Bitbucket Data Center / BSERV-3239

Support container managed authentication


Details

    • Suggestion
    • Resolution: Unresolved
    • We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Many SSO solutions integrate at the Tomcat layer by passing an authenticated user(name) to Tomcat. Inside the web application, this username is available through HttpServletRequest.getRemoteUser() and HttpServletRequest.getRemotePrincipal().

      Stash should accept this username as already authenticated and transparently log the user in with that username.

      Presumably, the SSO solution provides an external login page. Stash should redirect the user to a configurable login URL when authentication is required.

      Likewise, when the user logs out in Stash, the SSO session should be terminated. The logout success URL should be configurable as well.

      Finally, when a user has been authenticated using container managed authentication and the remoteUser name is no longer provided by the container, the user should be logged out of Stash.

      Questions:

      • Are the login and logout URLs optional or required?
      • Can the Remote User be spoofed through HTTP headers? Most SSO integrations seem to rely on the AJP connector and not use the HTTP connector. Not sure whether that is for security reasons.
      • Can container managed authentication support be enabled out of the box, or should it be explicitly enabled by sysadmins? Related to the previous questions.
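The following servlet filter is an added illustration of the behaviour requested above; it is not Stash/Bitbucket code and not part of the original issue. It binds the container-asserted user to the application session, logs the user out again when the container stops supplying that user (or supplies a different one), redirects unauthenticated requests to an external login URL, and sends the SSO logout URL on logout. The init parameters (loginUrl, logoutUrl, trustHttpConnector, ajpPorts), the /logout path and the session attribute name are all hypothetical choices for this example. On the spoofing question: the filter reads only HttpServletRequest.getRemoteUser(), never a request header such as X-Remote-User, because a header can be set by any client unless the reverse proxy is guaranteed to strip it. Over AJP the remote user is whatever the front-end web server placed in the AJP request, so the AJP port must be reachable only from that web server; the filter treats the connector's local port as the signal that the request came over AJP.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Example container-managed authentication filter (illustrative, not Stash/Bitbucket code). */
public class ContainerAuthFilter implements Filter {
    // Session attribute holding the user the container vouched for (name chosen for this example).
    static final String CONTAINER_USER = "containerAuth.user";

    private String loginUrl;            // hypothetical init param: external SSO login page, or null
    private String logoutUrl;           // hypothetical init param: SSO logout page, or null
    private boolean trustHttpConnector; // hypothetical init param: honour remote user on HTTP connectors
    private Set<Integer> ajpPorts = new HashSet<>(); // hypothetical init param: local ports of AJP connectors

    @Override
    public void init(FilterConfig config) {
        loginUrl = config.getInitParameter("loginUrl");
        logoutUrl = config.getInitParameter("logoutUrl");
        trustHttpConnector = Boolean.parseBoolean(config.getInitParameter("trustHttpConnector"));
        String ports = config.getInitParameter("ajpPorts"); // e.g. "8009"
        if (ports != null) {
            Arrays.stream(ports.split(",")).map(String::trim).filter(s -> !s.isEmpty())
                  .forEach(s -> ajpPorts.add(Integer.parseInt(s)));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);

        // Logout terminates the application session and hands the browser to the SSO logout page.
        if ("/logout".equals(request.getServletPath())) {
            if (session != null) session.invalidate();
            response.sendRedirect(logoutUrl != null ? logoutUrl : request.getContextPath() + "/");
            return;
        }

        String remoteUser = containerRemoteUser(request);
        String sessionUser = session == null ? null : (String) session.getAttribute(CONTAINER_USER);

        // The container no longer vouches for the session's user (or vouches for someone else):
        // drop the session instead of continuing to serve a stale identity.
        if (sessionUser != null && !sessionUser.equals(remoteUser)) {
            session.invalidate();
            sessionUser = null;
        }

        if (remoteUser == null && sessionUser == null) {
            if (loginUrl != null) {
                response.sendRedirect(loginUrl); // external SSO login page
            } else {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            }
            return;
        }

        if (sessionUser == null) {
            // Transparent login: the container authenticated remoteUser; bind it to a fresh session.
            request.getSession(true).setAttribute(CONTAINER_USER, remoteUser);
        }
        chain.doFilter(request, response);
    }

    /**
     * Returns the user asserted by the container, or null when it must not be trusted.
     * Deliberately never consults request headers: only the container's own notion of the
     * remote user counts, and only on connectors the administrator has chosen to trust.
     */
    String containerRemoteUser(HttpServletRequest request) {
        String user = request.getRemoteUser();
        if (user == null) return null;
        if (!trustHttpConnector && !ajpPorts.contains(request.getLocalPort())) {
            return null; // arrived on an HTTP connector while only AJP connectors are trusted
        }
        return user;
    }

    @Override
    public void destroy() { }
}
```

With trustHttpConnector left at its default of false, a remote user that appears on the HTTP connector is ignored, so the feature is effectively off until a sysadmin lists the AJP port (or explicitly opts in to the HTTP connector); that is one way to answer the third question above without trusting every deployment out of the box.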

      People

            Assignee: Unassigned
            Reporter: mheemskerk Michael Heemskerk (Inactive)
            Votes: 20
            Watchers: 12