How do I disable Stash's internal authentication and delegate it to an external entity, e.g. Kerberos authentication on Apache?

The following information hasn't been tested.

While it is not possible to disable Stash's internal authentication, plugins can "participate" in it. Both Trusted Apps and OAuth perform this kind of special authentication, and both are implemented as plugins, so their functionality can be duplicated.

Look at the OAuthFilter as a starting point for building such a plugin, since it's open source:

- https://studio.atlassian.com/source/browse/OAUTH/trunk/service-provider-plugin/src/main/java/com/atlassian/oauth/serviceprovider/internal/servlet/OAuthFilter.java?r=111426
- https://studio.atlassian.com/source/browse/OAUTH/trunk/service-provider-plugin/src/main/resources/atlassian-plugin.xml?r=130342 (Specifically lines 94-99 show how to register the filter in the plugin framework. Note that your filter will need to be in both the REQUEST and FORWARD dispatchers for /scm, just like the OAuthFilter is for /*)

You do not need to use the AuthenticationListener (although you can); for simplicity you can use UserService.preauthenticate instead. UserService.preauthenticate was built specifically to support this type of "trusted connection" situation.

To have all authentication with Stash done via Kerberos, apply your filter to /* instead of /scm.
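A sketch of such a filter, added here as an example; it is not Atlassian's code and is as untested against Stash as the rest of this page. It assumes Apache performs the Kerberos negotiation and hands the authenticated principal to Stash's connector as REMOTE_USER, and that only Apache can reach that connector. `PreAuthenticator` is a hypothetical seam standing in for UserService.preauthenticate (its exact signature is an assumption), and the realm value is constructed.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class KerberosPreAuthFilter implements Filter {
    /** Hypothetical seam: in a real plugin this would wrap UserService.preauthenticate. */
    public interface PreAuthenticator {
        void preauthenticate(String username) throws Exception;
    }

    private final PreAuthenticator preAuth;
    private final String realm; // the only Kerberos realm accepted, e.g. "EXAMPLE.COM" (constructed)

    public KerberosPreAuthFilter(PreAuthenticator preAuth, String realm) {
        this.preAuth = preAuth;
        this.realm = realm;
    }

    /** Maps "alice@EXAMPLE.COM" to "alice"; null for a foreign realm or malformed principal. */
    static String toUsername(String principal, String realm) {
        if (principal == null) return null;
        int at = principal.lastIndexOf('@');
        if (at <= 0 || !principal.substring(at + 1).equals(realm)) return null;
        String user = principal.substring(0, at);
        return user.matches("[A-Za-z0-9._-]+") ? user : null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Identity set by the connector from Apache's REMOTE_USER, not a request header
        // a client could supply. Assumes only Apache can reach Stash's connector.
        String user = toUsername(((HttpServletRequest) req).getRemoteUser(), realm);
        if (user != null) {
            try {
                preAuth.preauthenticate(user);
            } catch (Exception e) { // unknown or inactive user: fail closed
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(req, res); // no principal: Stash's own authentication still applies
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

If the principal is instead passed in an HTTP header, Apache must strip any client-supplied copy of that header before setting it, and Stash must not be reachable except through Apache.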

Last modified on Dec 13, 2012
