Trusted Applications authentication is no longer the authentication type we recommend. This page is retained for legacy purposes.

We recommend using OAuth authentication when creating an application link. You can obtain an identical configuration to Trusted Apps authentication by using OAuth, and selecting the 2-Legged OAuth with Impersonation option.


The instructions on this page describe how to configure Trusted Applications for an application link. You can configure outgoing authentication (authentication of requests sent from this application to a linked application) and/or incoming authentication (authentication of requests coming from a linked application into this application).

Trusted Applications authentication lets one application grant access to specified functions on another application on behalf of any user, without the user having to log into the second application. For example, if you configure a JIRA server to trust a Confluence server, every Confluence user will see exactly the same list of issues when they view the Confluence 'JIRA Issues' macro as they see when they use the JIRA issue navigator as a logged-in JIRA user.

A typical scenario is setting up an application link between two applications which trust each other, have the same set of users and both have the application links plugin installed. In this case, you would configure Trusted Applications for both outgoing authentication and incoming authentication. See Configuring authentication for an application link for other configurations.

  • Trusted applications are a potential security risk. When you configure Trusted Applications authentication, you are allowing one application to access another as any user. This allows all of the built-in security measures to be bypassed. Do not configure a trusted application unless you know that all code in the application you are trusting will behave itself at all times, and you are sure that the application will maintain the security of its private key.
  • Only use Trusted Applications authentication if both your servers have the same set of users and the servers fully trust each other.

  • The instructions below assume that both of the applications that you are linking have the Application Links plugin installed. If the remote application that you are linking to supports Trusted Applications, but does not have the Application Links plugin installed, you will need to configure Trusted Applications from within the remote application (see the relevant administrator's documentation for the application) in addition to configuring the outgoing/incoming authentication for the application link (as described below).

Configuring outgoing Trusted Applications authentication will allow the remote application to trust your local application (i.e. allow your application to access specified functions and data on the remote application).

  1. Log in as a system administrator and go to the administration page. Click Application Links in the administration menu. The 'Configure Application Links' page will appear, showing the application links that have been set up.
  2. Click Configure for the application link for which you want to configure Trusted Applications authentication.
  3. Click the Outgoing Authentication tab (the Trusted Applications tab will be displayed).
  4. Log in to the remote application, if necessary, using credentials for the remote server.
  5. Configure the settings for the Trusted Applications authentication according to the table below.
  6. Click Apply.

Configuring incoming Trusted Applications authentication will allow your local application to trust the remote application that you are linking it to (i.e. allow your 'trusted' remote application to access specified functions and data on your local application).

  1. Log in as a system administrator and go to the administration page. Click Application Links in the administration menu. The 'Configure Application Links' page will appear, showing the application links that have been set up.
  2. Click Configure for the application link for which you want to configure Trusted Applications authentication.
  3. Click the Incoming Authentication tab (the Trusted Applications tab will be displayed).
  4. Use the Modify or Configure buttons and configure Trusted Applications authentication according to the table below.
  5. Click Apply.


IP Patterns

IP addresses (IPv4 only) from which the local application will accept requests. Use commas or spaces to separate m

Specify wildcard matches using an asterisk (*), e.g. 192.111.*.* (but you can't use netmasks to specify network ranges).

Warning: If you are setting up Trusted Applications between two applications that both have the Application Links plugin installed, you can leave this field blank (or explicitly use *.*.*.*).

However, if your remote application does not have the Application Links plugin installed and you are configuring the IP Patterns in the remote application (not the Application Links plugin), you must not leave this field blank nor use *.*.*.*. Failure to configure IP address restrictions in this scenario is a security vulnerability, allowing an unknown site to log into your site under a user's login ID.


Consider the following scenarios, if you want to limit access by using this field:

  • If the remote application is using a proxy server, you need to add the proxy server's IP address to this field.
  • If the remote application is a clustered instance of Confluence, you need to accept requests from each cluster node, otherwise Confluence users may not be able to view any data from your application. Either specify the IP address for each node of the cluster (e.g. 172.16.0.10, 172.16.0.11, 172.16.0.12), or specify the IP address for your clustered Confluence instance using wildcards (e.g. 172.16.0.*).

URL Patterns

Enter the local application URLs that the remote application will be allowed to access – each URL corresponds to a particular application function.

Enter one URL per line, as follows:

/plugins/servlet/streams
/sr/jira.issueviews:searchrequest
/secure/RunPortlet
/rest
/rpc/soap
/plugins/servlet/applinks/whoami
/rpc/xmlrpc

Certificate Timeout (ms)

Enter a certificate timeout value. The default is 10 seconds – you should not have to change this for most application links.

The certificate timeout helps to prevent replay attacks. For example, if a Trusted Applications request is intercepted and (maliciously) re-sent more than the certificate timeout period after the initial request, it will be rejected. Note that the certificate timeout relies on the clocks on both servers being synchronized.
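As an added example (not code from the original page or from Atlassian's Application Links plugin), the following Python sketches the three server-side checks the table describes: IP pattern matching with per-octet asterisk wildcards and no netmask support, URL patterns applied as path prefixes, and the certificate timeout as a replay defence. Prefix matching for URL patterns and rejection of future-dated certificates are assumptions, not documented behaviour.

```python
import re
from typing import List

def ip_matches_pattern(ip: str, patterns: str) -> bool:
    """IPv4-only match against comma/space separated patterns such as
    '172.16.0.10, 172.16.0.11' or '192.111.*.*'. A blank pattern list
    (or *.*.*.*) accepts every address, which is the risky configuration
    the page warns about. Netmask notation (10.0.0.0/8) never matches."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return False  # not a well-formed IPv4 address
    pats = [p for p in re.split(r"[,\s]+", patterns.strip()) if p]
    if not pats:
        return True  # blank field: accept from anywhere
    for pat in pats:
        parts = pat.split(".")
        if len(parts) == 4 and all(p == "*" or p == o for p, o in zip(parts, octets)):
            return True
    return False

def url_allowed(path: str, url_patterns: List[str]) -> bool:
    """Assumed semantics: the request path must equal a configured URL or
    live under it as a path prefix ('/rest' covers '/rest/api/...' but
    not '/restricted')."""
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in url_patterns)

def certificate_fresh(cert_created_ms: int, now_ms: int, timeout_ms: int = 10_000) -> bool:
    """Replay defence: a certificate older than the timeout (default 10 s)
    is rejected. Future-dated certificates are rejected too (assumption),
    which is why unsynchronized clocks cause spurious failures."""
    age = now_ms - cert_created_ms
    return 0 <= age <= timeout_ms

def evaluate_request(remote_ip: str, path: str, cert_created_ms: int, now_ms: int,
                     ip_patterns: str, url_patterns: List[str],
                     timeout_ms: int = 10_000) -> List[str]:
    """Return the list of failed checks; an empty list means accept."""
    failures = []
    if not ip_matches_pattern(remote_ip, ip_patterns):
        failures.append("ip")
    if not url_allowed(path, url_patterns):
        failures.append("url")
    if not certificate_fresh(cert_created_ms, now_ms, timeout_ms):
        failures.append("timeout")
    return failures

if __name__ == "__main__":
    # Constructed sample: a clustered Confluence node calling the JIRA REST API.
    print(evaluate_request("172.16.0.11", "/rest/api/2/search", 1_000, 5_000,
                           "172.16.0.*", ["/rest", "/rpc/soap"]))  # []
```

Re-sending the same sample request 15 seconds later yields `['timeout']`, which is the replay rejection the page describes; a remote clock that runs ahead of the local one produces the same failure.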

Configuring Basic HTTP authentication for an application link
Configuring OAuth authentication for an application link