Details
-
Bug
-
Resolution: Fixed
-
Medium
-
5.4.3
-
None
Description
The new implementation of the trusted apps library (since Confluence 5.4.3) seems to have introduced a new and rather strange issue: trusted tokens being already invalid when the TrustedApplicationFilterAuthenticator tries to verify them.
I believe this happens when Confluence has been running for some time, as restarting seems to resolve it at least for some time.
I've run into this on a local instance and debugged into the code a bit. I found that the new code for encoding the tokens was rather slow (like several 100ms).
In particular the DefaultCurrentApplication.encode(username, url) method was slow. This was with protocol version 2 code path.
This is a typical example from our logs:
2014-03-19 15:15:48,754 DEBUG [pool-39-thread-1] [core.renderer.impl.ImageTextRenderer] exportImage Downloading image from source: /confluence/download/attachments/7767494/Adding_pagekey.001.png?version=1&modificationDate=1394805389217&api=v2 2014-03-19 15:15:51,523 WARN [pool-39-thread-1] [scroll.confluence.io.HttpMethodWrapper] makeTrustedMethod Trusted method generation took 2768ms for address: http://[0:0:0:0:0:0:0:1]:1990/confluence/download/attachments/7767494/Adding_pagekey.001.png?version=1&modificationDate=1394805389217&api=v2 -- scrollExportCurrentPage: Adding a Page Key | referer: http://localhost:1990/confluence/display/VSN10/Adding+a+Page+Key | url: /confluence/rest/scroll-html/1.0/export | userName: admin 2014-03-19 15:15:51,524 DEBUG [pool-39-thread-1] [scroll.core.io.Resource] getContentAsStream Loading resource from http://[0:0:0:0:0:0:0:1]:1990/confluence/download/attachments/7767494/Adding_pagekey.001.png?version=1&modificationDate=1394805389217&api=v2 2014-03-19 15:15:51,549 WARN [http-1990-20] [auth.trustedapps.filter.TrustedApplicationFilterAuthenticator] authenticate Failed to login trusted application: confluence:11591817 due to: com.atlassian.security.auth.trustedapps.CertificateTooOldException: Certificate too old. Application: confluence:11591817 Certificate Created: Wed Mar 19 15:15:50 CET 2014 Timeout: 1000 2014-03-19 15:15:51,552 WARN [pool-39-thread-1] [scroll.core.io.Resource] getContentAsStream TrustedApplicationsFilter could not authenticate request 'http://[0:0:0:0:0:0:0:1]:1990/confluence/download/attachments/7767494/Adding_pagekey.001.png?version=1&modificationDate=1394805389217&api=v2'.
As you can see almost 3 seconds passed between the very first DEBUG and the first WARN lines. We then immediately do the HTTP call, and the TrustedApplicationFilterAuthenticator handled the request only 25ms later.
However since trustedTokenAuthenticator.makeMethod() took so long, the token has already expired (second WARN). And finally our exporter wasn't able to download the image (last WARN).
This is how we create the method:
TrustedTokenAuthenticator trustedTokenAuthenticator = new TrustedTokenAuthenticator(this.trustedTokenFactory); long before = System.currentTimeMillis(); method = trustedTokenAuthenticator.makeMethod(httpClient, href); long duration = System.currentTimeMillis() - before; if (duration > 100) { logger.warn("Trusted method generation took " + duration + "ms for address: " + href); }
Attachments
Issue Links
- relates to
-
CONFSERVER-33456 Heavy use of Trusted Apps appears to be causing Confluence to slow down
- Closed
- is blocked by
-
TRUST-43 Loading...