-
Bug
-
Resolution: Fixed
-
Low
-
6.4.0
-
5
-
Severity 2 - Major
-
1
-
The problem
By default Bamboo's Crowd configuration (stored in the crowd.properties file, the exact location of which depending on the Bamboo version can be found here) does not include the Crowd's SSO cookie name. This will cause a flood of requests to Crowd to find out the cookie name on almost every action performed in Bamboo.
Can be identified by a high number of threads waiting / running with stacks similar to the below:
java.lang.Throwable at java.lang.Object.wait(Native Method) at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager.doGetConnection(MultiThreadedHttpConnectionManager.java:518) at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager.getConnectionWithTimeout(MultiThreadedHttpConnectionManager.java:416) at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:153) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.executeCrowdServiceMethod(RestExecutor.java:452) at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.andReceive(RestExecutor.java:341) at com.atlassian.crowd.integration.rest.service.RestCrowdClient.getCookieConfiguration(RestCrowdClient.java:1033) at com.atlassian.crowd.integration.http.CrowdHttpAuthenticatorImpl.getCookieTokenKey(CrowdHttpAuthenticatorImpl.java:219) at com.atlassian.crowd.integration.http.CrowdHttpAuthenticatorImpl.getToken(CrowdHttpAuthenticatorImpl.java:200) at com.atlassian.crowd.integration.http.CacheAwareCrowdHttpAuthenticator.getToken(CacheAwareCrowdHttpAuthenticator.java:83) at com.atlassian.crowd.integration.seraph.v25.CrowdAuthenticator.getUser(CrowdAuthenticator.java:345) at com.atlassian.seraph.auth.AbstractAuthenticator.getUser(AbstractAuthenticator.java:45) ...
java.lang.Throwable at java.net.SocketInputStream.socketRead0(Native Method) at java.net.SocketInputStream.socketRead(SocketInputStream.java:116) at java.net.SocketInputStream.read(SocketInputStream.java:170) at java.net.SocketInputStream.read(SocketInputStream.java:141) at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) at sun.security.ssl.InputRecord.read(InputRecord.java:503) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:930) at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) at java.io.BufferedInputStream.fill(BufferedInputStream.java:246) at java.io.BufferedInputStream.read(BufferedInputStream.java:265) at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78) at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106) at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1118) at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.readLine(MultiThreadedHttpConnectionManager.java:1413) at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:1974) at org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1736) at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1099) at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398) at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.executeCrowdServiceMethod(RestExecutor.java:452) at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.andReceive(RestExecutor.java:341) at com.atlassian.crowd.integration.rest.service.RestCrowdClient.getCookieConfiguration(RestCrowdClient.java:1033) at com.atlassian.crowd.integration.http.CrowdHttpAuthenticatorImpl.getCookieTokenKey(CrowdHttpAuthenticatorImpl.java:219) at com.atlassian.crowd.integration.http.CrowdHttpAuthenticatorImpl.getToken(CrowdHttpAuthenticatorImpl.java:200) at com.atlassian.crowd.integration.http.CacheAwareCrowdHttpAuthenticator.getToken(CacheAwareCrowdHttpAuthenticator.java:83) at com.atlassian.crowd.integration.seraph.v25.CrowdAuthenticator.getUser(CrowdAuthenticator.java:345) at com.atlassian.seraph.auth.AbstractAuthenticator.getUser(AbstractAuthenticator.java:45) at com.atlassian.seraph.auth.AbstractAuthenticator.getRemoteUser(AbstractAuthenticator.java:32) at com.atlassian.bamboo.user.BambooRemoteUserUtils.getRemoteUsername(BambooRemoteUserUtils.java:19) at com.atlassian.bamboo.analytics.MauServiceImpl.recordWebActivity(MauServiceImpl.java:65) at com.atlassian.bamboo.filter.AccessLogFilter.doFilter(AccessLogFilter.java:98) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240) ...
Your Crowd Server will also get excess requests to /rest/usermanagement/1/config/cookie from Bamboo.
The fix
Bamboo's default crowd.properties file should include the "cookie.tokenkey" property set to the default name of the Crowd SSO cookie "crowd.token_key". The documentation should also mention that the name of the cookie should be adjusted to match whatever is configured in Crowd.
The workaround
Adding the cookie.tokenkey property to Bamboo's crowd.properties:
- Stop Bamboo
- Edit your <bamboo-home>/xml-data/configuration/crowd.properties
- Add the below line
cookie.tokenkey=crowd.token_key
- Ensure the value of cookie.tokenkey matches your SSO cookie name at Crowd Administration >> General >> SSO cookie name. crowd.token_key is the default.
- Start Bamboo
Care must be taken when switching between "Custom user repository" and "Users and groups from JIRA or Crowd" as this may cause the crowd.properties file to be regenerated without the cookie name configured.