Type: Bug
Resolution: Low Engagement
Priority: Low
Affects Version/s: 7.2.0, 7.1.2
Component/s: Data Center
Severity 3 - Minor
Issue Summary
The OpenID Connect configuration UI (https://<URL>/plugins/servlet/authentication-config) does not validate the issuer URL field: a URL with a scheme other than http or https is accepted and passed straight to OIDC discovery.
Steps to Reproduce
- Go to https://<URL>/plugins/servlet/authentication-config
- Set Issuer URL to a syntactically valid URL with a scheme other than http or https, e.g. "file:///path/to/file" or "jar:http://poc.local!/".
- Fill all other mandatory settings
- Click "save configuration"
Expected Results
Error message "Issuer URL is invalid"
Actual Results
The configuration is not rejected with a validation error. The PUT /rest/authconfig/latest/sso request instead fails with an uncaught ClassCastException, logged to atlassian-bitbucket.log: the discovery client casts the connection opened for the issuer URL to HttpURLConnection, and a file: URL yields a FileURLConnection.
2020-04-29 18:20:02,529 ERROR [http-nio-7990-exec-10] siteadmin @TBU0D3x1100x514x0 1mdbw90 172.16.71.1,172.16.71.134 "PUT /rest/authconfig/latest/sso HTTP/1.1" c.a.p.r.c.e.j.ThrowableExceptionMapper Uncaught exception thrown by REST service: class sun.net.www.protocol.file.FileURLConnection cannot be cast to class java.net.HttpURLConnection (sun.net.www.protocol.file.FileURLConnection and java.net.HttpURLConnection are in module java.base of loader 'bootstrap')
java.lang.ClassCastException: class sun.net.www.protocol.file.FileURLConnection cannot be cast to class java.net.HttpURLConnection (sun.net.www.protocol.file.FileURLConnection and java.net.HttpURLConnection are in module java.base of loader 'bootstrap')
    at com.nimbusds.oauth2.sdk.http.HTTPRequest.toHttpURLConnection(HTTPRequest.java:786)
    at com.nimbusds.oauth2.sdk.http.HTTPRequest.send(HTTPRequest.java:882)
    at com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata.resolve(OIDCProviderMetadata.java:1318)
    at com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata.resolve(OIDCProviderMetadata.java:1283)
    at com.atlassian.plugins.authentication.impl.web.oidc.OidcDiscoverySupport.fetch(OidcDiscoverySupport.java:49)
    at com.atlassian.plugins.authentication.impl.web.oidc.OidcDiscoverySupport.refresh(OidcDiscoverySupport.java:31)
    at com.atlassian.plugins.authentication.impl.config.SsoConfigService.refreshDiscoveryIfNeeded(SsoConfigService.java:100)
    at com.atlassian.plugins.authentication.impl.config.SsoConfigService.updateSsoConfig(SsoConfigService.java:70)
    at com.atlassian.plugins.authentication.impl.rest.SsoConfigResourceService.updateConfig(SsoConfigResourceService.java:84)
    at com.atlassian.plugins.authentication.impl.rest.SsoConfigResource.updateConfig(SsoConfigResource.java:39)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24)
    at com.atlassian.bitbucket.internal.xcode.web.XcodeUserAgentFilter.doFilter(XcodeUserAgentFilter.java:36)
    at com.atlassian.analytics.client.filter.UniversalAnalyticsFilter.doFilter(UniversalAnalyticsFilter.java:75)
    at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:33)
    at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
    at com.atlassian.bitbucket.internal.ratelimit.servlet.filter.RateLimitFilter.doFilter(RateLimitFilter.java:75)
    at com.atlassian.plugin.connect.plugin.auth.scope.ApiScopingFilter.doFilter(ApiScopingFilter.java:81)
    at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
    at com.atlassian.stash.internal.spring.security.StashAuthenticationFilter.doFilter(StashAuthenticationFilter.java:85)
    at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doInsideSpringSecurityChain(BeforeLoginPluginAuthenticationFilter.java:112)
    at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:75)
    at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:94)
    at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:67)
    at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
    at com.atlassian.plugin.connect.plugin.auth.oauth2.DefaultSalAuthenticationFilter.doFilter(DefaultSalAuthenticationFilter.java:69)
    at com.atlassian.plugin.connect.plugin.auth.user.ThreeLeggedAuthFilter.doFilter(ThreeLeggedAuthFilter.java:109)
    at com.atlassian.jwt.internal.servlet.JwtAuthFilter.doFilter(JwtAuthFilter.java:37)
    at com.atlassian.analytics.client.filter.DefaultAnalyticsFilter.doFilter(DefaultAnalyticsFilter.java:33)
    at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:33)
    at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
    at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doBeforeBeforeLoginFilters(BeforeLoginPluginAuthenticationFilter.java:90)
    at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:73)
    at com.atlassian.stash.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:87)
    at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.lang.Thread.run(Thread.java:834)
    ... 246 frames trimmed
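The scheme check that would produce the expected "Issuer URL is invalid" error before OIDCProviderMetadata.resolve is ever called, as an added example rather than Bitbucket or nimbus-jose-jwt code. The class name IssuerUrlValidator and the method names are assumptions, and the sample URLs in main are constructed from the ones in the steps above. It only needs java.net.URI, so it runs on its own with a Java 11 JDK:

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Issuer URL validation that should run before any discovery fetch.
 * Added example, not Bitbucket or nimbus-jose-jwt code; class and method
 * names are assumptions. Only http and https are accepted, because the
 * discovery client casts the opened connection to HttpURLConnection and
 * any other scheme (file:, jar:, ...) produces a different connection type.
 */
public final class IssuerUrlValidator {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    private IssuerUrlValidator() {
    }

    /** Returns true when the value is safe to hand to the OIDC discovery client. */
    public static boolean isValidIssuerUrl(String value) {
        if (value == null || value.isBlank()) {
            return false;
        }
        final URI uri;
        try {
            uri = new URI(value.trim());
        } catch (URISyntaxException e) {
            return false;
        }
        // "file:///path/to/file" and "jar:http://poc.local!/" both parse as URIs,
        // so parsing alone is not a check: the scheme itself must be an HTTP scheme.
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return false;
        }
        // Require a hierarchical URI with a host; "http:opaque" has neither.
        if (uri.isOpaque() || uri.getHost() == null || uri.getHost().isEmpty()) {
            return false;
        }
        // OpenID Connect Discovery 1.0 forbids query and fragment components in the issuer.
        return uri.getRawQuery() == null && uri.getRawFragment() == null;
    }

    /** Raises the validation error the UI should show instead of an uncaught ClassCastException. */
    public static URI requireValidIssuerUrl(String value) {
        if (!isValidIssuerUrl(value)) {
            throw new IllegalArgumentException("Issuer URL is invalid");
        }
        return URI.create(value.trim());
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the two rejected schemes are the ones from the steps to reproduce.
        String[] samples = {
            "https://login.example.com/realms/poc",   // accepted
            "http://idp.internal:8080",              // accepted (http)
            "file:///path/to/file",                  // rejected: file scheme
            "jar:http://poc.local!/",                // rejected: jar scheme
            "https://idp.example.com/?x=1",          // rejected: query component
            "not a url",                             // rejected: does not parse
        };
        for (String s : samples) {
            System.out.printf("%-40s -> %s%n", s, isValidIssuerUrl(s) ? "ok" : "Issuer URL is invalid");
        }
    }
}
```

The check constrains only the scheme and shape of the URL, not where it points: a site administrator can still direct discovery at any host the server can reach, which is a separate question from the missing validation reported here.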
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.