-
Suggestion
-
Resolution: Unresolved
-
None
-
7
-
Hi,
Recently we have installed Jira, Confluence (both server) and Bitbucket Data Center (5.2.2) at a client.
Zooming in on Bitbucket, we are using a PostgreSQL server which is shared between the other applications. The same goes for the file server. Our install directories are on the server disk and our home directory is mounted on the file server. Furthermore we are using the SSO plugin from resolution. So users via the GUI will be redirected to the IDP and rest api calls are not. (see picture below for an overview)
Ssh traffic (git operations) is also immediately forwarded to Bitbucket. We do not allow https cloning. Preferable we don't want to allow Basic Authentication at all. The new version of Bitbucket sounded like a good solution (with personal tokens) but I talked to Ada Chen (Atlassian) and she told us that we cannot disable basic authentication. And I also heard that personal tokens are not coming to Jira and Confluence (which. From a security perspective it would be great to be able to disable basic authentication and use personal tokens instead (for REST API calls) for all Atlassian applications.
Kind regards
Rudy Holtkamp (TMC)
This ticket has been created after request of Tiago Vitorino (tvitorino@atlassian.com)
[BSERV-10455] Ability to drop Basic Authentication and only use personal tokens
mheemskerk
Is it possible to use this same pattern to intercept JIRA basic auth requests, coding this same example in an Add-On? I see this uses the bitbucket HttpAuthenticationContext. Do you have any leads on if that's possible?
Brent Dowdy
added a comment - - edited mheemskerk
Is it possible to use this same pattern to intercept JIRA basic auth requests, coding this same example in an Add-On? I see this uses the bitbucket HttpAuthenticationContext. Do you have any leads on if that's possible? Hi rudy.holtkamp,
If you turn on HTTPS for git operations, you should be able to use LFS again. When using LFS with an ssh:// remote URL, the client retrieves the LFS HTTP url over SSH and then makes the LFS call(s) over HTTPS. The LFS urls use JWT authentication and not Basic auth, so your filter would let it through.
That's the theory at least. I haven't tested it locally though..
Hi mheemskerk, thanks for your answer.
A follow-up question about this. Suppose I write this plugin and turn on https for git operations again can I then use git LFS operations. Because with the current setup (allowing only ssh git operations) I can't use LFS.
rudy.holtkamp FYI. Basic auth is not supported for logging into the Web UI to begin with; it's only accepted for REST and git operations. If you don't want to support git operations over HTTP, you can turn it off under Admin > Server Settings.
But if you're willing to write a small plugin, you'll be able to turn off basic authentication completely. What you'll need to do is write a HttpAuthenticationHandler, and implement it as follows:
@Override
public ApplicationUser authenticate(@Nonnull HttpAuthenticationContext context) {
if (HttpAuthenticationContext.METHOD_BASIC.equals(context.getMethod())) {
throw new BasicAuthNotSupportedException(i18nService.createKeyedMessage("your.i18n.here"));
}
return null;
}
where BasicAuthNotSupportedException needs to be subclass of AuthenticationException.
Finally, register the auth handler in your atlassian-plugin.xml with a low enough weight that it's ordered before the built-in handlers (19 should be low enough):
<http-auth-handler key="crowdSsoAuthHandler" weight="19" class="com.your.package.NoMoreBasicAuthHttpHandler" captcha-support="false"/>
The captcha-support is to ensure that people don't accidentally get locked out when they (or a script) tries to use basic auth.
bdowdy,
The handler SPI described here is unique to Bitbucket Server and is not supported by Jira.
Best regards,
Bryan Turner
Atlassian Bitbucket