Configuring Jira with JASIG CAS Client for Java 3.1
As of JASIG CAS Client for Java 3.1.3, the distribution includes Atlassian Confluence and Jira support. Support is enabled by a custom CAS authenticator that extends the default authenticators.
WARNING: Use CAS Client for Java 3.3 or later for JIRA 4.3 or later. CAS Client for Java 3.1.x integration is broken for versions of JIRA 4.3 & later! See CASC-164 (Soulwing appears no better off, btw). This is fixed for version 3.3.0.
$JIRA_HOME Description
WAR/EAR Installation: <extracted archive directory>/webapp
/opt/atlassian/jira/atlassian-jira-enterprise-3.13.5/webapp
Standalone: <extracted archive directory>/atlassian-jira
/opt/atlassian/jira/atlassian-jira-enterprise-3.13.5-standalone/atlassian-jira
Modify the web.xml
Add the CAS Filters to the end of the filter list.
See Configuring the Jasig CAS Client for Java in the web.xml for parameters
<!-- CAS:START - Java Client Filters -->
<filter>
<filter-name>CasSingleSignOutFilter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
<filter-name>CasAuthenticationFilter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://cas.institution.edu/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>https://jira.institution.edu/jira/</param-value>
</init-param>
</filter>
<filter>
<filter-name>CasValidationFilter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://cas.institution.edu/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>https://jira.institution.edu/jira/</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<!--- CAS:END -->
Don't Forget To Change the URLs
Before the login filter-mapping add:
<!-- CAS:START - Java Client Filter Mappings -->
<filter-mapping>
<filter-name>CasSingleSignOutFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CasAuthenticationFilter</filter-name>
<url-pattern>/login.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CasValidationFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- CAS:END -->
Add the Single Sign Out listener to the list of listener list too
<!-- CAS:START - Java Client Single Sign Out Listener -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- CAS:END -->
Modify the seraph-config.xml
CAS login and logout links
To rely on the Single Sign Out functionality to sign off of Jira, comment out the normal logout URL and replace it with the CAS logout URL. Also, change the login links to point to the CAS login service.
<init-param>
<!--
The login URL to redirect to when the user tries to access a protected resource (rather than clicking on
an explicit login link). Most of the time, this will be the same value as 'link.login.url'.
- if the URL is absolute (contains '://'), then redirect that URL (for SSO applications)
- else the context path will be prepended to this URL
If '${originalurl}' is present in the URL, it will be replaced with the URL that the user requested.
This gives SSO login pages the chance to redirect to the original page
-->
<param-name>login.url</param-name>
<!--<param-value>/login.jsp?os_destination=${originalurl}</param-value>-->
<param-value>http://cas.institution.edu/cas/login?service=${originalurl}</param-value>
</init-param>
<init-param>
<!--
the URL to redirect to when the user explicitly clicks on a login link (rather than being redirected after
trying to access a protected resource). Most of the time, this will be the same value as 'login.url'.
- same properties as login.url above
-->
<param-name>link.login.url</param-name>
<!--<param-value>/login.jsp?os_destination=${originalurl}</param-value>-->
<!--<param-value>/secure/Dashboard.jspa?os_destination=${originalurl}</param-value>-->
<param-value>http://cas.institution.edu/cas/login?service=${originalurl}</param-value>
</init-param>
<init-param>
<!-- URL for logging out.
- If relative, Seraph just redirects to this URL, which is responsible for calling Authenticator.logout().
- If absolute (eg. SSO applications), Seraph calls Authenticator.logout() and redirects to the URL
-->
<param-name>logout.url</param-name>
<!--<param-value>/secure/Logout!default.jspa</param-value>-->
<param-value>https://cas.institution.edu/cas/logout</param-value>
</init-param>
Don't Forget To Change the URLs
CAS Authenticator
Comment out the DefaultAuthenticator like so:
<!-- CROWD:START - The authenticator below here will need to be commented out for Crowd SSO integration --> <!-- <authenticator class="com.atlassian.seraph.auth.DefaultAuthenticator"/> --> <!-- CROWD:END -->
And add in the JASIG CAS Jira Authenticator
For JIRA 4.4 or later:
<!-- CAS:START - Java Client Jira Authenticator --> <authenticator class="org.jasig.cas.client.integration.atlassian.Jira44CasAuthenticator"/> <!-- CAS:END -->
For JIRA 4.3 or earlier:
<!-- CAS:START - Java Client Jira Authenticator --> <authenticator class="org.jasig.cas.client.integration.atlassian.JiraCasAuthenticator"/> <!-- CAS:END -->
CAS Jar Libs
Copy cas-client-core-3.x.y.jar and cas-client-integration-atlassian-3.x.y.jar to $JIRA_HOME/WEB-INF/lib
Troubleshooting
Characters encoding
See Configuring Confluence with JASIG CAS Client for Java 3.1 Troubleshooting section