Skip to end of metadata
Go to start of metadata
Table of Contents

As of JASIG CAS Client for Java 3.1.3, the distribution includes Atlassian Confluence and Jira support. Support is enabled by a custom CAS authenticator that extends the default authenticators.

WARNING: Use CAS Client for Java 3.3 or later for JIRA 4.3 or later. CAS Client for Java 3.1.x integration is broken for versions of JIRA 4.3 & later! See CASC-164 (Soulwing appears no better off, btw). This is fixed for version 3.3.0.

$JIRA_HOME Description

 

WAR/EAR Installation: <extracted archive directory>/webapp

/opt/atlassian/jira/atlassian-jira-enterprise-3.13.5/webapp

Standalone: <extracted archive directory>/atlassian-jira

/opt/atlassian/jira/atlassian-jira-enterprise-3.13.5-standalone/atlassian-jira

Modify the web.xml

Add the CAS Filters to the end of the filter list.
(info) See Configuring the Jasig CAS Client for Java in the web.xml for parameters

$JIRA_HOME/WEB-INF/web.xml
<!-- CAS:START - Java Client Filters -->
<filter>
   <filter-name>CasSingleSignOutFilter</filter-name>
   <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
  <filter-name>CasAuthenticationFilter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://cas.institution.edu/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://jira.institution.edu/jira/</param-value>
  </init-param>
</filter>
<filter>
    <filter-name>CasValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://cas.institution.edu/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>https://jira.institution.edu/jira/</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<!--- CAS:END -->

Don't Forget To Change the URLs

 

Before the login filter-mapping add:

$JIRA_HOME/WEB-INF/web.xml
<!-- CAS:START - Java Client Filter Mappings -->
<filter-mapping>
   <filter-name>CasSingleSignOutFilter</filter-name>
   <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CasAuthenticationFilter</filter-name>
    <url-pattern>/login.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CasValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- CAS:END -->

Add the Single Sign Out listener to the list of listener list too

$JIRA_HOME/WEB-INF/web.xml
<!-- CAS:START - Java Client Single Sign Out Listener -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- CAS:END -->

Modify the seraph-config.xml

To rely on the Single Sign Out functionality to sign off of Jira, comment out the normal logout URL and replace it with the CAS logout URL. Also, change the login links to point to the CAS login service.

$JIRA_HOME/WEB-INF/classes/seraph-config.xml
<init-param>
    <!--
      The login URL to redirect to when the user tries to access a protected resource (rather than clicking on
      an explicit login link). Most of the time, this will be the same value as 'link.login.url'.
    - if the URL is absolute (contains '://'), then redirect that URL (for SSO applications)
    - else the context path will be prepended to this URL

    If '${originalurl}' is present in the URL, it will be replaced with the URL that the user requested.
    This gives SSO login pages the chance to redirect to the original page
    -->
    <param-name>login.url</param-name>
    <!--<param-value>/login.jsp?os_destination=${originalurl}</param-value>-->
    <param-value>http://cas.institution.edu/cas/login?service=${originalurl}</param-value>
</init-param>
<init-param>
    <!--
      the URL to redirect to when the user explicitly clicks on a login link (rather than being redirected after
      trying to access a protected resource). Most of the time, this will be the same value as 'login.url'.
    - same properties as login.url above
    -->
    <param-name>link.login.url</param-name>
    <!--<param-value>/login.jsp?os_destination=${originalurl}</param-value>-->
    <!--<param-value>/secure/Dashboard.jspa?os_destination=${originalurl}</param-value>-->
    <param-value>http://cas.institution.edu/cas/login?service=${originalurl}</param-value>
</init-param>
<init-param>
    <!-- URL for logging out.
    - If relative, Seraph just redirects to this URL, which is responsible for calling Authenticator.logout().
    - If absolute (eg. SSO applications), Seraph calls Authenticator.logout() and redirects to the URL
    -->
    <param-name>logout.url</param-name>
    <!--<param-value>/secure/Logout!default.jspa</param-value>-->
    <param-value>https://cas.institution.edu/cas/logout</param-value>
</init-param>

Don't Forget To Change the URLs

 
CAS Authenticator

Comment out the DefaultAuthenticator like so:

$JIRA_HOME/WEB-INF/classes/seraph-config.xml
<!-- CROWD:START - The authenticator below here will need to be commented out for Crowd SSO integration -->
<!--
<authenticator class="com.atlassian.seraph.auth.DefaultAuthenticator"/>
-->
<!-- CROWD:END -->

And add in the JASIG CAS Jira Authenticator

For JIRA 4.4 or later:

$JIRA_HOME/WEB-INF/classes/seraph-config.xml
<!-- CAS:START - Java Client Jira Authenticator -->
<authenticator class="org.jasig.cas.client.integration.atlassian.Jira44CasAuthenticator"/>
<!-- CAS:END -->

For JIRA 4.3 or earlier:

$JIRA_HOME/WEB-INF/classes/seraph-config.xml
<!-- CAS:START - Java Client Jira Authenticator -->
<authenticator class="org.jasig.cas.client.integration.atlassian.JiraCasAuthenticator"/>
<!-- CAS:END -->
This page contains macros or features from a plugin which requires a valid license.

You will need to contact your administrator.

CAS Jar Libs

Copy cas-client-core-3.x.y.jar and cas-client-integration-atlassian-3.x.y.jar to $JIRA_HOME/WEB-INF/lib

Troubleshooting

Characters encoding

See Configuring Confluence with JASIG CAS Client for Java 3.1 Troubleshooting section

  • No labels

1 Comment

  1. Hey there

    I have done this in my test JIRA Enviroment and it is not working. Do I need to install and configure a cas server as well?