Jira Data Center: JRASERVER-39140

JIRA Seraph Config Settings are not Respected


Details

    Description

      The default login page (http://jira-address.com/login.jsp) is shown or linked to when it should redirect the user to the SSO login page defined in the seraph-config.xml file.

      Steps to Reproduce:

      1. Configure the seraph-config.xml file as below:
                <init-param>
                    <!--
                      The login URL to redirect to when the user tries to access a protected resource (rather than clicking on
                      an explicit login link). Most of the time, this will be the same value as 'link.login.url'.
                        - if the URL is absolute (contains '://'), then redirect that URL (for SSO applications)
                        - else the context path will be prepended to this URL

                        If '${originalurl}' is present in the URL, it will be replaced with the URL that the user requested.
                        This gives SSO login pages the chance to redirect to the original page
                    -->
                    <param-name>login.url</param-name>
                    <!--<param-value>/login.jsp?permissionViolation=true&amp;os_destination=${originalurl}</param-value>-->
                    <param-value>http://my-custom-sso.com/login.jspa?redirectTo=${originalurl}</param-value>
                </init-param>
                <init-param>
                    <!--
                      the URL to redirect to when the user explicitly clicks on a login link (rather than being redirected after
                      trying to access a protected resource). Most of the time, this will be the same value as 'login.url'.
                        - same properties as login.url above
                    -->
                    <param-name>link.login.url</param-name>
                    <!--<param-value>/login.jsp?os_destination=${originalurl}</param-value>-->
                    <!--<param-value>/secure/Dashboard.jspa?os_destination=${originalurl}</param-value>-->
                    <param-value>http://my-custom-sso.com/login.jspa?redirectTo=${originalurl}</param-value>
                </init-param>

      2. Start JIRA;
      3. The behavior can be reproduced in the following cases, and is likely to occur in other use cases as well:
        • Using a mobile device.
        • When JIRA's sessions expire, clicking on the "Log back in" link.
        • If you have two tabs open and click the "Log out" link in both, the second tab takes you to an "Already logged out" page with a bad "Log in again" link.
        • Using the Issue Navigator with JQL while logged out.
        • Opening an attachment from Jira Service Desk while logged out.
        • Opening an issue while on the <BaseURL>/projects/<ProjectKey>/issues page.

      Expected Behavior

      Any requests to the http://jira-address.com/login.jsp URL should be directed to the SSO URL defined in the seraph configuration.

      Actual Behavior

      Following the steps above, the http://jira-address.com/login.jsp page is shown. The http://jira-address.com/login.jsp page can also be accessed directly from the browser (without having to be redirected there).

      Workarounds

      Redirect requests for the login page using a proxy rewrite rule. Here is an example for Apache mod_rewrite:

      RewriteEngine On
      # Only requests to /login.jsp that carry an os_destination parameter are matched;
      # a direct hit on /login.jsp without it is passed through to Jira unchanged.
      RewriteCond %{QUERY_STRING} (?:^|&)os_destination=(.+?)(?:$|&)
      # The captured os_destination value is available as %1 if the SSO URL should receive it.
      RewriteRule ^/login.jsp$ YOUR_SSO_LOGIN_URL [NE,L,R=301]


      In conjunction with this, disable the Login Gadget so it does not appear in Dashboards. The System Dashboard is visible without login, so it is necessary to remove the gadget.

      1. Edit the file <JIRA_HOME_DIR>/jira-config.properties (create an empty file with this name if it does not exist)
      2. Add this line to the file:
        jira.disable.login.gadget=true
        
      3. Save the file and restart JIRA
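The rewrite workaround above, together with the ${originalurl} substitution from seraph-config.xml, modelled in Python as an added example (not code from this report or from Atlassian) so the rule can be checked against the URLs listed in the steps: it shows that only requests carrying os_destination are redirected, and it validates the destination before forwarding it, because an SSO redirectTo parameter that accepts arbitrary absolute URLs turns the login flow into an open redirect. The SSO and base URLs are the placeholders from the report; is_local_destination and rewrite_login_request are names assumed here.

```python
import re
from typing import Optional
from urllib.parse import quote, unquote, urlsplit

# Placeholder values taken from the report, not a real deployment.
SSO_LOGIN_URL = "http://my-custom-sso.com/login.jspa?redirectTo=${originalurl}"
JIRA_BASE_URL = "http://jira-address.com"

# Same pattern as the RewriteCond in the workaround.
OS_DEST_RE = re.compile(r"(?:^|&)os_destination=(.+?)(?:$|&)")


def is_local_destination(dest: str) -> bool:
    """Accept only paths on this Jira instance: reject absolute URLs,
    protocol-relative '//host' forms and the '/\\host' variant that
    browsers normalise into a different host."""
    if not dest.startswith("/") or dest.startswith("//") or dest.startswith("/\\"):
        return False
    return urlsplit(dest).netloc == ""


def rewrite_login_request(request_uri: str) -> Optional[str]:
    """Emulate the Apache rule: return the redirect target for a request to
    /login.jsp that carries os_destination, or None when the rule does not
    fire and the request reaches Jira's own login page."""
    parts = urlsplit(request_uri)
    if parts.path != "/login.jsp":
        return None
    match = OS_DEST_RE.search(parts.query)
    if match is None:
        return None  # direct hit without os_destination: the rule does not match
    dest = unquote(match.group(1))
    if not is_local_destination(dest):
        dest = "/"  # never forward an externally supplied absolute URL to the SSO
    # Seraph substitutes the full URL the user requested for ${originalurl}.
    original = JIRA_BASE_URL + dest
    return SSO_LOGIN_URL.replace("${originalurl}", quote(original, safe=""))


if __name__ == "__main__":
    # Constructed sample requests covering the cases from the report.
    for uri in ("/login.jsp?os_destination=%2Fbrowse%2FABC-1",
                "/login.jsp",
                "/login.jsp?os_destination=http%3A%2F%2Fevil.example%2F"):
        print(uri, "->", rewrite_login_request(uri))
```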

              People

              Assignee: Unassigned
              Reporter: Matheus Fernandes (mfernandes@atlassian.com)
              Votes: 61
              Watchers: 70
