Uploaded image for project: 'Bamboo Data Center'
  1. Bamboo Data Center
  2. BAM-20042

XSRF: A mutative operation was attempted on InternalMembership within a non-mutative HTTP request

    XMLWordPrintable

Details

    Description

      Steps to reproduce:

      1. Create a user in Crowd – do not sync the User Directory
      2. After user creation, try accessing the build dashboard

      Observation

      The following error is observed in BambooLogs:

      The following error occurs in the logs:

      atlassian-bamboo.log
      2018-08-13 16:51:53,850 ERROR [http-bio-8443-exec-9334] [FiveOhOh] 500 Exception was thrown.
java.lang.IllegalStateException: XSRF: A mutative operation was attempted on InternalMembership within a non-mutative HTTP request: https://bamboo.allstontrading.com:8443/rest/api/latest/deploy/dashboard/1966082 : [null]->
->[[42861051, 42893423, GROUP_USER, GROUP, traders, traders, options, options, Mon Aug 13 16:51:53 CDT 2018, com.atlassian.crowd.model.directory.DirectoryImpl_$$_jvsta48_12@57440f34[lowerName=crowd repository,description=External Crowd service upgraded from an existing atlassian-user configuration,type=CROWD,implementationClass=com.atlassian.crowd.directory.RemoteCrowdDirectory,allowedOperations=\[UPDATE_USER_ATTRIBUTE, UPDATE_GROUP_ATTRIBUTE],attributes={crowd.sync.incremental.enabled=true, application.password=********, crowd.server.url=https://jira.allstontrading.com:8443, com.atlassian.crowd.directory.sync.laststartsynctime=1534195001891, crowd.sync.group.membership.after.successful.user.auth.enabled=true, directory.cache.synchronise.interval=3600, com.atlassian.crowd.directory.sync.lastdurationms=187, com.atlassian.crowd.directory.sync.issynchronising=false, useNestedGroups=true, com.atlassian.crowd.directory.sync.cache.enabled=true, application.name=bamboo}]]]

at com.atlassian.bamboo.utils.XsrfUtils.fail(XsrfUtils.java:27)
at com.atlassian.bamboo.hibernate.ReadOnlyGetMethodEnforcer.fail(ReadOnlyGetMethodEnforcer.java:123)
at com.atlassian.bamboo.hibernate.ReadOnlyGetMethodEnforcer.failIfStateMutationNotAllowed(ReadOnlyGetMethodEnforcer.java:100)
at com.atlassian.bamboo.hibernate.ReadOnlyGetMethodEnforcer.onSave(ReadOnlyGetMethodEnforcer.java:84)
at org.springframework.orm.hibernate.support.ChainedInterceptorSupport.onSave(ChainedInterceptorSupport.java:118)
at com.atlassian.bamboo.persister.OidGenerationInterceptor.onSave(OidGenerationInterceptor.java:46)
at org.springframework.orm.hibernate.support.ChainedInterceptorSupport.onSave(ChainedInterceptorSupport.java:118)
at org.hibernate.event.internal.AbstractSaveEventListener.substituteValuesIfNecessary(AbstractSaveEventListener.java:377)
at org.hibernate.event.internal.AbstractSaveEventListener.performSaveOrReplicate(AbstractSaveEventListener.java:257)
at org.hibernate.event.internal.AbstractSaveEventListener.performSave(AbstractSaveEventListener.java:182)
at org.hibernate.event.internal.AbstractSaveEventListener.saveWithGeneratedId(AbstractSaveEventListener.java:125)
at org.hibernate.event.internal.DefaultSaveOrUpdateEventListener.saveWithGeneratedOrRequestedId(DefaultSaveOrUpdateEventListener.java:192)
at org.hibernate.event.internal.DefaultSaveEventListener.saveWithGeneratedOrRequestedId(DefaultSaveEventListener.java:38)
at org.hibernate.event.internal.DefaultSaveOrUpdateEventListener.entityIsTransient(DefaultSaveOrUpdateEventListener.java:177)
at org.hibernate.event.internal.DefaultSaveEventListener.performSaveOrUpdate(DefaultSaveEventListener.java:32)
at org.hibernate.event.internal.DefaultSaveOrUpdateEventListener.onSaveOrUpdate(DefaultSaveOrUpdateEventListener.java:73)
at org.hibernate.internal.SessionImpl.fireSave(SessionImpl.java:689)
at org.hibernate.internal.SessionImpl.save(SessionImpl.java:681)
at org.hibernate.internal.SessionImpl.save(SessionImpl.java:676)
at com.atlassian.crowd.util.persistence.hibernate.HibernateDao.save(HibernateDao.java:123)
at com.atlassian.crowd.dao.membership.MembershipDAOHibernate.addUserToGroup(MembershipDAOHibernate.java:140)
at com.atlassian.crowd.directory.AbstractInternalDirectory.addUserToGroup(AbstractInternalDirectory.java:799)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.addUserToGroupInternal(DbCachingRemoteDirectory.java:722)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.updateGroupsMembershipOnLogin(DbCachingRemoteDirectory.java:347)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.updateUserFromRemoteDirectory(DbCachingRemoteDirectory.java:258)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticateAndUpdateInternalUser(DbCachingRemoteDirectory.java:232)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticate(DbCachingRemoteDirectory.java:149)
at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:285)
at sun.reflect.GeneratedMethodAccessor1787.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:197)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:294)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
at com.sun.proxy.$Proxy156.authenticateUser(Unknown Source)
at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.authenticateUser(ApplicationServiceGeneric.java:185)
at sun.reflect.GeneratedMethodAccessor1786.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:197)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:294)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
at com.sun.proxy.$Proxy159.authenticateUser(Unknown Source)
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:70)
at com.atlassian.crowd.embedded.atlassianuser.EmbeddedCrowdAuthenticator.authenticate(EmbeddedCrowdAuthenticator.java:24)
at com.atlassian.crowd.embedded.atlassianuser.EmbeddedCrowdAuthenticator$$FastClassBySpringCGLIB$$af97c51b.invoke(<generated>)
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:684)
at com.atlassian.crowd.embedded.atlassianuser.EmbeddedCrowdAuthenticator$$EnhancerBySpringCGLIB$$cb218de2.authenticate(<generated>)
at bucket.user.DefaultUserAccessor.authenticate(DefaultUserAccessor.java:711)
at sun.reflect.GeneratedMethodAccessor1785.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:197)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:294)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
at com.sun.proxy.$Proxy175.authenticate(Unknown Source)
at com.atlassian.bamboo.user.authentication.BambooAuthenticator.authenticate(BambooAuthenticator.java:47)
at com.atlassian.seraph.auth.DefaultAuthenticator.login(DefaultAuthenticator.java:88)
at com.atlassian.bamboo.user.authentication.BambooAuthenticator.login(BambooAuthenticator.java:32)
at com.atlassian.seraph.auth.DefaultAuthenticator.getUserFromBasicAuthentication(DefaultAuthenticator.java:528)
at com.atlassian.seraph.auth.DefaultAuthenticator.getUser(DefaultAuthenticator.java:339)
at com.atlassian.seraph.filter.SecurityFilter.doFilter(SecurityFilter.java:139)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at com.atlassian.seraph.filter.BaseLoginFilter.doFilter(BaseLoginFilter.java:148)
at com.atlassian.seraph.filter.BambooLoginFilter.doFilter(BambooLoginFilter.java:37)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:39)
at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58)
at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:67)
at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64)
at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37)
at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58)
at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:103)
at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64)
at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37)
at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58)
at com.atlassian.plugins.rest.module.servlet.RestSeraphFilter.doFilter(RestSeraphFilter.java:37)
at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64)
at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37)
at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58)
at com.atlassian.prettyurls.filter.PrettyUrlsCombinedMatchDispatcherFilter.doFilter(PrettyUrlsCombinedMatchDispatcherFilter.java:56)
at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64)
at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37)
at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:70)
at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:58)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.springframework.orm.hibernate5.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:152)
at com.atlassian.bamboo.persistence.BambooSessionInViewFilter.doFilterInternal(BambooSessionInViewFilter.java:24)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at com.atlassian.bamboo.filter.RequestCacheThreadLocalFilter.doFilter(RequestCacheThreadLocalFilter.java:40)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at com.atlassian.bamboo.filter.ClickjackingAndMimeTypeSniffingPreventionFilter.doFilter(ClickjackingAndMimeTypeSniffingPreventionFilter.java:36)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at com.atlassian.bamboo.filter.CookieCacheControlFilter.doFilter(CookieCacheControlFilter.java:49)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at com.atlassian.core.filters.HeaderSanitisingFilter.doFilter(HeaderSanitisingFilter.java:44)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:39)
at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58)
at com.atlassian.analytics.client.filter.DefaultAnalyticsFilter.doFilter(DefaultAnalyticsFilter.java:38)
at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:39)
at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64)
at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37)
at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58)
at com.atlassian.prettyurls.filter.PrettyUrlsCombinedMatchDispatcherFilter.doFilter(PrettyUrlsCombinedMatchDispatcherFilter.java:56)
at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64)
at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37)
at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:70)
at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:58)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.valves.StuckThreadDetectionValve.invoke(StuckThreadDetectionValve.java:206)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:283)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
2018-08-13 16:51:53,868 ERROR [http-bio-8443-exec-9305] [ReadOnlyGetMethodEnforcer] State mutation is not allowed
2018-08-13 16:51:53,868 WARN [http-bio-8443-exec-9305] [XsrfUtils] XSRF: A mutative operation was attempted on InternalMembership within a non-mutative HTTP request: https://bamboo.allstontrading.com:8443/rest/api/latest/deploy/dashboard/1966082 : [null]->
->[[42861051, 42893423, GROUP_USER, GROUP, traders, traders, options, options, Mon Aug 13 16:51:53 CDT 2018, com.atlassian.crowd.model.directory.DirectoryImpl_$$_jvsta48_12@1f202a6e[lowerName=crowd repository,description=External Crowd service upgraded from an existing atlassian-user configuration,type=CROWD,implementationClass=com.atlassian.crowd.directory.RemoteCrowdDirectory,allowedOperations=\[UPDATE_USER_ATTRIBUTE, UPDATE_GROUP_ATTRIBUTE],attributes={crowd.sync.incremental.enabled=true, application.password=********, crowd.server.url=https://jira.allstontrading.com:8443, com.atlassian.crowd.directory.sync.laststartsynctime=1534195001891, crowd.sync.group.membership.after.successful.user.auth.enabled=true, directory.cache.synchronise.interval=3600, com.atlassian.crowd.directory.sync.lastdurationms=187, com.atlassian.crowd.directory.sync.issynchronising=false, useNestedGroups=true, com.atlassian.crowd.directory.sync.cache.enabled=true, application.name=bamboo}]]]

      Workaround 1

      Disable XSRF protection by performing the following:

      1. Click the cog icon in the Bamboo header and choose Overview.
      2. Choose Security settings in the left-hand panel.
      3. Choose Edit.
      4. Uncheck Enable XSRF protection to disable XSRF protection
      5. Choose Save.

      Workaround 2

      Force sync user directories as follows:

      1. Click the cog icon in the Bamboo header and choose Overview
      2. Choose User directories in the left-hand panel
      3. Find the external user directory
      4. Click the Synchronize link

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. BAM-21051 XSRF failure for GET REST requests when Update group membership on login is enabled and user or group membership is updated

          • Low - Low priority issues
          • Closed
          mentioned in

          Page Loading...

          was cloned as

          BDEV-14775 Loading...

          Activity

            People

              moles Marcin Oles
              bcarreon Bill Carreon (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: