Documentation for JIRA 4.4. Documentation for other versions of JIRA is available too.


The instructions on this page describe how to configure Trusted Applications for outgoing authentication and/or incoming authentication of an application link.

Trusted Applications authentication allows one Atlassian application access to specified functions and data in another Atlassian application on behalf of any user. The user only needs to log in to one application, without needing to log in to the other. For this authentication to succeed, however, the user must have an account on both applications with the same user name.

For example, if Trusted Applications authentication were configured between a JIRA server and a Confluence server and every user had the same user name on both servers, any of these users (logged in only to Confluence) would see the same list of issues in a Confluence 'JIRA Issues' macro as they would through the JIRA Issue Navigator when logged in to JIRA independently. This includes issues restricted from public view that these users have permission to view.

If you were setting up an application link between two trusted applications which have the same set of users and user names (and both applications have the application links plugin installed), you would typically configure Trusted Applications for both outgoing authentication and incoming authentication. See Configuring Authentication for an Application Link for other configurations.


(warning) The information on this page does not apply to JIRA OnDemand.

  • Trusted applications are a potential security risk. When you configure Trusted Applications authentication, you are allowing one application to access another as any user. This allows all of the built-in security measures to be bypassed. Do not configure a trusted application unless you know that all code in the application you are trusting will behave itself at all times, and you are sure that the application will maintain the security of its private key.

  • The instructions below assume that both of the applications you are linking have the Application Links plugin installed. If the remote application that you are linking to supports Trusted Applications, but does not have the Application Links plugin installed, you will need to configure Trusted Applications from within the remote application (see the relevant administrator's documentation for the application) in addition to configuring the outgoing/incoming authentication for the application link (as described below).
  • You must be a JIRA system administrator to configure Trusted Applications authentication for an application link.

Configuring outgoing Trusted Applications authentication will allow JIRA to access functions and data on a remote application, on behalf of a user whose user name is the same on both applications.

To configure Trusted Applications authentication for an outgoing application link:

  1. Log in as a system administrator and go to the administration page. Click 'Application Links' in the administration menu. The 'Configure Application Links' page will appear, showing the application links that have been set up.
  2. Click the 'Configure' link next to the application link that you want to configure Trusted Applications authentication for.
  3. Click the 'Outgoing Authentication' tab. The outgoing authentication page will show, with the 'Trusted Applications' tab displayed.
  4. If you are not currently logged into the remote application (or you logged into the remote application under a variant of the application's hostname, e.g. the IP address), a login dialogue will display.
    • Enter the 'Username' and 'Password' for the remote server (not your local server), and click the 'Login' button. You need to enter the credentials for the remote server, as the remote server needs to be instructed to trust your local server for the Trusted Applications protocol to work. If you are already logged into your remote server, then the appropriate changes can be made without having to log in again.
  5. Configure the settings for the Trusted Applications authentication:
    • 'IP Patterns' — Enter the IP addresses (IPv4 only) from which the remote application will accept requests (this is effectively the IP address of your local server). You can specify wildcard matches by using an asterisk (*), e.g. '192.111.*.*' (note, you cannot use netmasks to specify network ranges). If you are entering multiple IP addresses, separate them with commas or spaces.
      (warning) Please note, if you are setting up Trusted Applications between two applications that both have the Application Links plugin installed, you can leave this field blank (or explicitly use *.*.*.*). However, if your remote application does not have the Application Links plugin installed and you are configuring the IP Patterns in the remote application (not the Application Links plugin), you must not leave this field blank nor use *.*.*.*. Failure to configure IP address restrictions in this scenario is a security vulnerability, allowing an unknown site to log into your site under a user's login ID.
      Consider the following scenarios, if you want to limit access by using this field:
      • If your local application is using a proxy server, you need to add the proxy server's IP address to this field.
      • If your local application is a clustered instance of Confluence, you need to configure the remote server to accept requests from each cluster node. If you do not set up each node appropriately, your Confluence users may not be able to view any information from the remote server. You can set this up by either specifying each individual IP address for each node of the cluster (e.g. 172.16.0.10, 172.16.0.11, 172.16.0.12), or specifying the IP address for the clustered Confluence instance using wildcards (e.g. 172.16.0.*).
    • 'URL Patterns' — Enter the URLs in the remote application that your local application will be allowed to access. Each URL corresponds to a particular application function. Enter one URL per line, as follows:
      • If your remote application is JIRA, enter the following URL Patterns: /plugins/servlet/streams, /sr/jira.issueviews:searchrequest, /secure/RunPortlet, /rest, /rpc/soap
      • If your remote application is Confluence, enter the following URL Patterns: /plugins/servlet/streams, /plugins/servlet/applinks/whoami
    • 'Certificate Timeout (ms)' — Enter the certificate timeout. The default is 10 seconds. The certificate timeout is used to prevent replay attacks. For example, if a Trusted Applications request is intercepted and (maliciously) re-sent, the application will be able to check when the request was first sent. If the second request is sent more than 10 seconds (or whatever the certificate timeout is set to) after the initial request, it will be rejected. Please note, you should not have to change the default value of this field for most application links. Note that the certificate timeout relies on the clocks on both servers being synchronised.
  6. Click the 'Apply' button to save your changes.

Configuring incoming Trusted Applications authentication will allow the remote application that you are linking to access functions and data in JIRA, on behalf of a user whose user name is the same on both applications.

To configure Trusted Applications authentication for an incoming application link:

  1. Log in as a system administrator and go to the administration page. Click 'Application Links' in the administration menu. The 'Configure Application Links' page will appear, showing the application links that have been set up.
  2. Click the 'Configure' link next to the application link that you want to configure Trusted Applications authentication for.
  3. Click the 'Incoming Authentication' tab. The incoming authentication page will show, with the 'Trusted Applications' tab displayed.
  4. The tab will show whether Trusted Applications is currently enabled or not. Use the 'Modify' or 'Configure' button to configure Trusted Applications. The Trusted Applications configuration settings will be displayed:
    • 'IP Patterns' — Enter the IP addresses (IPv4 only) from which your application will accept requests. You can specify wildcard matches by using an asterisk (*), e.g. '192.111.*.*' (note, you cannot use netmasks to specify network ranges). If you are entering multiple IP addresses, separate them with commas or spaces.
      (warning) Please note, if you are setting up Trusted Applications between two applications that both have the Application Links plugin installed, you can leave this field blank (or explicitly use *.*.*.*). However, if your remote application does not have the Application Links plugin installed and you are configuring the IP Patterns in the remote application (not the Application Links plugin), you must not leave this field blank nor use *.*.*.*. Failure to configure IP address restrictions in this scenario is a security vulnerability, allowing an unknown site to log into your site under a user's login ID.
      Consider the following scenarios, if you want to limit access by using this field:
      • If the remote application is using a proxy server, you need to add the proxy server's IP address to this field.
      • If the remote application is a clustered instance of Confluence, you need to accept requests from each cluster node. If you do not specify each node's address, Confluence users may not be able to view any data from your application. You can set this up by either specifying each individual IP address for each node of the cluster (e.g. 172.16.0.10, 172.16.0.11, 172.16.0.12), or specifying the IP address for your clustered Confluence instance using wildcards (e.g. 172.16.0.*).
    • 'URL Patterns' — Enter the local URLs that the remote application will be allowed to access. Each URL corresponds to a particular application function. Enter one URL per line, as follows:
      • If your local application is JIRA, enter the following URL Patterns: /plugins/servlet/streams, /sr/jira.issueviews:searchrequest, /secure/RunPortlet, /rest, /rpc/soap
      • If your local application is Confluence, enter the following URL Patterns: /plugins/servlet/streams, /plugins/servlet/applinks/whoami
    • 'Certificate Timeout (ms)' — Enter the certificate timeout. The default is 10 seconds. The certificate timeout is used to prevent replay attacks. For example, if a Trusted Applications request is intercepted and (maliciously) re-sent, the application will be able to check when the request was first sent. If the second request is sent more than 10 seconds (or whatever the certificate timeout is set to) after the initial request, it will be rejected. Please note, you should not have to change the default value of this field for most application links. Note that the certificate timeout relies on the clocks on both servers being synchronised.
  5. Click the 'Apply' button to save your changes.
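The 'IP Patterns', 'URL Patterns' and 'Certificate Timeout (ms)' settings are the same on the outgoing and incoming tabs above. The following is an added example, not code from JIRA or the Application Links plugin: a constructed Python model of how those three settings constrain a request, showing why a blank field or *.*.*.* admits any source address, why netmask syntax is rejected, and how the timeout bounds replays. It assumes URL patterns act as path prefixes and that freshness is simply the request's age measured on the receiver's clock; both are assumptions, not documented behaviour.

```python
import re
import time

# Constructed model (not Atlassian's code) of the three Trusted Applications
# settings on this page: IP Patterns, URL Patterns and Certificate Timeout (ms).
# Assumptions: URL patterns are path prefixes; freshness is "age <= timeout".
_PATTERN_RE = re.compile(r"^(\d{1,3}|\*)(\.(\d{1,3}|\*)){3}$")


def parse_ip_patterns(field):
    """Split the IP Patterns field on commas/spaces and validate each entry.
    Only IPv4 with per-octet '*' wildcards is accepted; netmask/CIDR forms such
    as 10.0.0.0/8 are rejected (the page says netmasks are unsupported).
    A blank field is equivalent to *.*.*.*, i.e. any source IP is accepted."""
    patterns = [p for p in re.split(r"[,\s]+", field.strip()) if p]
    for p in patterns:
        if not _PATTERN_RE.match(p) or any(o != "*" and int(o) > 255 for o in p.split(".")):
            raise ValueError("unsupported IP pattern: %r" % p)
    return patterns or ["*.*.*.*"]


def ip_matches(ip, patterns):
    """True if the IPv4 source address matches any configured wildcard pattern."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return False  # IPv6 or malformed addresses never match an IPv4 pattern
    return any(all(p in ("*", o) for p, o in zip(pat.split("."), octets)) for pat in patterns)


def url_allowed(path, url_patterns):
    """True if the requested path is a configured URL Pattern or lies under one."""
    return any(path == u or path.startswith(u.rstrip("/") + "/") for u in url_patterns)


def certificate_fresh(issued_at_ms, timeout_ms=10000, now_ms=None):
    """Replay window: reject a certificate older than the timeout (default 10 s).
    Age is measured on the receiver's clock, so a sender clock running behind by
    more than the timeout makes every legitimate request look replayed."""
    now = int(time.time() * 1000) if now_ms is None else now_ms
    return now - issued_at_ms <= timeout_ms


def accept_request(src_ip, path, issued_at_ms, ip_field, url_patterns,
                   timeout_ms=10000, now_ms=None):
    """Accept only when the source IP, the URL and the certificate age all pass."""
    return (ip_matches(src_ip, parse_ip_patterns(ip_field))
            and url_allowed(path, url_patterns)
            and certificate_fresh(issued_at_ms, timeout_ms, now_ms))
```

The `now_ms` parameter exists only so the replay window can be exercised with fixed, constructed timestamps; in normal use it is left as None and the receiver's clock is used.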
