Bitbucket locks a user account when concurrent requests occur during a time when the database pool is exhausted and it cannot establish a connection to the database.


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Medium
    • Affects Version/s: 8.19.0
    • Component/s: Authentication
    • Severity 3 - Minor

      Issue Summary

      Bitbucket locks a user account when concurrent requests arrive while the database pool is exhausted (due to a different issue) and it cannot establish a new connection to the database.

      Steps to Reproduce

      1. Install Bitbucket 8.19.14 or any other version.
      2. Simulate a scenario where the DB pool is exhausted.
      3. Execute a curl command with any REST API or perform Git operations using the username and personal access token as the password in basic auth.

      Expected Results

      Bitbucket should not send requests to AD when the password is a token.

      Actual Results

      When the database pool is exhausted and an API or Git operation uses a PAT (Personal Access Token) as the password (in basic auth), these requests are routed to the external directory after failing to get a database connection. Since the token isn't a valid password in Active Directory (AD), AD rejects it with an "invalid credentials" error, and repeated attempts can lock the user out of AD.
      If the CAPTCHA count set in Bitbucket is low, the account gets locked in Bitbucket. However, if the CAPTCHA count is higher in Bitbucket but lower in AD, the account gets locked in AD.

      It's important to note that the core issue is the exhaustion of the database pool, which prevents Bitbucket from making the proper decision.

      2025-11-27 06:39:52,748 WARN  [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.s.i.a.DefaultAuthenticationService user1: Authenticator 'com.atlassian.bitbucket.server.bitbucket-access-tokens:accessTokenHttpAuthHandler' threw an exception
      org.hibernate.exception.JDBCConnectionException: could not prepare statement
              at org.hibernate.exception.internal.SQLExceptionTypeDelegate.convert(SQLExceptionTypeDelegate.java:48)
              at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:37)
      .
      .
      .
              at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38)
              at java.base/java.lang.Thread.run(Thread.java:840)
              ... 218 frames trimmed
      Caused by: java.sql.SQLTransientConnectionException: bitbucket - Connection is not available, request timed out after 15001ms.
              at com.zaxxer.hikari.pool.HikariPool.createTimeoutException(HikariPool.java:696)
              at com.zaxxer.hikari.pool.HikariPool.getConnection(HikariPool.java:197)
              at com.zaxxer.hikari.pool.HikariPool.getConnection(HikariPool.java:162)
              at com.zaxxer.hikari.HikariDataSource.getConnection(HikariDataSource.java:100)
              at com.atlassian.stash.internal.hikari.ExtendedHikariDataSource.getConnection(ExtendedHikariDataSource.java:125)
              at org.springframework.jdbc.datasource.LazyConnectionDataSourceProxy$LazyConnectionInvocationHandler.getTargetConnection(LazyConnectionDataSourceProxy.java:405)
              at org.springframework.jdbc.datasource.LazyConnectionDataSourceProxy$LazyConnectionInvocationHandler.invoke(LazyConnectionDataSourceProxy.java:378)
              at jdk.proxy2/jdk.proxy2.$Proxy120.prepareStatement(Unknown Source)
              at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$5.doPrepare(StatementPreparerImpl.java:149)
              at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:176)
              ... 96 common frames omitted
      2025-11-27 06:39:52,737 WARN  [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" o.h.e.jdbc.spi.SqlExceptionHelper SQL Error: 0, SQLState: null
      2025-11-27 06:39:52,737 ERROR [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" o.h.e.jdbc.spi.SqlExceptionHelper bitbucket - Connection is not available, request timed out after 15001ms.
      2025-11-27 06:39:52,748 WARN  [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.s.i.a.DefaultAuthenticationService user1: Authenticator 'com.atlassian.bitbucket.server.bitbucket-access-tokens:accessTokenHttpAuthHandler' threw an exception
      2025-11-27 06:39:52,754 DEBUG [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.c.m.a.ApplicationServiceGeneric Trying to authenticate user 'user1' in directory 'LDAP server (32770)' for application 'crowd-embedded'
      2025-11-27 06:39:52,764 DEBUG [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.c.directory.SpringLDAPConnector Performing user search: baseDN = dc=example,dc=org - filter = (&(objectclass=inetorgperson)(uid=user1)) in directory 32770
      2025-11-27 06:39:52,767 DEBUG [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.c.d.l.monitoring.TimedSupplier Execute operation search using searchexecutor baseDN: dc=example,dc=org, filter: (&(objectclass=inetorgperson)(uid=user1))
      2025-11-27 06:39:52,786 DEBUG [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.c.d.l.m.ExecutionInfoNameClassPairCallbackHandler The operation returned 1 results
      2025-11-27 06:39:52,786 DEBUG [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.c.d.l.monitoring.TimedSupplier Timed call for search using searchexecutor baseDN: dc=example,dc=org, filter: (&(objectclass=inetorgperson)(uid=user1)) took 19ms
      2025-11-27 06:39:52,787 DEBUG [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.c.directory.SpringLDAPConnector Authenticating user 'user1' with DN 'cn=user1,ou=users,dc=example,dc=org' in directory 32770
      2025-11-27 06:39:52,832 INFO  [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.c.m.a.ApplicationServiceGeneric Invalid credentials for user 'user1' in directory 'LDAP server (32770)', aborting
      2025-11-27 06:39:52,838 DEBUG [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.c.m.a.ApplicationServiceGeneric Storing user attributes for user 'user1' and application 'crowd-embedded'
      2025-11-27 06:39:52,853 DEBUG [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.s.i.auth.DefaultCaptchaService user1: Updated failed authentication attempts from 4 to 5. A CAPTCHA is required
      2025-11-27 06:39:52,854 DEBUG [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.s.i.a.DefaultAuthenticationService user1: Authenticator 'com.atlassian.bitbucket.server.bitbucket-authentication:crowdHttpAuthHandler' rejected the authentication attempt
      2025-11-27 06:39:52,854 DEBUG [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.s.i.s.s.PluginAuthenticationProvider user1: Authentication failed; CAPTCHA required
      2025-11-27 06:39:52,860 DEBUG [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.s.i.a.PluginHttpAuthenticationFailureHandler onAuthenticationFailure - delegating to com.atlassian.stash.internal.auth.RememberMeAuthenticationFailureHandler
      2025-11-27 06:39:52,861 DEBUG [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.s.i.a.PluginHttpAuthenticationFailureHandler onAuthenticationFailure - delegating to com.atlassian.stash.internal.rest.auth.RestAuthenticationFailureHandler
      2025-11-27 06:39:52,870 DEBUG [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.s.i.a.PluginHttpAuthenticationFailureHandler onAuthenticationFailure - com.atlassian.stash.internal.rest.auth.RestAuthenticationFailureHandler handled authentication failure 
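      As an added example (not part of this issue or of Bitbucket), a small log check that flags requests showing the fall-through described above: the access-token authenticator threw on a database error, and the same request then went on to a rejected directory bind for that user. A plain failed password (directory rejection with no preceding token-handler exception) is deliberately not flagged. The sample log is constructed, abbreviated from the excerpt above.

```python
import re
from collections import defaultdict

# Constructed sample, abbreviated from the log excerpt in this issue; the user2 line
# is a plain bad password with no database error and must not be flagged.
SAMPLE_LOG = """\
2025-11-27 06:39:52,748 WARN  [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.s.i.a.DefaultAuthenticationService user1: Authenticator 'com.atlassian.bitbucket.server.bitbucket-access-tokens:accessTokenHttpAuthHandler' threw an exception
org.hibernate.exception.JDBCConnectionException: could not prepare statement
Caused by: java.sql.SQLTransientConnectionException: bitbucket - Connection is not available, request timed out after 15001ms.
2025-11-27 06:39:52,754 DEBUG [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.c.m.a.ApplicationServiceGeneric Trying to authenticate user 'user1' in directory 'LDAP server (32770)' for application 'crowd-embedded'
2025-11-27 06:39:52,832 INFO  [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.c.m.a.ApplicationServiceGeneric Invalid credentials for user 'user1' in directory 'LDAP server (32770)', aborting
2025-11-27 06:39:52,853 DEBUG [http-nio-7990-exec-386] @XELZQ2x399x29471x79 10.255.11.7,10.255.11.6 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.s.i.auth.DefaultCaptchaService user1: Updated failed authentication attempts from 4 to 5. A CAPTCHA is required
2025-11-27 06:40:01,101 INFO  [http-nio-7990-exec-12] @XELZQ2x399x29500x80 10.255.11.9 "GET /rest/api/latest/projects/pro1/repos/repo5/branches HTTP/1.1" c.a.c.m.a.ApplicationServiceGeneric Invalid credentials for user 'user2' in directory 'LDAP server (32770)', aborting
"""

# One Bitbucket access-log line: timestamp, level, thread, @request-id, client IPs, request, logger, message.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<level>[A-Z]+)\s+\[(?P<thread>[^\]]+)\] @(?P<req>\S+) '
    r'(?P<ips>\S+) "(?P<http>[^"]*)" (?P<logger>\S+) (?P<msg>.*)$')
TOKEN_EXC_RE = re.compile(r"^(?P<user>\S+): Authenticator '.*accessTokenHttpAuthHandler' threw an exception$")
LDAP_REJECT_RE = re.compile(r"^Invalid credentials for user '(?P<user>[^']+)' in directory '(?P<dir>[^']+)'")
ATTEMPTS_RE = re.compile(r"^(?P<user>\S+): Updated failed authentication attempts from \d+ to (?P<n>\d+)")


def find_token_fallthroughs(log_text):
    """Return one finding per request id in which the access-token authenticator threw
    and the request then reached an external directory that rejected the credentials."""
    by_req = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace and 'Caused by' lines carry no request id
        rec, msg = by_req[m['req']], m['msg']
        if t := TOKEN_EXC_RE.match(msg):
            rec['user'], rec['at'] = t['user'], m['ts']
        elif r := LDAP_REJECT_RE.match(msg):
            rec['directory'] = r['dir']
        elif a := ATTEMPTS_RE.match(msg):
            rec['failed_attempts'] = int(a['n'])  # counter that drives the CAPTCHA lock
    return [{'request': req, **rec} for req, rec in by_req.items()
            if 'at' in rec and 'directory' in rec]


if __name__ == '__main__':
    for f in find_token_fallthroughs(SAMPLE_LOG):
        print(f"{f['at']} request {f['request']}: token auth for {f['user']} failed on DB error, "
              f"then fell through to '{f['directory']}'; failed attempts now {f.get('failed_attempts')}")
```

      Run it over a live Bitbucket log during a pool-exhaustion incident to see which users are accumulating directory failures they never caused, and to decide whether to pause affected CI jobs before the directory lockout threshold is reached.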

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.

      Assignee: Unassigned
      Reporter: Aman Shrivastava
      Votes: 0
      Watchers: 2