Waffle · hazendaz · Mar 17, 2018 · Mar 14, 2018 · Mar 14, 2018 · Mar 15, 2018
diff --git a/Docs/ServletSingleSignOnSecurityFilter.md b/Docs/ServletSingleSignOnSecurityFilter.md
@@ -10,7 +10,7 @@ Configuring Web Servers
 
 The following steps are required to configure a web server with the Waffle Servlet Security Filter. These instructions work for Tomcat, Jetty, WebSphere and possibly others.
 
-Package Waffle JARs (1.8.2), including `waffle-jna-1.8.2.jar`, `guava-20.0.jar`, `jna-4.2.2.jar`, `jna-platform-4.2.2.jar` and `slf4j-1.7.22.jar` in the application's `lib` directory or copy them to your web server's lib. 
+Package Waffle JARs (1.8.4), including `waffle-jna-1.8.4.jar`, `guava-20.0.jar`, `jna-4.3.0.jar`, `jna-platform-4.3.0.jar` and `slf4j-1.7.22.jar` in the application's `lib` directory or copy them to your web server's lib. 
 
 - For latest snapshot instead use `waffle-jna-1.9.0-SNAPSHOT`, `caffeine-2.3.5.jar`, `jna-4.3.0.jar`, `jna-platform-4.3.0.jar` and `slf4j-1.7.22.jar`.
 
@@ -40,6 +40,7 @@ The filter can be configured with the following `init-param` options.
 * waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols: A list of security protocols supported by the `NegotiateSecurityFilterProvider`. Can be one of or a combination of Negotiate and NTLM. 
 * waffle.servlet.spi.BasicSecurityFilterProvider/realm: The name of the Realm for BASIC authentication. 
 * impersonate: Allow impersonation. When true the remote user will be impersonated. Note that there is no mapping between the Windows native threads, under which the impersonation takes place, and the Java threads. Thus you'll need to use Windows native APIs to perform impersonated actions. Any action done in Java will still be performed with the user account running the servlet container. 
+* excludePatterns: Url patterns to exclude from the filter, uses regex for pattern matching
 
 Filter Configuration Example
 ----------------------------
@@ -64,6 +65,13 @@ Filter Configuration Example
       <param-name>impersonate</param-name>
       <param-value>true</param-value>
   </init-param>
+  <init-param>
+      <param-name>excludePatterns</param-name>
+      <param-value>
+        .*/rest/.*
+        .*/api/v2/.*
+      </param-value>
+  </init-param>
   <init-param>
       <param-name>securityFilterProviders</param-name>
       <param-value>

diff --git a/Docs/faq/AtlassianJIRA.md b/Docs/faq/AtlassianJIRA.md
@@ -1,10 +1,52 @@
-Can Waffle be used with Atlassian products, notably JIRA?
-=========================================================
+# Can Waffle be used with Atlassian products, notably JIRA?
 
-Yes, almost. Follow the [Servlet Filter Configuration Instructions](https://github.com/dblock/waffle/blob/master/Docs/ServletSingleSignOnSecurityFilter.md). 
+----
+
+Yes. Follow the [Servlet Filter Configuration Instructions](https://github.com/dblock/waffle/blob/master/Docs/ServletSingleSignOnSecurityFilter.md). 
+
+Tested with Jira 7.6.3
 
 * Deploy libs into tomcat's lib or application's `WEB-INF/lib`.
-* Update `WEB-INF/web.xml` with `filter` and `filter-mapping`. Place the 'filter' before the last filter of JIRA, ie. `JiraLastFilter`.
+  * slf4j-1.7.22.jar can be excluded as a newer version is bundled with JIRA.
+* Update `WEB-INF/web.xml` with `filter` and `filter-mapping`. 
+  * Place the 'filter' before the last filter of JIRA, ie. `JiraLastFilter`.
+    ```xml
+    <filter>
+        <filter-name>SecurityFilter</filter-name>
+        <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
+        <init-param>
+            <param-name>excludePatterns</param-name>
+            <param-value>
+                .*/rest/.*
+                .*/secure/CreateIssue.*
+                .*/secure/QuickCreateIssue.*
+            </param-value>
+        </init-param>
+    </filter>
+    ```
+  * Place the 'filter-mapping' before the login filter-mapping of JIRA.
+    ```xml
+    <filter-mapping>
+        <filter-name>SecurityFilter</filter-name>
+        <url-pattern>/</url-pattern>
+        <url-pattern>/*</url-pattern>
+        <dispatcher>REQUEST</dispatcher>
+        <dispatcher>FORWARD</dispatcher>
+        <dispatcher>POST</dispatcher>
+    </filter-mapping>
+    ```
 * Update `seraph-config.xml` to use a custom authenticator, [RemoteUserJiraAuth](https://marketplace.atlassian.com/plugins/anguswarren.jira.RemoteUserJiraAuth). Modification may be needed.
+  * [Source](https://github.com/AngusWarren/remoteuserauth)
+  * [Modification](https://github.com/AngusWarren/remoteuserauth/pull/6/files)
+
+## Can AD users change or reset their password?
+
+No, although this can be done through active directory
+
+## Can I log in as a non-AD user?
+
+Yes, log out and click log back in, this should bring up the login portal to log in as another user.
+
+## I'm not seeing the startup page or my gadgets are not displaying properly
 
-Several JIRA features won't work, including the ability for AD user to reset and/or change password. The ability for non-AD user to login to the portal.
+Check the location of your filter-mapping and make sure it is exactly before the filter mapping `JiraLastFilter`
diff --git a/Source/JNA/waffle-jna/src/main/java/waffle/servlet/NegotiateSecurityFilter.java b/Source/JNA/waffle-jna/src/main/java/waffle/servlet/NegotiateSecurityFilter.java
@@ -1,7 +1,7 @@
 /**
  * Waffle (https://github.com/Waffle/waffle)
  *
- * Copyright (c) 2010-2017 Application Security, Inc.
+ * Copyright (c) 2010-2018 Application Security, Inc.
  *
  * All rights reserved. This program and the accompanying materials are made available under the terms of the Eclipse
  * Public License v1.0 which accompanies this distribution, and is available at
@@ -72,6 +72,9 @@ public class NegotiateSecurityFilter implements Filter {
     /** The impersonate. */
     private boolean                          impersonate;
 
+    /** The exlusion filter. */
+    private String[]                         excludePatterns;
+
     /** The Constant PRINCIPALSESSIONKEY. */
     private static final String              PRINCIPALSESSIONKEY = NegotiateSecurityFilter.class.getName()
             + ".PRINCIPAL";
@@ -107,6 +110,15 @@ public void doFilter(final ServletRequest sreq, final ServletResponse sres, fina
         NegotiateSecurityFilter.LOGGER.debug("{} {}, contentlength: {}", request.getMethod(), request.getRequestURI(),
                 Integer.valueOf(request.getContentLength()));
 
+        String url = request.getRequestURL().toString();
+        for (String pattern : excludePatterns) {
+            if (url.matches(pattern)) {
+                NegotiateSecurityFilter.LOGGER.info("Pattern :{} excluded URL:{}", url, pattern);
+                chain.doFilter(sreq, sres);
+                return;
+            }
+        }
+
         if (this.doFilterPrincipal(request, response, chain)) {
             // previously authenticated user
             return;
@@ -298,6 +310,9 @@ public void init(final FilterConfig filterConfig) throws ServletException {
                     case "authProvider":
                         authProvider = parameterValue;
                         break;
+                    case "excludePatterns":
+                        excludePatterns = parameterValue.split("\\s+");
+                        break;
                     default:
                         implParameters.put(parameterName, parameterValue);
                         break;
@@ -364,7 +379,7 @@ public void init(final FilterConfig filterConfig) throws ServletException {
 
     /**
      * Set the principal format.
-     * 
+     *
      * @param format
      *            Principal format.
      */
@@ -375,7 +390,7 @@ public void setPrincipalFormat(final String format) {
 
     /**
      * Principal format.
-     * 
+     *
      * @return Principal format.
      */
     public PrincipalFormat getPrincipalFormat() {
@@ -384,7 +399,7 @@ public PrincipalFormat getPrincipalFormat() {
 
     /**
      * Set the principal format.
-     * 
+     *
      * @param format
      *            Role format.
      */
@@ -395,7 +410,7 @@ public void setRoleFormat(final String format) {
 
     /**
      * Principal format.
-     * 
+     *
      * @return Role format.
      */
     public PrincipalFormat getRoleFormat() {
@@ -404,7 +419,7 @@ public PrincipalFormat getRoleFormat() {
 
     /**
      * Send a 401 Unauthorized along with protocol authentication headers.
-     * 
+     *
      * @param response
      *            HTTP Response
      * @param close
@@ -427,7 +442,7 @@ private void sendUnauthorized(final HttpServletResponse response, final boolean
 
     /**
      * Windows auth provider.
-     * 
+     *
      * @return IWindowsAuthProvider.
      */
     public IWindowsAuthProvider getAuth() {
@@ -436,7 +451,7 @@ public IWindowsAuthProvider getAuth() {
 
     /**
      * Set Windows auth provider.
-     * 
+     *
      * @param provider
      *            Class implements IWindowsAuthProvider.
      */
@@ -446,7 +461,7 @@ public void setAuth(final IWindowsAuthProvider provider) {
 
     /**
      * True if guest login is allowed.
-     * 
+     *
      * @return True if guest login is allowed, false otherwise.
      */
     public boolean isAllowGuestLogin() {
@@ -474,7 +489,7 @@ public boolean isImpersonate() {
 
     /**
      * Security filter providers.
-     * 
+     *
      * @return A collection of security filter providers.
      */
     public SecurityFilterProviderCollection getProviders() {