- Type: Bug
- Resolution: Unresolved
- Priority: Low
- Affects Version/s: 10.0.0
- Component/s: Authentication
- Severity 3 - Minor
Issue Summary
Users cannot log in using SAML/SSO if customers are monitoring their Bitbucket 10.0 JVMs with glowroot. Login with username/password still works (but that is often disabled when SAML/SSO is used).
Steps to Reproduce
- Set up glowroot monitoring of Bitbucket JVMs
- Set up SAML/SSO login
- Upgrade to Bitbucket 10
- Attempt to log in with SAML/SSO
Expected Results
Login works as expected
Actual Results
The login is rejected and the exception below is logged in the atlassian-bitbucket.log file:
2025-06-19 06:50:55,265 WARN [http-nio-7990-exec-21] *105CH3Ux410x6549x0 10.229.154.231,10.232.29.42 "POST /plugins/servlet/samlconsumer HTTP/1.1" c.a.p.a.s.w.saml.SamlConsumerServlet Received an invalid SamlResponse: com.atlassian.plugins.authentication.sso.web.saml.provider.InvalidSamlResponse: java.lang.ClassCastException: class org.glowroot.agent.plugin.jakartaservlet.bclglowrootbcl.ServletMessageSupplier cannot be cast to class org.glowroot.agent.plugin.servlet.bclglowrootbcl.ServletMessageSupplier (org.glowroot.agent.plugin.jakartaservlet.bclglowrootbcl.ServletMessageSupplier and org.glowroot.agent.plugin.servlet.bclglowrootbcl.ServletMessageSupplier are in unnamed module of loader 'bootstrap')
2025-06-19 06:50:55,265 ERROR [http-nio-7990-exec-21] *105CH3Ux410x6549x0 10.229.154.231,10.232.29.42 "POST /plugins/servlet/samlconsumer HTTP/1.1" c.a.p.a.s.w.f.ErrorHandlingFilter [UUID: 480f69d6-f742-4faa-a979-303693124189] java.lang.ClassCastException: class org.glowroot.agent.plugin.jakartaservlet.bclglowrootbcl.ServletMessageSupplier cannot be cast to class org.glowroot.agent.plugin.servlet.bclglowrootbcl.ServletMessageSupplier (org.glowroot.agent.plugin.jakartaservlet.bclglowrootbcl.ServletMessageSupplier and org.glowroot.agent.plugin.servlet.bclglowrootbcl.ServletMessageSupplier are in unnamed module of loader 'bootstrap')
com.atlassian.plugins.authentication.sso.web.saml.provider.InvalidSamlResponse: java.lang.ClassCastException: class org.glowroot.agent.plugin.jakartaservlet.bclglowrootbcl.ServletMessageSupplier cannot be cast to class org.glowroot.agent.plugin.servlet.bclglowrootbcl.ServletMessageSupplier (org.glowroot.agent.plugin.jakartaservlet.bclglowrootbcl.ServletMessageSupplier and org.glowroot.agent.plugin.servlet.bclglowrootbcl.ServletMessageSupplier are in unnamed module of loader 'bootstrap')
at com.atlassian.plugins.authentication.sso.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:130)
at com.atlassian.plugin.util.ContextClassLoaderSwitchingUtil.runInContext(ContextClassLoaderSwitchingUtil.java:48)
at com.atlassian.plugins.authentication.sso.web.saml.provider.impl.OneloginJavaSamlProvider.extractSamlResponse(OneloginJavaSamlProvider.java:125)
at com.atlassian.plugins.authentication.sso.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:97)
at com.atlassian.stash.internal.web.security.SecureServletModuleContainerServlet.service(SecureServletModuleContainerServlet.java:125)
at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:28)
at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:28)
at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:28)
at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:28)
at com.atlassian.analytics.client.filter.UniversalAnalyticsFilter.doFilter(UniversalAnalyticsFilter.java:80)
at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31)
at com.atlassian.plugins.authentication.sso.web.filter.ErrorHandlingFilter.doFilterInternal(ErrorHandlingFilter.java:84)
at com.atlassian.plugins.authentication.sso.web.filter.AbstractJohnsonAwareFilter.doFilter(AbstractJohnsonAwareFilter.java:29)
at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
at com.atlassian.bitbucket.internal.ratelimit.servlet.filter.RateLimitFilter.doFilter(RateLimitFilter.java:75)
at com.opensymphony.sitemesh.webapp.SiteMeshFilter.obtainContent(SiteMeshFilter.java:182)
at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:85)
at com.atlassian.theme.filter.DefaultRequestOverrideServletFilter.doFilter(DefaultRequestOverrideServletFilter.java:72)
at com.atlassian.troubleshooting.thready.filter.AbstractThreadNamingFilter.doFilter(AbstractThreadNamingFilter.java:46)
at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
at com.atlassian.stash.internal.web.auth.AuthorizationFailureInterceptor.doFilterInternal(AuthorizationFailureInterceptor.java:39)
at com.atlassian.stash.internal.spring.security.StashAuthenticationFilter.doFilter(StashAuthenticationFilter.java:111)
at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doInsideSpringSecurityChain(BeforeLoginPluginAuthenticationFilter.java:112)
at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:75)
at jakarta.servlet.http.HttpFilter.doFilter(HttpFilter.java:85)
at jakarta.servlet.http.HttpFilter.doFilter(HttpFilter.java:53)
at com.atlassian.crowd.filter.ServiceAccountAuthContextInjectorFilter.doFilter(ServiceAccountAuthContextInjectorFilter.java:32)
at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:69)
at com.atlassian.oauth2.provider.core.web.AccessTokenFilter.doFilter(AccessTokenFilter.java:97)
at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
at com.atlassian.plugins.authentication.sso.web.filter.loginform.DisableNativeLoginAuthFilter.doFilterInternal(DisableNativeLoginAuthFilter.java:73)
at com.atlassian.plugins.authentication.sso.web.filter.AbstractJohnsonAwareFilter.doFilter(AbstractJohnsonAwareFilter.java:29)
at com.atlassian.plugins.authentication.basicauth.filter.DisableBasicAuthFilter.doFilter(DisableBasicAuthFilter.java:82)
at com.atlassian.jwt.internal.servlet.JwtAuthFilter.doFilter(JwtAuthFilter.java:40)
at com.atlassian.analytics.client.filter.DefaultAnalyticsFilter.doFilter(DefaultAnalyticsFilter.java:30)
at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31)
at com.atlassian.troubleshooting.thready.filter.AbstractThreadNamingFilter.doFilter(AbstractThreadNamingFilter.java:46)
at com.atlassian.stash.internal.spring.lifecycle.LifecycleJohnsonServletFilterModuleContainerFilter.doFilter(LifecycleJohnsonServletFilterModuleContainerFilter.java:42)
at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doBeforeBeforeLoginFilters(BeforeLoginPluginAuthenticationFilter.java:90)
at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:73)
at com.atlassian.stash.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:85)
at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38)
at java.base/java.lang.Thread.run(Thread.java:1583)
... 245 frames trimmed
Caused by: java.lang.ClassCastException: class org.glowroot.agent.plugin.jakartaservlet.bclglowrootbcl.ServletMessageSupplier cannot be cast to class org.glowroot.agent.plugin.servlet.bclglowrootbcl.ServletMessageSupplier (org.glowroot.agent.plugin.jakartaservlet.bclglowrootbcl.ServletMessageSupplier and org.glowroot.agent.plugin.servlet.bclglowrootbcl.ServletMessageSupplier are in unnamed module of loader 'bootstrap')
at org.glowroot.agent.plugin.servlet.RequestParameterAspect$GetParameterAdvice_.onReturn(RequestParameterAspect.java:49)
at javax.servlet.ServletRequestWrapper.getParameterMap(ServletRequestWrapper.java:170)
at com.onelogin.saml2.servlet.ServletUtils.makeHttpRequest(ServletUtils.java:36)
at com.onelogin.saml2.Auth.processResponse(Auth.java:1201)
at com.atlassian.plugins.authentication.sso.web.saml.provider.impl.OneloginJavaSamlProvider.lambda$extractSamlResponse$1(OneloginJavaSamlProvider.java:128)
... 43 common frames omitted
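For triage, a rejected SAML login caused by this issue can be told apart from a genuinely invalid SAML response by the cause recorded on the SamlConsumerServlet WARN line. The following is an added example, not Atlassian's or glowroot's code: the function name, record fields and sample entries are constructed, and the regular expressions assume the log line layout quoted above.

```python
import re

# Entry header as in the log lines quoted above: timestamp, level, [thread],
# *request-id, client IPs, "METHOD path PROTO", logger, message.
ENTRY = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) +'
    r'\[[^\]]+\] \*(?P<req>\S+) \S+ "[A-Z]+ (?P<path>\S+) [^"]*" \S+ (?P<msg>.*)$'
)
# The two same-named glowroot classes named in this issue's ClassCastException.
CAST = re.compile(
    r'ClassCastException: class (org\.glowroot\.agent\.plugin\.\S+ServletMessageSupplier)'
    r' cannot be cast to class (org\.glowroot\.agent\.plugin\.\S+ServletMessageSupplier)'
)

def classify_saml_failures(lines):
    """One record per rejected SAML response (WARN entries only, so the
    ERROR entry logged for the same request is not counted twice)."""
    records = []
    for line in lines:
        m = ENTRY.match(line)
        if not m or m['level'] != 'WARN':
            continue
        if not m['path'].endswith('/samlconsumer') or 'InvalidSamlResponse' not in m['msg']:
            continue
        cast = CAST.search(m['msg'])
        records.append({
            'time': m['ts'],
            'request': m['req'],
            'cause': 'glowroot-instrumentation' if cast else 'other',
            'classes': cast.groups() if cast else (),
        })
    return records

# Constructed sample entries in the page's log format (request IDs, IPs and the
# second failure message are made up; class names are the ones from the issue).
_HDR = ' [http-nio-7990-exec-1] *{} 192.0.2.10 "POST /plugins/servlet/samlconsumer HTTP/1.1" '
_CCE = ('java.lang.ClassCastException: class '
        'org.glowroot.agent.plugin.jakartaservlet.bclglowrootbcl.ServletMessageSupplier '
        'cannot be cast to class '
        'org.glowroot.agent.plugin.servlet.bclglowrootbcl.ServletMessageSupplier')
_SAML = 'c.a.p.a.s.w.saml.SamlConsumerServlet Received an invalid SamlResponse: '
SAMPLE = [
    '2025-06-19 06:50:55,265 WARN' + _HDR.format('REQ1') + _SAML + 'InvalidSamlResponse: ' + _CCE,
    '2025-06-19 06:50:55,265 ERROR' + _HDR.format('REQ1') +
    'c.a.p.a.s.w.f.ErrorHandlingFilter [UUID: constructed] ' + _CCE,
    '2025-06-19 07:02:11,004 WARN' + _HDR.format('REQ2') + _SAML +
    'InvalidSamlResponse: constructed other cause',
]
```

Entries classified as `other` still need the usual review as failed authentication attempts; only the `glowroot-instrumentation` ones match this bug.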
Workaround
There is no known workaround. Customers must either disable SAML/SSO or stop monitoring using glowroot.