian.com/browse/CONF-4116
Here's what I did without Apache:
Modified WEB-INF/urlrewrite.xml by adding the following rule:

<urlrewrite>
  <rule>
    <name>Force all non-login pages back to non-SSL</name>
    <note>Assumes JIRA is running under context /jira</note>
    <condition type="scheme" operator="equal">https</condition>
    <condition type="request-uri" operator="notequal">/jira/redirect-to-http.jsp</condition>
    <condition type="request-uri" operator="notequal">/jira/login.jsp</condition>
    <condition type="request-uri" operator="notequal">/jira/images/.*</condition>
    <condition type="request-uri" operator="notequal">.*\.css</condition>
    <condition type="request-uri" operator="notequal">.*\.js</condition>
    <!-- 'from' url's are relative to the context. -->
    <from>(.*)</from>
    <to type="redirect" last="true">/jira/redirect-to-http.jsp?redirect-to=$1</to>
  </rule>
  ...

Modified the following filter mapping in WEB-INF/web.xml:

<filter-mapping>
  <filter-name>UrlRewriteFilter</filter-name>
  <!-- <url-pattern>/secure/IssueNavigator.jspa</url-pattern> -->
  <url-pattern>/*</url-pattern>
</filter-mapping>

My /redirect-to-http.jsp is a little different, but same idea. I did almost the same for Confluence, except I had to download urlrewrite-2.6.0.jar to WEB-INF\lib and create WEB-INF/urlrewrite.xml with one rule with similar settings. One catch though, the "from" pattern has to be ^(.*)$ because otherwise I got strange results.

The following seems to have stopped working in Jira 3.13:
1) Change the action URL in /includes/loginform.jsp to send the password over HTTPS.
https://jira.sln.suny.edu

Can anyone suggest another method to redirect the login page (only) to HTTPS?

Something to consider for anyone thinking that just using SSL on the login page will offer a reasonable level of security: Why you need https everywhere
Hello T Marshall,
The login page is now rendered in two different ways. In addition to the change above you will need to:
This should get Jira redirecting to the correct login page. I am not sure if the URL rewriting still works. I'll leave this as an exercise for the reader. Hope this helps,

Hi,
Did the below mentioned changes and were able to implement HTTPS for just the login page for JIRA. This was implemented in 3.13.

1) Create a JSP page named "redirect-to-http.jsp" that redirects the user to HTTP via JavaScript, so the browser won't complain about the HTTPS to HTTP switch.

<%-- the page is reached through the os_destination set in step 2, so the target is read from that parameter --%>
<% String redirectURL = request.getParameter("os_destination"); %>
<html>
<meta http-equiv="Refresh" content="0; url=<%= redirectURL %>">
</html>

2) Modify the following lines in the file "/atlassian-jira/includes/loginform.jsp" with the text as specified below:

<form method="POST" action="{https url}<%= request.getContextPath() %>/login.jsp" name="loginform">
<input type="hidden" name="os_destination" value="http://<%= request.getServerName() %>:{http port}<%= request.getContextPath() %>/redirect-to-http.jsp?os_destination=<%= (request.getParameter("os_destination") == null ? "/secure/Dashboard.jspa" : TextUtils.htmlEncode(request.getParameter("os_destination"))) %>">

3) Modify the following lines in the file "/atlassian-jira-enterprise-3.13-standalone/atlassian-jira//login.jsp" with the text as specified below:

if (request != null) {
    response.sendRedirect(request.getContextPath() + "login.jsp");
    return;
}
Is there any workaround?