Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 5.5.1
Affects Version/s: 5.4.3
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

Description

The new implementation of the trusted apps library (since Confluence 5.4.3) seems to have introduced a new and rather strange issue: trusted tokens being already invalid when the TrustedApplicationFilterAuthenticator tries to verify them.

I believe this happens when Confluence has been running for some time, as restarting seems to resolve it at least for some time.

I've run into this on a local instance and debugged into the code a bit. I found that the new code for encoding the tokens was rather slow (like several 100ms).
In particular the DefaultCurrentApplication.encode(username, url) method was slow. This was with protocol version 2 code path.

This is a typical example from our logs:

2014-03-19 15:15:48,754 DEBUG [pool-39-thread-1] [core.renderer.impl.ImageTextRenderer] exportImage Downloading image from source: /confluence/download/attachments/7767494/Adding_pagekey.001.png?version=1&modificationDate=1394805389217&api=v2
2014-03-19 15:15:51,523 WARN [pool-39-thread-1] [scroll.confluence.io.HttpMethodWrapper] makeTrustedMethod Trusted method generation took 2768ms for address: http://[0:0:0:0:0:0:0:1]:1990/confluence/download/attachments/7767494/Adding_pagekey.001.png?version=1&modificationDate=1394805389217&api=v2
 -- scrollExportCurrentPage: Adding a Page Key | referer: http://localhost:1990/confluence/display/VSN10/Adding+a+Page+Key | url: /confluence/rest/scroll-html/1.0/export | userName: admin
2014-03-19 15:15:51,524 DEBUG [pool-39-thread-1] [scroll.core.io.Resource] getContentAsStream Loading resource from http://[0:0:0:0:0:0:0:1]:1990/confluence/download/attachments/7767494/Adding_pagekey.001.png?version=1&modificationDate=1394805389217&api=v2
2014-03-19 15:15:51,549 WARN [http-1990-20] [auth.trustedapps.filter.TrustedApplicationFilterAuthenticator] authenticate Failed to login trusted application: confluence:11591817 due to: com.atlassian.security.auth.trustedapps.CertificateTooOldException: Certificate too old. Application: confluence:11591817 Certificate Created: Wed Mar 19 15:15:50 CET 2014 Timeout: 1000
2014-03-19 15:15:51,552 WARN [pool-39-thread-1] [scroll.core.io.Resource] getContentAsStream TrustedApplicationsFilter could not authenticate request 'http://[0:0:0:0:0:0:0:1]:1990/confluence/download/attachments/7767494/Adding_pagekey.001.png?version=1&modificationDate=1394805389217&api=v2'.

As you can see almost 3 seconds passed between the very first DEBUG and the first WARN lines. We then immediately do the HTTP call, and the TrustedApplicationFilterAuthenticator handled the request only 25ms later.
However since trustedTokenAuthenticator.makeMethod() took so long, the token has already expired (second WARN). And finally our exporter wasn't able to download the image (last WARN).

This is how we create the method:

TrustedTokenAuthenticator trustedTokenAuthenticator = new TrustedTokenAuthenticator(this.trustedTokenFactory);
long before = System.currentTimeMillis();
method = trustedTokenAuthenticator.makeMethod(httpClient, href);
long duration = System.currentTimeMillis() - before;
if (duration > 100) {
    logger.warn("Trusted method generation took " + duration + "ms for address: " + href);
}

Attachments

Issue Links

relates to

CONFSERVER-33456 Heavy use of Trusted Apps appears to be causing Confluence to slow down

Closed

is blocked by: TRUST-43 Loading...

mentioned in: Page Loading...; Page Loading...

Activity

People

Assignee:: Giang Vo

Reporter:: Jens Rutschmann [K15t]

Votes:: 6 Vote for this issue

Watchers:: 13 Start watching this issue

Dates

Created:: 26/Mar/2014 10:53 AM

Updated:: 11/Oct/2018 9:02 AM

Resolved:: 07/May/2014 9:47 AM