Type: Bug | Resolution: Unresolved | Priority: Low | Affects Version/s: 6.1.9, 6.2.7, 6.3.13, 7.1.6, 7.1.7, 8.5.1, 8.8.1 | Severity 3 - Minor
Other sidebar values (field names lost in extraction): None, 6.01, 47, 4
The default login page (http://jira-address.com/login.jsp) is shown or linked to when it should redirect the user to the SSO login page defined in the seraph-config.xml file.
Steps to Reproduce:
- Configure the seraph-config.xml file as below (both login.url and link.login.url point at an absolute SSO URL):

```xml
<init-param>
  <!--
    The login URL to redirect to when the user tries to access a protected
    resource (rather than clicking on an explicit login link). Most of the
    time, this will be the same value as 'link.login.url'.
      - if the URL is absolute (contains '://'), then redirect to that URL
        (for SSO applications)
      - else the context path will be prepended to this URL
    If '${originalurl}' is present in the URL, it will be replaced with the
    URL that the user requested. This gives SSO login pages the chance to
    redirect to the original page.
  -->
  <param-name>login.url</param-name>
  <!--<param-value>/login.jsp?permissionViolation=true&os_destination=${originalurl}</param-value>-->
  <param-value>http://my-custom-sso.com/login.jspa?redirectTo=${originalurl}</param-value>
</init-param>
<init-param>
  <!--
    The URL to redirect to when the user explicitly clicks on a login link
    (rather than being redirected after trying to access a protected resource).
    Most of the time, this will be the same value as 'login.url'.
      - same properties as login.url above
  -->
  <param-name>link.login.url</param-name>
  <!--<param-value>/login.jsp?os_destination=${originalurl}</param-value>-->
  <!--<param-value>/secure/Dashboard.jspa?os_destination=${originalurl}</param-value>-->
  <param-value>http://my-custom-sso.com/login.jspa?redirectTo=${originalurl}</param-value>
</init-param>
```
- Start JIRA;
- The behavior can be seen in the following cases, and is likely to appear in other use cases as well:
  - Using a mobile device.
  - When JIRA's session expires, clicking on the "Log back in" link.
  - If you have two tabs open and click the "Log out" link in both, the second tab takes you to an "Already logged out" page with a bad "Log in again" link.
  - Using the Issue Navigator with JQL while logged out.
  - Opening an attachment from Jira Service Desk while logged out.
  - Opening an issue while on the <BaseURL>/projects/<ProjectKey>/issues page.
Expected Behavior
Any requests to the http://jira-address.com/login.jsp URL should be directed to the SSO URL defined in the seraph configuration.
Actual Behavior
Following the steps above, the http://jira-address.com/login.jsp page is shown instead of the SSO login page. The http://jira-address.com/login.jsp page can also be accessed directly from the browser, without being redirected there, so the local login form remains reachable even though seraph has been configured for SSO.
Workarounds
Redirect requests for the login page using a proxy rewrite rule. Here is an example for Apache mod_rewrite:

```apache
RewriteEngine On
RewriteCond %{QUERY_STRING} (?:^|&)os_destination=(.+?)(?:$|&)
RewriteRule ^/login.jsp$ YOUR_SSO_LOGIN_URL [NE,L,R=301]
```

Two caveats. The RewriteCond only matches when os_destination is present in the query string, so a request for /login.jsp with no query string (the direct-access case described above) is not redirected; drop the condition, or add a second unconditional RewriteRule for the same path, if every hit must be covered. The pattern with a leading slash is for server or virtual-host context; in a per-directory (.htaccess) context the leading slash is stripped before matching and the rule would never fire.

In conjunction with this, disable the Login Gadget so it does not appear on dashboards. The System Dashboard is visible without logging in, so the gadget must be removed:
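To make the gap in the quoted rule concrete, here is an added example (not from the ticket and not Atlassian code) that re-implements the matching semantics of the RewriteCond/RewriteRule pair in Python and runs it against request URLs modelled on the scenarios listed above. Apache itself is not involved; the SSO URL is the placeholder from the ticket, the request URLs are constructed for the example, and the "covering all hits" variant is an assumed hardening (condition-gated rule that forwards the captured os_destination as %1, followed by an unconditional rule), not something the ticket proposes.

```python
"""Simulate the mod_rewrite workaround against the login.jsp entry points.

Added example: re-implements the quoted RewriteCond/RewriteRule in Python
to show which requests are redirected and which still reach login.jsp.
"""
import re
from typing import Callable, List, Optional
from urllib.parse import urlsplit

SSO_LOGIN_URL = "http://my-custom-sso.com/login.jspa"  # stands in for YOUR_SSO_LOGIN_URL

# Condition and pattern exactly as quoted in the workaround
# (the unescaped dot in login.jsp is as written; harmless here).
OS_DEST_COND = re.compile(r"(?:^|&)os_destination=(.+?)(?:$|&)")
LOGIN_JSP = re.compile(r"^/login.jsp$")


def workaround_as_quoted(url: str) -> Optional[str]:
    """Redirect target under the ticket's rule, or None when the request passes through."""
    parts = urlsplit(url)
    # A RewriteCond on %{QUERY_STRING} gates only the RewriteRule that follows it.
    if not OS_DEST_COND.search(parts.query):
        return None
    if not LOGIN_JSP.match(parts.path):
        return None
    return SSO_LOGIN_URL  # the substitution string; the %1 capture is never used


def workaround_covering_all_hits(url: str) -> Optional[str]:
    """Assumed hardened variant (not in the ticket): two rules for the same path.

    Rule 1 keeps the condition and forwards the captured os_destination as %1
    (flag NE stops Apache re-escaping the already URL-encoded value).
    Rule 2 has no condition and catches /login.jsp with any other, or no,
    query string, which is the direct-access case the ticket describes.
    """
    parts = urlsplit(url)
    if not LOGIN_JSP.match(parts.path):
        return None
    m = OS_DEST_COND.search(parts.query)
    if m:
        return f"{SSO_LOGIN_URL}?redirectTo={m.group(1)}"
    return SSO_LOGIN_URL


# Constructed request URLs modelled on the scenarios in the ticket.
REQUESTS = {
    "protected resource, seraph fallback":
        "http://jira-address.com/login.jsp?permissionViolation=true&os_destination=%2Fbrowse%2FABC-1",
    "'Log back in' after session expiry":
        "http://jira-address.com/login.jsp?os_destination=%2Fsecure%2FDashboard.jspa",
    "typed directly into the browser":
        "http://jira-address.com/login.jsp",
    "permission violation without destination":
        "http://jira-address.com/login.jsp?permissionViolation=true",
    "unrelated page (must not be touched)":
        "http://jira-address.com/secure/Dashboard.jspa?os_destination=%2Fbrowse%2FABC-1",
}


def leaks_under(rule: Callable[[str], Optional[str]]) -> List[str]:
    """Names of the login.jsp requests that the given rule leaves unredirected."""
    return [name for name, url in REQUESTS.items()
            if urlsplit(url).path == "/login.jsp" and rule(url) is None]


if __name__ == "__main__":
    for name, url in REQUESTS.items():
        print(f"{name:42s} quoted   -> {workaround_as_quoted(url)}")
        print(f"{'':42s} all-hits -> {workaround_covering_all_hits(url)}")
    print("still reachable with the quoted rule:", leaks_under(workaround_as_quoted))
```

Running the script shows that the quoted rule leaves the bare and permissionViolation-only requests unredirected, while the two-rule variant covers every login.jsp hit and leaves other paths alone.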
- Edit the file <JIRA_HOME_DIR>/jira-config.properties (create an empty file with this name if it does not exist)
- Add this line to the file:
jira.disable.login.gadget=true
- Save the file and restart JIRA
is duplicated by:
- JRASERVER-34916 Login links on Issue Navigator page are not using link.login.url from seraph-config.xml (Closed)
- JRASERVER-38782 JIRA Issue Navigator does not respect login.url or link.login.url parameters defined in seraph-config.xml (Closed)

is related to:
- JRASERVER-36248 As a JIRA Administrator, I'd like to force all users to authenticate to the SSO before seeing any pages in JIRA (Gathering Interest)
- JRASERVER-65521 Add possibility to disable public access to JIRA (Under Consideration)
- JSEV-1206