History | Log In     View a printable version of the current page.  
   HOME       BROWSE PROJECT       FIND ISSUES       PLANNING BOARD       TASK BOARD   
    QUICK SEARCH:  
Issue Details (XML | Word | Printable)

Key: JRA-14382
Type: Bug Bug
Status: Resolved Resolved
Resolution: Fixed
Priority: Major Major
Assignee: Jed Wesley-Smith [Atlassian]
Reporter: Jeff Turner [Atlassian]
Votes: 0
Watchers: 0
Operations

If you were logged in you would be able to see more operations.
JIRA

Misleading "Invalid certificate" error message when trusted apps IP address not allowed

Created: 31/Jan/08 09:10 PM   Updated: 19/May/08 06:35 PM
Component/s: Trusted Application Integration
Affects Version/s: None
Fix Version/s: 3.12.3

Time Tracking:
Not Specified

File Attachments: None
Image Attachments:

1. conf_invalidcerterror.png
(8 kb)

Participants: Jed Wesley-Smith [Atlassian] and Jeff Turner [Atlassian]
Since last comment: 21 weeks, 5 days ago
Resolution Date: 18/Feb/08 09:33 PM
Labels:


 Description  « Hide
If JIRA is configured to trust a Confluence server, and receives a RSS request from it, except that the IP address doesn't match, then JIRA sends back a response containing: 
X-Seraph-Trusted-App-Status: ERROR
X-Seraph-Trusted-App-Error: Invalid certificate

which Confluence displays:

This message is unhelpful and misleading. What is a "certificate", and why is it invalid? Users don't know or care. The error message ought to be something like "JIRA is not configured to trust the caller's IP address".



 All   Comments   Work Log   Change History      Sort Order: Ascending order - Click to sort in descending order
[ Permlink | « Hide ]
Jeff Turner [Atlassian] - 31/Jan/08 09:15 PM
In TrustedApplicationsFilter: 
catch (InvalidCertificateException e)
        {
            log.warn("Failed to login trusted application: " + app.getID() + " due to: " + e);
            // debug for stacktrace, no need for isDebugEnabled check as there is no string concatenation
            log.debug("Failed to login trusted application cause", e);
            setFailureHeader(response, "Invalid certificate");
            return BaseLoginFilter.LOGIN_ERROR;
        }

setFailureHeader() should be either mapping InvalidRemoteAddressExceptions to a useful message, or using e.getMessage().


[ Permlink | « Hide ]
Jed Wesley-Smith [Atlassian] - 01/Feb/08 01:31 AM
The decision to not tell the client why the request was denied was deliberate - we do not want malicious clients using the information to guess attack strategies. All relevant information is contained in the server log (ie. JIRA).

If we want this to change, we need to have a discussion about exactly what information we want to publish to the client, and what we don't.


[ Permlink | « Hide ]
Jed Wesley-Smith [Atlassian] - 18/Feb/08 09:33 PM
Fixed in Seraph 0.35


Powered by Atlassian JIRA the Professional Issue Tracker. (Enterprise Edition, Version: 3.12.3-#302) - Bug/feature request - Atlassian news - Contact Administrators