Bitbucket Data Center / BSERV-10455

Ability to drop Basic Authentication and only use personal tokens


      Hi,

      Recently we have installed Jira, Confluence (both Server) and Bitbucket Data Center (5.2.2) at a client.
      Zooming in on Bitbucket, we are using a PostgreSQL server which is shared with the other applications. The same goes for the file server. Our install directories are on the server disk and our home directory is mounted on the file server. Furthermore, we are using the SSO plugin from resolution, so users via the GUI are redirected to the IDP and REST API calls are not (see picture below for an overview).

      SSH traffic (git operations) is also immediately forwarded to Bitbucket. We do not allow HTTPS cloning. Preferably we don't want to allow Basic Authentication at all. The new version of Bitbucket sounded like a good solution (with personal tokens), but I talked to Ada Chen (Atlassian) and she told us that we cannot disable basic authentication. I also heard that personal tokens are not coming to Jira and Confluence (which. From a security perspective it would be great to be able to disable basic authentication and use personal tokens instead (for REST API calls) for all Atlassian applications.

      Kind regards
      Rudy Holtkamp (TMC)
      This ticket has been created at the request of Tiago Vitorino (tvitorino@atlassian.com)


            Bryan Turner (Inactive) added a comment -

            bdowdy,

            The handler SPI described here is unique to Bitbucket Server and is not supported by Jira.

            Best regards,
            Bryan Turner
            Atlassian Bitbucket

            Brent Dowdy added a comment - edited

            mheemskerk
            Is it possible to use this same pattern to intercept JIRA basic auth requests, coding this same example in an Add-On? I see this uses the Bitbucket HttpAuthenticationContext. Do you have any leads on if that's possible?

            Rudy Holtkamp added a comment -

            Thanks, when we've tested it, I will report back.

            Michael Heemskerk (Inactive) added a comment -

            Hi rudy.holtkamp,

            If you turn on HTTPS for git operations, you should be able to use LFS again. When using LFS with an ssh:// remote URL, the client retrieves the LFS HTTP URL over SSH and then makes the LFS call(s) over HTTPS. The LFS URLs use JWT authentication and not Basic auth, so your filter would let them through.

            That's the theory at least. I haven't tested it locally though.

            Rudy Holtkamp added a comment -

            Hi mheemskerk, thanks for your answer.
            A follow-up question about this. Suppose I write this plugin and turn on HTTPS for git operations again; can I then use git LFS operations? With the current setup (allowing only SSH git operations) I can't use LFS.

            Michael Heemskerk (Inactive) added a comment - edited

            rudy.holtkamp FYI. Basic auth is not supported for logging into the Web UI to begin with; it's only accepted for REST and git operations. If you don't want to support git operations over HTTP, you can turn it off under Admin > Server Settings.

            But if you're willing to write a small plugin, you'll be able to turn off basic authentication completely. What you'll need to do is write an HttpAuthenticationHandler, and implement it as follows:

                @Override
                public ApplicationUser authenticate(@Nonnull HttpAuthenticationContext context) {
                    // Reject Basic credentials outright, before the built-in handlers see them
                    if (HttpAuthenticationContext.METHOD_BASIC.equals(context.getMethod())) {
                        throw new BasicAuthNotSupportedException(i18nService.createKeyedMessage("your.i18n.here"));
                    }
                    // Any other scheme: return null so the remaining handlers get a turn
                    return null;
                }

            where BasicAuthNotSupportedException needs to be a subclass of AuthenticationException.

            Finally, register the auth handler in your atlassian-plugin.xml with a low enough weight that it's ordered before the built-in handlers (19 should be low enough):

            <http-auth-handler key="crowdSsoAuthHandler" weight="19" class="com.your.package.NoMoreBasicAuthHttpHandler"
                               captcha-support="false"/>

            The captcha-support is to ensure that people don't accidentally get locked out when they (or a script) try to use basic auth.
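A complete handler class built from the snippet in the comment above, added here as an example (it is not code from the comment author or from Atlassian). The package name, the nested exception class and the i18n key are placeholders; it assumes the HttpAuthenticationHandler SPI exposes the two methods authenticate and validateAuthentication, and that I18nService is made available via a component-import in atlassian-plugin.xml.

```java
package com.example.bitbucket.auth; // hypothetical package name

import javax.annotation.Nonnull;
import javax.annotation.Nullable;

import com.atlassian.bitbucket.auth.AuthenticationException;
import com.atlassian.bitbucket.auth.HttpAuthenticationContext;
import com.atlassian.bitbucket.auth.HttpAuthenticationHandler;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.i18n.KeyedMessage;
import com.atlassian.bitbucket.user.ApplicationUser;

/**
 * Rejects every HTTP request that presents Basic credentials before the
 * built-in handlers can validate the password. Other schemes (personal access
 * tokens, the JWT used by LFS, SSO cookies) fall through untouched because
 * authenticate() returns null for them.
 */
public class NoMoreBasicAuthHttpHandler implements HttpAuthenticationHandler {

    /** Extends AuthenticationException so the framework treats it as an auth failure, not an internal error. */
    public static class BasicAuthNotSupportedException extends AuthenticationException {
        public BasicAuthNotSupportedException(@Nonnull KeyedMessage message) {
            super(message);
        }
    }

    private final I18nService i18nService;

    // Injected by the plugin framework; requires a <component-import> for I18nService.
    public NoMoreBasicAuthHttpHandler(I18nService i18nService) {
        this.i18nService = i18nService;
    }

    @Nullable
    @Override
    public ApplicationUser authenticate(@Nonnull HttpAuthenticationContext context) {
        if (HttpAuthenticationContext.METHOD_BASIC.equals(context.getMethod())) {
            // Fail closed: returning null here would hand the Basic credentials to the next handler.
            throw new BasicAuthNotSupportedException(
                    i18nService.createKeyedMessage("example.auth.basic.disabled")); // hypothetical i18n key
        }
        return null; // not Basic: let the token, JWT and SSO handlers run
    }

    @Override
    public void validateAuthentication(@Nonnull HttpAuthenticationContext context) {
        // Nothing to re-check: this handler never authenticates a user itself.
    }
}
```

Register it with the http-auth-handler element shown in the comment, keeping weight="19" so it runs ahead of the built-in handlers; after deploying, confirm that a REST call with a personal access token still succeeds while the same call with Basic credentials is refused.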
