should be able to login only via https


      You should be able to configure JIRA to log in via HTTPS.

      This is almost possible in 2.4.1. You can specify an https URL in security-config.xml as the login.url parameter. This makes login links from e.g. the issue view page work correctly. A slight problem here is that the session remains in the https scheme after the login.

      But if a user goes directly to the JIRA welcome page, she is immediately presented with a login form. The URL for that form is hard coded, allowing only for variations in the context path.

      This also can be hacked, by adding something like this to loginform.jsp:

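      <%
      // Look up the security configuration stored in the servlet context.
      SecurityConfig cfg = (SecurityConfig) application.getAttribute(SecurityConfig.STORAGE_KEY);
      String url;
      if (cfg != null) {
          // Use the configured login URL (which may be an https URL).
          url = cfg.getLoginURL();
      } else {
          // Fall back to the context-relative login page.
          System.err.println("missing security config in servlet context");
          url = request.getContextPath() + "/login.jsp";
      }
      %>
      <form method="POST" action="<%= url %>" name="loginform">
      ...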

      The code could be abstracted into a tag, or something.

      With these two fixes, I am apparently able to configure JIRA to use https to log in. But there are a few problems, other than the overall hackishness of the above:

      1. After login, everything remains in https. JIRA would have to help out a bit by (say) redirecting to an http URL after a successful login.

      2. While the direct login (i.e. the one on the welcome page) is secure, there is no indication of this on the page. I have no suggestions as to how to fix this.

              Assignee: Unassigned
              Reporter: joe dane
              Votes: 5
              Watchers: 1

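One way to cover the direct-login case described in the issue without patching each JSP, as an added example (not code from the issue or from JIRA): a servlet filter that redirects plain-http GETs for pages carrying the login form to https and refuses credential POSTs that arrive over http. The class name and the `loginPaths` and `httpsPort` init-params are assumptions; the filter uses only the standard javax.servlet API.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter, not part of JIRA: keeps the login exchange on HTTPS.
public class HttpsLoginFilter implements Filter {
    // Assumed init-param "loginPaths": comma-separated servlet paths that show or process the login form.
    private String[] loginPaths = { "/login.jsp" };
    private int httpsPort = 443; // assumed init-param "httpsPort"

    public void init(FilterConfig cfg) {
        String paths = cfg.getInitParameter("loginPaths");
        if (paths != null) loginPaths = paths.trim().split("\\s*,\\s*");
        String port = cfg.getInitParameter("httpsPort");
        if (port != null) httpsPort = Integer.parseInt(port.trim());
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        if (req.isSecure() || !isLoginPath(req.getServletPath())) {
            chain.doFilter(rq, rs); // already on https, or not a login page
            return;
        }
        if (!"GET".equals(req.getMethod())) {
            // A POST over http has already exposed the credentials; refuse it
            // instead of redirecting, so a mis-pointed form is noticed and fixed.
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "Login requires HTTPS");
            return;
        }
        // Send the browser to the same page on https before any form is shown.
        StringBuffer target = new StringBuffer("https://").append(req.getServerName());
        if (httpsPort != 443) target.append(':').append(httpsPort);
        target.append(req.getRequestURI());
        if (req.getQueryString() != null) target.append('?').append(req.getQueryString());
        res.sendRedirect(target.toString());
    }

    private boolean isLoginPath(String servletPath) {
        for (int i = 0; i < loginPaths.length; i++) {
            if (loginPaths[i].equals(servletPath)) return true;
        }
        return false;
    }

    public void destroy() { }
}
```

The welcome page that embeds the login form has to be listed in `loginPaths` as well, since the form must itself be served over https for the browser to show the page as secure.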