- Bug
- Resolution: Fixed
- Low
- 6.6.0
- Oracle
- 2
- Severity 3 - Minor
Issue Summary
When a GET REST call is made by an authenticated user from AD who has no email address, an XSRF error is thrown because Bamboo attempts to update the email_address column of the cwd_user table during a read-only request.
This issue occurs only when Bamboo uses an Oracle database.
Environment
- Bamboo 6.7.2
- Oracle DB
- Users from AD without email
Steps to Reproduce
- Use a user imported from AD who has no email address
- Make a GET REST call:
  curl -k -u admin:adminpwd \
    -H 'Content-type: application/json' \
    -H 'Accept: application/json' \
    -X GET http://bamboo672:8085/rest/api/latest/result/TES-TES/2.json
Expected Results
A JSON response like:
{
  "expand": "changes,metadata,plan,artifacts,comments,labels,jiraIssues,stages",
  "link": {"href": "http://bamboo663:8085/rest/api/latest/result/TES-TES-1", "rel": "self"},
  "plan": {
    "shortName": "testApp",
    "shortKey": "TES",
    "type": "chain",
    "enabled": true,
    "link": {"href": "http://bamboo663:8085/rest/api/latest/plan/TES-TES", "rel": "self"},
    "key": "TES-TES",
    "name": "TestAppLink - testApp",
    "planKey": {"key": "TES-TES"}
  },
  "planName": "testApp",
  "projectName": "TestAppLink",
  "buildResultKey": "TES-TES-1",
  "lifeCycleState": "Finished",
  "id": 983041,
  "buildStartedTime": "2019-03-18T20:36:05.827Z",
  "prettyBuildStartedTime": "Mon, 18 Mar, 08:36 PM",
  "buildCompletedTime": "2019-03-18T20:36:07.653Z",
  "buildCompletedDate": "2019-03-18T20:36:07.653Z",
  "prettyBuildCompletedTime": "Mon, 18 Mar, 08:36 PM",
  "buildDurationInSeconds": 1,
  "buildDuration": 1826,
  "buildDurationDescription": "1 second",
  "buildRelativeTime": "2 minutes ago",
  "buildTestSummary": "No tests found",
  "successfulTestCount": 0,
  "failedTestCount": 0,
  "quarantinedTestCount": 0,
  "skippedTestCount": 0,
  "continuable": false,
  "onceOff": false,
  "restartable": false,
  "notRunYet": false,
  "finished": true,
  "successful": true,
  "buildReason": "Manual run by <a href=\"http://bamboo663:8085/browse/user/admin\">admin</a>",
  "reasonSummary": "Manual run by <a href=\"http://bamboo663:8085/browse/user/admin\">admin</a>",
  "artifacts": {"size": 0, "start-index": 0, "max-result": 0},
  "comments": {"size": 0, "start-index": 0, "max-result": 0},
  "labels": {"size": 0, "start-index": 0, "max-result": 0},
  "jiraIssues": {"size": 0, "start-index": 0, "max-result": 0},
  "stages": {"size": 1, "start-index": 0, "max-result": 1},
  "changes": {"size": 0, "start-index": 0, "max-result": 0},
  "metadata": {"size": 3, "start-index": 0, "max-result": 3},
  "key": "TES-TES-1",
  "planResultKey": {"key": "TES-TES-1", "entityKey": {"key": "TES-TES"}, "resultNumber": 1},
  "state": "Successful",
  "buildState": "Successful",
  "number": 1,
  "buildNumber": 1
}
Actual Results
The following exception is thrown:
2019-03-08 14:46:30,612 ERROR [http-nio-127.0.0.1-8085-exec-136] [ApplicationServiceGeneric] Directory 'Active Directory server (282624001)' is not functional during authentication of 'admin'. Skipped.
2019-03-08 14:46:30,612 ERROR [http-nio-127.0.0.1-8085-exec-136] [ReadOnlyGetMethodEnforcer] emailAddress:null->, lowerEmailAddress:null->, updatedDate:2019-03-08 14:33:25.407->Fri Mar 08 14:46:30 EST 2019
2019-03-08 14:46:30,612 ERROR [http-nio-127.0.0.1-8085-exec-136] [ReadOnlyGetMethodEnforcer] Entity mutation is not allowed
2019-03-08 14:46:30,613 WARN [http-nio-127.0.0.1-8085-exec-136] [XsrfUtils] XSRF: A mutative operation was attempted on InternalUser within a non-mutative HTTP request: http://bamboo672:8085/rest/api/latest/result/TES-TES/2.json
    at com.atlassian.bamboo.utils.XsrfUtils.fail(XsrfUtils.java:27)
    at com.atlassian.bamboo.hibernate.ReadOnlyGetMethodEnforcer.fail(ReadOnlyGetMethodEnforcer.java:124)
    at com.atlassian.bamboo.hibernate.ReadOnlyGetMethodEnforcer.onFlushDirty(ReadOnlyGetMethodEnforcer.java:75)
    at org.springframework.orm.hibernate.support.ChainedInterceptorSupport.onFlushDirty(ChainedInterceptorSupport.java:104)
    at org.springframework.orm.hibernate.support.ChainedInterceptorSupport.onFlushDirty(ChainedInterceptorSupport.java:104)
    at org.hibernate.event.internal.DefaultFlushEntityEventListener.invokeInterceptor(DefaultFlushEntityEventListener.java:355)
    at org.hibernate.event.internal.DefaultFlushEntityEventListener.handleInterception(DefaultFlushEntityEventListener.java:332)
    at org.hibernate.event.internal.DefaultFlushEntityEventListener.scheduleUpdate(DefaultFlushEntityEventListener.java:283)
    at org.hibernate.event.internal.DefaultFlushEntityEventListener.onFlushEntity(DefaultFlushEntityEventListener.java:154)
    at org.hibernate.event.internal.AbstractFlushingEventListener.flushEntities(AbstractFlushingEventListener.java:235)
    at org.hibernate.event.internal.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:94)
    at org.hibernate.event.internal.DefaultAutoFlushEventListener.onAutoFlush(DefaultAutoFlushEventListener.java:44)
    at org.hibernate.internal.SessionImpl.autoFlushIfRequired(SessionImpl.java:1415)
    at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1952)
    at org.hibernate.internal.CriteriaImpl.list(CriteriaImpl.java:370)
    at org.hibernate.internal.CriteriaImpl.uniqueResult(CriteriaImpl.java:392)
    at com.atlassian.crowd.dao.user.UserDAOHibernate.findByNameInternal(UserDAOHibernate.java:485)
    at com.atlassian.crowd.dao.user.UserDAOHibernate.findByName(UserDAOHibernate.java:174)
    at com.atlassian.crowd.dao.user.UserDAOHibernate.findByNameWithAttributes(UserDAOHibernate.java:210)
    at com.atlassian.crowd.dao.user.UserDAOHibernate.findByNameWithAttributes(UserDAOHibernate.java:59)
    at com.atlassian.crowd.directory.AbstractInternalDirectory.authenticate(AbstractInternalDirectory.java:198)
    at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:284)
    at sun.reflect.GeneratedMethodAccessor4205.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:197)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:294)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
    at com.sun.proxy.$Proxy178.authenticateUser(Unknown Source)
    at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.authenticateUser(ApplicationServiceGeneric.java:182)
    at sun.reflect.GeneratedMethodAccessor4204.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:197)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:294)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
    at com.sun.proxy.$Proxy181.authenticateUser(Unknown Source)
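Added example, not part of the ticket and not Bamboo's code: a small Python triage script that parses Bamboo log lines in the format quoted above, pairs the ReadOnlyGetMethodEnforcer field diff with the XsrfUtils warning on the same request thread, and reports which entity fields flipped from null to an empty string. The line layout, logger names and message texts are taken from this ticket; the sample input is the ticket's own four log lines, embedded here as constructed data, so the script runs offline.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the four log lines from this ticket, one event per entry.
SAMPLE_LOG = [
    "2019-03-08 14:46:30,612 ERROR [http-nio-127.0.0.1-8085-exec-136] [ApplicationServiceGeneric] "
    "Directory 'Active Directory server (282624001)' is not functional during authentication of 'admin'. Skipped.",
    "2019-03-08 14:46:30,612 ERROR [http-nio-127.0.0.1-8085-exec-136] [ReadOnlyGetMethodEnforcer] "
    "emailAddress:null->, lowerEmailAddress:null->, updatedDate:2019-03-08 14:33:25.407->Fri Mar 08 14:46:30 EST 2019",
    "2019-03-08 14:46:30,612 ERROR [http-nio-127.0.0.1-8085-exec-136] [ReadOnlyGetMethodEnforcer] "
    "Entity mutation is not allowed",
    "2019-03-08 14:46:30,613 WARN [http-nio-127.0.0.1-8085-exec-136] [XsrfUtils] XSRF: A mutative operation "
    "was attempted on InternalUser within a non-mutative HTTP request: "
    "http://bamboo672:8085/rest/api/latest/result/TES-TES/2.json",
]

# "<timestamp> <LEVEL> [<thread>] [<logger>] <message>", as in the ticket's log.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"\[(?P<thread>[^\]]+)\] \[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
# One entry of the enforcer's diff: "<field>:<old>-><new>".
FIELD_RE = re.compile(r"^(?P<name>\w+):(?P<old>.*?)->(?P<new>.*)$")
XSRF_RE = re.compile(
    r"A mutative operation was attempted on (?P<entity>\S+) "
    r"within a non-mutative HTTP request: (?P<url>\S+)"
)

Change = Tuple[Optional[str], Optional[str]]


def parse_field_diff(msg: str) -> Optional[Dict[str, Change]]:
    """Turn "a:null->, b:x->y" into {"a": (None, ""), "b": ("x", "y")}.
    Returns None when the message is not a field diff at all."""
    changes: Dict[str, Change] = {}
    for item in msg.split(", "):
        m = FIELD_RE.match(item)
        if not m:
            return None
        old, new = m.group("old"), m.group("new")
        changes[m.group("name")] = (
            None if old == "null" else old,
            None if new == "null" else new,
        )
    return changes


def triage(lines: List[str]) -> List[dict]:
    """Group enforcer/XSRF events by request thread and return the requests
    that were actually blocked, with the field diff and the GET URL attached."""
    by_thread: Dict[str, dict] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Bamboo log line (e.g. a stack-trace frame)
        rec = by_thread.setdefault(
            m.group("thread"), {"fields": {}, "entity": None, "url": None, "blocked": False}
        )
        logger, msg = m.group("logger"), m.group("msg")
        if logger == "ReadOnlyGetMethodEnforcer":
            diff = parse_field_diff(msg)
            if diff:
                rec["fields"].update(diff)
            elif "not allowed" in msg:
                rec["blocked"] = True
        elif logger == "XsrfUtils":
            x = XSRF_RE.search(msg)
            if x:
                rec["entity"], rec["url"] = x.group("entity"), x.group("url")
    return [r for r in by_thread.values() if r["blocked"]]


def null_to_empty_fields(incident: dict) -> List[str]:
    """Fields that went from NULL to '' -- the signature of this ticket's bug."""
    return sorted(
        name for name, (old, new) in incident["fields"].items() if old is None and new == ""
    )


if __name__ == "__main__":
    for inc in triage(SAMPLE_LOG):
        print(inc["entity"], inc["url"], null_to_empty_fields(inc))
```

Run against a real atlassian-bamboo.log, the same two functions tell you whether the blocked update is the null-to-empty e-mail pattern from this ticket or some other entity mutation (BAM-21051, linked below, produces the same XsrfUtils warning for a different reason).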
Workaround
Update the users that have no email address and give each of them a non-empty email address; the address does not need to be valid.
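The ticket does not say why the update only happens on Oracle. The added example below, which is not Bamboo's code, models the likely mechanism as an assumption: Oracle stores an empty VARCHAR2 as NULL, so an e-mail saved as '' is read back as null; if the application then normalises that null back to '' (an assumed step chosen to match the emailAddress:null-> transition in the log), the ORM dirty check sees a change on every flush and the read-only enforcer rejects the GET. A non-empty e-mail round-trips unchanged, which is why the workaround works, and a backend that keeps '' distinct from NULL never sees a difference. The backend names, the field names and the users_needing_workaround helper are illustrative, not Bamboo identifiers.

```python
from typing import Dict, List, Optional, Tuple


class ReadOnlyViolation(Exception):
    """Stands in for the ReadOnlyGetMethodEnforcer/XsrfUtils failure in the ticket."""


def store_varchar(db: str, value: Optional[str]) -> Optional[str]:
    """What a VARCHAR column hands back after a write.
    Oracle treats an empty string as NULL (real Oracle behaviour); the other
    backend modelled here keeps '' and NULL distinct."""
    if db == "oracle" and value == "":
        return None
    return value


def normalize_email(email: Optional[str]) -> str:
    """Assumed application step: the entity never exposes a null e-mail, only ''.
    This is a hypothetical reconstruction that matches the log, not Bamboo's code."""
    return "" if email is None else email


def dirty_fields(loaded: Dict[str, Optional[str]],
                 current: Dict[str, Optional[str]]) -> Dict[str, Tuple]:
    """ORM-style dirty check: every field whose in-memory value differs from the
    snapshot loaded from the database would be written back on flush."""
    return {k: (loaded[k], current[k]) for k in loaded if loaded[k] != current[k]}


def flush(loaded: Dict[str, Optional[str]], current: Dict[str, Optional[str]],
          http_method: str) -> Dict[str, Tuple]:
    """Flush the entity; any pending UPDATE inside a GET is refused."""
    changes = dirty_fields(loaded, current)
    if changes and http_method.upper() == "GET":
        raise ReadOnlyViolation(f"entity mutation in a GET request: {changes}")
    return changes


def simulate_get(db: str, stored_email: Optional[str]) -> Tuple[bool, Dict[str, Tuple]]:
    """One authenticated GET for a user whose e-mail was saved as stored_email.
    Returns (blocked, changes): blocked is True when the request would fail
    with the XSRF error from the ticket."""
    raw = store_varchar(db, stored_email)
    loaded = {"email_address": raw, "lower_email_address": raw.lower() if raw else raw}
    email = normalize_email(loaded["email_address"])
    current = {"email_address": email, "lower_email_address": email.lower()}
    try:
        return False, flush(loaded, current, "GET")
    except ReadOnlyViolation:
        return True, dirty_fields(loaded, current)


def users_needing_workaround(rows: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Given (user_name, email_address) rows read from cwd_user, list the users
    the workaround applies to. NULL and '' both qualify, so the same check is
    right whichever database produced the rows."""
    return sorted(name for name, email in rows if not email)


if __name__ == "__main__":
    # Constructed scenarios: Oracle with and without the workaround, and a
    # backend that stores '' as ''.
    for db, email in [("oracle", ""), ("oracle", "nobody@example.invalid"), ("postgresql", "")]:
        blocked, changes = simulate_get(db, email)
        print(f"{db:10} stored={email!r:28} blocked={blocked} changes={changes}")
    print(users_needing_workaround([("admin", None), ("alice", "a@example.invalid"), ("bob", "")]))
```

The model reproduces the three observations in the ticket: the GET is refused only on Oracle, only for users with an empty e-mail, and giving the user any non-empty address (valid or not) removes the spurious update. The last helper is the check to run before applying the workaround, so that every affected account is fixed rather than only the one that surfaced in the log.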
- is related to BAM-21051: XSRF failure for GET REST requests when Update group membership on login is enabled and user or group membership is updated (Closed)