Details
- Bug
- Resolution: Fixed
- High
- 5.14.0, 6.7.1
- 2
- Severity 2 - Major
- 3
Description
Issue Summary
When Bitbucket Data Center is configured for replicated sessions and the load balancer in front of it does not support sticky sessions, logging in through SAML fails.
Steps to Reproduce
- Configure Bitbucket DC + SAML integration
- Enable hazelcast.http.sessions=replicated with a Load Balancer that does not support sticky sessions.
Expected Results
Logging in through SAML works, since the sessions are replicated and sticky sessions should not be needed.
Actual Results
The following is logged in the atlassian-bitbucket.log file:
2020-01-29 16:39:32,370 INFO [http-nio-7990-exec-9] *10PL8OLx999x13x0 ipohdm 185.48.102.19 "POST /plugins/servlet/samlconsumer HTTP/1.1" c.a.h.s.OsgiSafeStreamSerializer ClassNotFoundException during deserialization of object from OSGI bundle system: com.atlassian.plugins.authentication.impl.web.saml.SessionData
2020-01-29 16:39:32,370 INFO [http-nio-7990-exec-9] *10PL8OLx999x13x0 ipohdm 185.48.102.19 "POST /plugins/servlet/samlconsumer HTTP/1.1" c.a.h.s.OsgiSafeStreamSerializer ClassNotFoundException during deserialization of object from OSGI bundle system: com.atlassian.plugins.authentication.impl.web.saml.SessionData
2020-01-29 16:39:32,650 ERROR [http-nio-7990-exec-9] *10PL8OLx999x13x0 ipohdm 185.48.102.19 "POST /plugins/servlet/samlconsumer HTTP/1.1" c.onelogin.saml2.authn.SamlResponse The Response has an InResponseTo attribute: ONELOGIN_f7c7511b-4860-4828-81dc-244cecf240e2 while no InResponseTo was expected
2020-01-29 16:39:32,650 ERROR [http-nio-7990-exec-9] *10PL8OLx999x13x0 ipohdm 185.48.102.19 "POST /plugins/servlet/samlconsumer HTTP/1.1" com.onelogin.saml2.Auth processResponse error. invalid_response
2020-01-29 16:39:32,659 ERROR [http-nio-7990-exec-9] *10PL8OLx999x13x0 ipohdm 185.48.102.19 "POST /plugins/servlet/samlconsumer HTTP/1.1" c.a.p.a.i.w.f.ErrorHandlingFilter Received invalid SAML response: The Response has an InResponseTo attribute: ONELOGIN_f7c7511b-4860-4828-81dc-244cecf240e2 while no InResponseTo was expected
com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: The Response has an InResponseTo attribute: ONELOGIN_f7c7511b-4860-4828-81dc-244cecf240e2 while no InResponseTo was expected
    at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:89)
    at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48)
    at com.atlassian.plugins.authentication.impl.web.saml.provider.impl.OneloginJavaSamlProvider.extractSamlResponse(OneloginJavaSamlProvider.java:80)
    at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:85)
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
    at com.atlassian.analytics.client.filter.UniversalAnalyticsFilter.doFilter(UniversalAnalyticsFilter.java:75)
    at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:33)
    at com.atlassian.plugins.authentication.impl.web.filter.ErrorHandlingFilter.doFilter(ErrorHandlingFilter.java:81)
    at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
    at com.atlassian.bitbucket.internal.ratelimit.servlet.filter.RateLimitFilter.doFilter(RateLimitFilter.java:75)
    at com.opensymphony.sitemesh.webapp.SiteMeshFilter.obtainContent(SiteMeshFilter.java:181)
    at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:85)
    at com.atlassian.plugin.connect.plugin.auth.scope.ApiScopingFilter.doFilter(ApiScopingFilter.java:81)
    at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
    at com.atlassian.stash.internal.spring.security.StashAuthenticationFilter.doFilter(StashAuthenticationFilter.java:110)
    at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doInsideSpringSecurityChain(BeforeLoginPluginAuthenticationFilter.java:112)
    at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:75)
    at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:94)
    at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:67)
    at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
    at com.atlassian.plugin.connect.plugin.auth.oauth2.DefaultSalAuthenticationFilter.doFilter(DefaultSalAuthenticationFilter.java:69)
    at com.atlassian.plugin.connect.plugin.auth.user.ThreeLeggedAuthFilter.doFilter(ThreeLeggedAuthFilter.java:109)
    at com.atlassian.jwt.internal.servlet.JwtAuthFilter.doFilter(JwtAuthFilter.java:37)
    at com.atlassian.analytics.client.filter.DefaultAnalyticsFilter.doFilter(DefaultAnalyticsFilter.java:33)
    at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:33)
    at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
    at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doBeforeBeforeLoginFilters(BeforeLoginPluginAuthenticationFilter.java:90)
    at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:73)
    at com.atlassian.stash.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:87)
    at com.hazelcast.web.WebFilter.doFilter(WebFilter.java:371)
    at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:36)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.lang.Thread.run(Thread.java:748)
    ... 235 frames trimmed
2020-01-29 16:40:16,485 INFO [http-nio-7990-exec-1] *10PL8OLx1000x37x2 185.48.102.19 c.a.h.s.OsgiSafeStreamSerializer ClassNotFoundException during deserialization of object from OSGI bundle system: com.atlassian.plugins.authentication.impl.web.saml.SessionData
2020-01-29 16:40:16,487 INFO [http-nio-7990-exec-3] *10PL8OLx1000x35x0 185.48.102.19 c.a.h.s.OsgiSafeStreamSerializer ClassNotFoundException during deserialization of object from OSGI bundle system: com.atlassian.plugins.authentication.impl.web.saml.SessionData
2020-01-29 16:40:16,489 INFO [http-nio-7990-exec-10] *10PL8OLx1000x36x1 185.48.102.19 c.a.h.s.OsgiSafeStreamSerializer ClassNotFoundException during deserialization of object from OSGI bundle system: com.atlassian.plugins.authentication.impl.web.saml.SessionData
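The chain behind the log above, as an added illustration that is not Atlassian's or OneLogin's code: the SP stores the AuthnRequest ID in the HTTP session, and an IdP response that carries an InResponseTo while the receiving node holds no stored ID is rejected with exactly the message logged. The session key name, the minimal Response document and the "replication drops the SAML entry" step are constructed assumptions standing in for the undeserializable SessionData object.

```python
from typing import Dict, Optional, Tuple
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SESSION_KEY = "saml_request_id"  # hypothetical session attribute name


def start_login(session: Dict[str, str]) -> str:
    """SP side of SP-initiated login: mint an AuthnRequest ID and park it in the
    HTTP session so the matching Response can later be recognised."""
    request_id = "ONELOGIN_" + str(uuid.uuid4())
    session[SESSION_KEY] = request_id
    return request_id


def validate_in_response_to(response_xml: str, session: Dict[str, str]) -> Tuple[bool, str]:
    """Compare the Response's InResponseTo with the ID remembered in the session.
    The rejection text mirrors the message seen in atlassian-bitbucket.log."""
    in_response_to = ET.fromstring(response_xml).get("InResponseTo")
    expected = session.get(SESSION_KEY)
    if expected is None and in_response_to is None:
        # No outstanding request and no InResponseTo: IdP-initiated flow (general SAML behaviour).
        return True, "unsolicited response accepted"
    if expected is None:
        return False, (f"The Response has an InResponseTo attribute: {in_response_to} "
                       "while no InResponseTo was expected")
    if in_response_to != expected:
        return False, f"InResponseTo {in_response_to} does not match expected {expected}"
    return True, "response matches the outstanding request"


def constructed_response(in_response_to: Optional[str]) -> str:
    """Constructed, minimal <samlp:Response>; only the attribute under test matters here."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0"{attr}/>'


def simulate(sticky_sessions: bool) -> Tuple[bool, str]:
    """Node A starts the login. With sticky sessions the IdP's POST returns to
    node A; without them it lands on node B, whose replicated copy of the session
    lacks the SAML entry because the SessionData object could not be deserialized."""
    node_a: Dict[str, str] = {}
    request_id = start_login(node_a)
    node_b = {k: v for k, v in node_a.items() if k != SESSION_KEY}  # constructed loss
    target = node_a if sticky_sessions else node_b
    return validate_in_response_to(constructed_response(request_id), target)
```

Running simulate(False) reproduces the rejection; the check itself is the correct defence against replayed or unsolicited responses, so the fix has to restore the session state on every node rather than relax the check.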
Workaround
No workaround