Bitbucket Server / BSERV-3239

Support container managed authentication

    Details

    • Type: Suggestion
    • Status: Gathering Interest
    • Resolution: Unresolved
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • UIS: 28
    • Feedback Policy: We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Description

      Many SSO solutions integrate at the Tomcat layer by passing an authenticated user(name) to Tomcat. Inside the web application, this username is available through HttpServletRequest.getRemoteUser() and HttpServletRequest.getRemotePrincipal().

      Stash should accept this username as already authenticated and transparently log the user in with that username.

      Presumably, the SSO solution provides an external login page. Stash should redirect the user to a configurable login URL when authentication is required.

      Likewise, when the user logs out in Stash, the SSO session should be terminated. The logout success URL should be configurable as well.

      Finally, when a user has been authenticated using container managed authentication and the remoteUser name is no longer provided by the container, the user should be logged out of Stash.

      Questions:

      • Are the login and logout URLs optional or required?
      • Can the Remote User be spoofed through HTTP headers? Most SSO integrations seem to rely on the AJP connector and not use the HTTP connector. Not sure whether that is for security reasons.
      • Can container managed authentication support be enabled out of the box, or should it be explicitly enabled by sysadmins? Related to the previous questions.
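As an added illustration of the behaviour the description asks for (not Stash/Bitbucket code, and not an Atlassian design), the servlet filter below accepts only the identity the container has already verified, redirects to a configurable login URL when no container user is present, ends the local session when the container stops supplying a user, and sends logout through a configurable SSO logout URL. The class name, the `loginUrl`/`logoutSuccessUrl` init-params, the `/logout` path and the session attribute name are all assumptions. The standard servlet accessors are `getRemoteUser()` and `getUserPrincipal()`; the filter never falls back to a client-supplied header, which is where a spoofing risk would come from if an application mapped such a header to an identity.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter sketching container-managed authentication for a web app.
 * Not Bitbucket/Stash code; init-param names and paths are assumptions.
 */
public class ContainerAuthFilter implements Filter {
    // Session attribute recording which user the container vouched for.
    static final String SESSION_USER = "containerAuth.user";

    private String loginUrl;          // e.g. https://sso.example.test/login (constructed value)
    private String logoutSuccessUrl;  // e.g. https://sso.example.test/logout (constructed value)

    @Override
    public void init(FilterConfig cfg) {
        // Both URLs are explicit configuration: container auth is never silently
        // enabled with a missing redirect target.
        loginUrl = require(cfg, "loginUrl");
        logoutSuccessUrl = require(cfg, "logoutSuccessUrl");
    }

    private static String require(FilterConfig cfg, String name) {
        String value = cfg.getInitParameter(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("missing init-param " + name);
        }
        return value;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only the container's verdict is trusted. There is deliberately no fallback
        // to a request header such as X-Remote-User: over an HTTP connector any
        // client could set one, so a header-based fallback would be spoofable.
        String remoteUser = request.getRemoteUser();
        HttpSession session = request.getSession(false);
        String sessionUser = session == null ? null : (String) session.getAttribute(SESSION_USER);

        if ("/logout".equals(request.getServletPath())) {
            // Local logout, then hand off so the SSO can terminate its own session.
            if (session != null) {
                session.invalidate();
            }
            response.sendRedirect(logoutSuccessUrl);
            return;
        }

        if (remoteUser == null) {
            // The container no longer supplies a user: drop any session it created
            // earlier, then send the user to the external login page.
            if (session != null && sessionUser != null) {
                session.invalidate();
            }
            response.sendRedirect(loginUrl);
            return;
        }

        if (!remoteUser.equals(sessionUser)) {
            // New or changed identity: discard the old session (avoids session
            // fixation) and bind the container-authenticated user to a fresh one.
            if (session != null) {
                session.invalidate();
            }
            session = request.getSession(true);
            session.setAttribute(SESSION_USER, remoteUser);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
```

The filter would be registered in web.xml ahead of the application's own authentication with the two init-params set. On the connector side, Tomcat only propagates the front-end web server's principal over AJP when the connector has `tomcatAuthentication="false"`; nothing populates `getRemoteUser()` on a plain HTTP connector unless the application itself maps a header, which is why the example refuses to do that.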

    People

    • Assignee: Unassigned
    • Reporter: Michael Heemskerk (mheemskerk)
    • Votes: 20
    • Watchers: 12
