How do I disable Stash's internal authentication and delegate that to an external entity e.g. Kerberos authentication on Apache?
The following information hasn't been tested.
Look at the OAuthFilter as a starting point for building such a plugin, since it's open source:
- https://studio.atlassian.com/source/browse/OAUTH/trunk/service-provider-plugin/src/main/java/com/atlassian/oauth/serviceprovider/internal/servlet/OAuthFilter.java?r=111426
- https://studio.atlassian.com/source/browse/OAUTH/trunk/service-provider-plugin/src/main/resources/atlassian-plugin.xml?r=130342 (Specifically, lines 94-99 show how to register the filter in the plugin framework. Note that your filter will need to be in both the REQUEST and FORWARD dispatchers for /scm, just like the OAuthFilter is for /*.)
You will not need to use the AuthenticationListener (although you can) and you can opt to use UserService.preauthenticate instead for simplicity. UserService.preauthenticate was built specifically to support this type of "trusted connection" situation.
You can have all authentication with Stash done via Kerberos if you apply your filter to /* instead of /scm.
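One way to write the filter described above, added here as an example and not taken from Stash or the OAuth plugin. The class name, the Preauthenticator interface (a stand-in for UserService.preauthenticate, whose signature is not shown on this page), the realm value, and the assumption that Apache hands the Kerberos principal to the container as the remote user are all hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter that trusts the identity Apache established via Kerberos. */
public class TrustedRemoteUserFilter implements Filter {
    /** Hypothetical stand-in for the UserService.preauthenticate call. */
    public interface Preauthenticator {
        void preauthenticate(String username) throws Exception;
    }

    private final Preauthenticator preauth;
    private final String realmSuffix; // e.g. "@EXAMPLE.COM" (constructed value)

    public TrustedRemoteUserFilter(Preauthenticator preauth, String realm) {
        this.preauth = preauth;
        this.realmSuffix = "@" + realm;
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Assumption: the principal arrives as user@REALM via the container's
        // remote user. Never read it from a header the client can set itself.
        String principal = request.getRemoteUser();
        // Fail closed: no principal, or one from an unexpected realm, gets no session.
        if (principal == null || !principal.endsWith(realmSuffix)
                || principal.length() == realmSuffix.length()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String username = principal.substring(0, principal.length() - realmSuffix.length());
        try {
            // Trusted-connection login: no password is checked at this point.
            preauth.preauthenticate(username);
        } catch (Exception e) {
            // Unknown or inactive user: refuse rather than fall through.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Because the filter performs a password-less login for whatever name it is given, the application port should only be reachable through the Apache instance that performs the Kerberos check.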