Authenticate Apache against JIRA

JIRA LogoA while back I explained in a post, how to setup Atlassian products behind an Apache with basic authentication using Apache’s user base. Although that can be quite handy to separate the user bases in some cases, it can be really annoying for users to have to authenticate twice. Once against the Apache user base, and after that against Atlassian’s. So I started to find out, how to get Apache to authenticate against Atlassian’s user base only – namely JIRA.

Searching for Apache and JIRA authentication integration doesn’t really return much. Most of the postings are about Atlassian’s Crowd product that implements Single Sign On (SSO) and seems to be a valid option. But since I only own an expired Starter-License for JIRA, Confluence and Fisheye and don’t want to spend another license for Crowd, that wasn’t an option for me.

Somehow I had in my mind, that JIRA is often called JIRA/Crowd in Atlassian’s documentation. Also Confluence and Fisheye can be configured to authenticate against JIRA – without Crowd. Then I also stumbled across their Apache Crowd Connector and thought, maybe JIRA also offers that kind of Crowd authentication code. So I started to dig deeper and finally found a way to get it work – without a separate Crowd installation!

First, you have to install the Apache Crowd Connector as described in the documentation link above. Depending on your operating system, you might have to build the connector by yourself. So you have to follow the build instructions in the documentation. Note, that this connector only works with Apache 2.2! So if you’re running 2.4, like me, you have to apply additional patches to get things done. As it seems that Atlassian does not support that Connector any longer. Sadly, there exist only two pull requests (PR1 and PR2) that add 2.4 support but haven’t been merged into the main code base yet. And most likely never will due to the expiring support this year.

So to build a working connector for 2.4, you have to download the source code for the 2.2 version and apply one of the pull requests. I tried the PR2 and it built sucessfully on my Ubuntu 14.04 box. So I can’t tell you if PR1 is also working correctly. After the build, you can copy the resulting to your apache modules directory and enable it by adding an appropriate .load script to mods-enabled dir.

After the installation of the module is finished, you have to add the Crowd authentication to e.g. your <Location> directive like so:

AuthName "Atlassian Crowd"
AuthType Basic
AuthBasicProvider crowd
CrowdAppName apache
CrowdAppPassword mysecretpassword
Require valid-user

Note, that this might won’t work within a .htaccess file, like mentioned in the docs somewhere. But I didn’t tried that by myself.

The CrowdURL must point to the root of your JIRA installation. In this example, JIRA runs on a tomcat with jira as context root. The CrowdAppName and CrowdAppPassword settings reference the “Other Application Links” within JIRA’s User Server section. There you have to create an additonal entry, e.g. with the name “apache” and “mysecretpassword” as the password.

After going through the steps mentioned above, you should now have a running Apache authentication against the JIRA user base! And if you have configured other Atlassian products like Confluence or Fisheye, you now have to authenticate only once to access all products!

I’ve tried to above configuration against a JIRA 5.1.3 Server with Apache 2.4, running on a Ubuntu 14.04 server. If you can confirm that it works for a different setup, please let me know!