Suggestion
Resolution: Low Engagement
Many SSO solutions integrate at the Tomcat layer by passing an authenticated user(name) to Tomcat. Inside the web application, this username is available through HttpServletRequest.getRemoteUser() and HttpServletRequest.getUserPrincipal().
Stash should accept this username as already authenticated and transparently log the user in with that username.
Presumably, the SSO solution provides an external login page. Stash should redirect the user to a configurable login URL when authentication is required.
Likewise, when the user logs out in Stash, the SSO session should be terminated. The logout success URL should be configurable as well.
Finally, when a user has been authenticated using container managed authentication and the remote user name is no longer provided by the container, the user should be logged out of Stash.
Questions:
- Are the login and logout URLs optional or required?
- Can the Remote User be spoofed through HTTP headers? Most SSO integrations seem to rely on the AJP connector and not use the HTTP connector. Not sure whether that is for security reasons.
- Can container managed authentication support be enabled out of the box, or should it be explicitly enabled by sysadmins? Related to the previous questions.
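As an added illustration, not code from this issue, from Stash or from Atlassian, the servlet filter below sketches the behaviour requested above: it takes the identity only from what the container reports, logs the user in transparently, redirects to a configurable login URL when no container user is present, drops the Stash-side session when the container stops vouching for the user, and hands the browser to a configurable logout URL on logout. The class name, the `loginUrl`/`logoutUrl` init-parameters, the session attribute, the `/logout` and `/static/` paths and the Servlet 3.x `javax.servlet` API are assumptions.

```java
// Added example (hypothetical names, not Stash code): container-managed
// authentication glue as a servlet filter.
import java.io.IOException;
import java.net.URLEncoder;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ContainerAuthFilter implements Filter {
    // Session attribute holding the username the container vouched for (assumed name).
    private static final String CONTAINER_USER = "containerAuth.user";
    private String loginUrl;   // external SSO login page; optional
    private String logoutUrl;  // where the browser goes after logout; optional

    @Override
    public void init(FilterConfig config) {
        loginUrl = config.getInitParameter("loginUrl");
        logoutUrl = config.getInitParameter("logoutUrl");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Identity comes only from the container (its Realm/Valve, or the AJP
        // proxy when tomcatAuthentication="false"). No request header such as
        // X-Remote-User is consulted: headers are set by the client, not the container.
        Principal principal = request.getUserPrincipal();
        String remoteUser = principal != null ? principal.getName() : request.getRemoteUser();
        HttpSession session = request.getSession(false);

        if ("/logout".equals(request.getServletPath())) {
            if (session != null) {
                session.invalidate();
            }
            // Ending the SSO session itself is the SSO product's job; we only
            // send the browser to its configured logout endpoint.
            String target = logoutUrl != null ? logoutUrl : request.getContextPath() + "/";
            response.sendRedirect(target);
            return;
        }

        if (remoteUser == null) {
            // The container no longer vouches for anyone: a session that was
            // created from container authentication must not outlive it.
            if (session != null && session.getAttribute(CONTAINER_USER) != null) {
                session.invalidate();
                session = null;
            }
            if (requiresAuthentication(request)) {
                if (loginUrl != null) {
                    String returnTo = URLEncoder.encode(request.getRequestURL().toString(), "UTF-8");
                    response.sendRedirect(loginUrl + "?redirectTo=" + returnTo);
                } else {
                    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                }
                return;
            }
            chain.doFilter(req, res);
            return;
        }

        // Container vouched for remoteUser: log in transparently. If the session
        // belongs to a different user, start a fresh one rather than reuse it.
        if (session == null || !remoteUser.equals(session.getAttribute(CONTAINER_USER))) {
            if (session != null) {
                session.invalidate();
            }
            session = request.getSession(true);
            session.setAttribute(CONTAINER_USER, remoteUser);
        }
        chain.doFilter(req, res);
    }

    // Assumed policy: everything except static assets needs an authenticated user.
    private boolean requiresAuthentication(HttpServletRequest request) {
        return !request.getServletPath().startsWith("/static/");
    }

    @Override
    public void destroy() {
    }
}
```

Because the filter trusts only what the container reports, the trust boundary moves to the connector configuration. On Tomcat's AJP connector, `tomcatAuthentication="false"` makes Tomcat accept the username forwarded by the front-end proxy, so that connector should be bound to an address only the proxy can reach and, on Tomcat versions that support it, require the connector's shared `secret`; the plain HTTP connector never populates `getRemoteUser()` from a header, which is the reason an SSO front end that forwards identities is normally paired with AJP rather than HTTP.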