Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-100309

Authentication fails for users who are not part of an admin group if there is a group with Confluence Administrator and/or System Administrator Global Permissions that no longer exists in the instance.

      Summary

      Authentication fails for users who are not part of an admin group if there is a group with Confluence Administrator and/or System Administrator Global Permissions that no longer exists in the instance (scenario described on CONFSERVER-81515 and Deleted Groups shown as "Group not found" in Global Permissions and Space Permissions.

      Version info

      • Confluence 9.2.6 LTS

      Description

      Issue Summary

      Users can't authenticate if there is any deleted group with administrative rights at Global Permissions.

      Steps to Reproduce

      1. Deploy a Confluence 9.2.6.
      2. Configure SSO/SAML integration in Confluence (optional).
      3. Configure an external directory in Confluence and synchronize groups.
      4. Add such groups to Confluence's Global Permission and grant them admin permissions.
      5. Remove the external directory from Confluence.
      6. Reindex the instance and confirm that these groups will still be listed in the Global Permission menu with a Not found message below them.
      7. Try to authenticate with a user that is not a member of the confluence-administrator group.

      Expected Results

      Users not in an administrative group should be able to authenticate.

      Actual Results

      Users not in an administrative group are unable to authenticate. During user authorization, the following errors show up in the log files.

      2025-07-15 14:33:56,816 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
      ...
      2025-07-15 14:33:56,817 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n  ->[com.atlassian.confluence.security.DefaultPermissionManager.isSystemAdministrator]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly (Session #428955982) -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60de
      2025-07-15 14:33:56,819 ERROR [http-nio-8090-exec-3] [[Standalone].[localhost].[/].[default]] log Servlet.service() for servlet [default] in context with path [] threw exception
      2025-07-15 14:33:56,844 INFO [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] writeToLog \nRequest Unique ID : f47a9370-66fc-466c-b576-174f7fd899db\n--------------------------\nJVM Stats\n--------------------------\nxmx = 1073741824\nusedNonHeap = 553765912\navailableHeap = 191931960\navailableNonHeap = -1\nallocatedHeap = 1073741824\nfreeAllocatedHeap = 191931960\nmaxNonHeap = -1\navailablePermGen = 0\nmaxPermGen = -1\nmaxHeap = 1073741824\nusedHeap = 881809864\nusedPermGen = -1\nxms = 1073741824\n--------------------------\nRequest Information\n--------------------------\nURL: https://example.org/500page.jsp\nScheme: https\nServer: example.org\nPort: 443\nURI: /500page.jsp\nContext Path: \nServlet Path: /500page.jsp\nPath Info: null\nQuery String: _=1752604434491\n--------------------------\nAttributes\n--------------------------\njavax.servlet.forward.request_uri: /synchrony/heartbeat\njavax.servlet.forward.context_path: \njavax.servlet.forward.servlet_path: /synchrony/heartbeat\njavax.servlet.forward.query_string: _=1752604434491\njavax.servlet.forward.mapping: org.apache.catalina.core.ApplicationMapping$MappingImpl@5f718c27\norg.apache.catalina.AccessLog.RemoteAddr: 10.120.10.1\n__prepare_recursion_counter: 1\njavax.servlet.error.status_code: 500\nstruts.actionMapping: noActionMapping\nbrave.SpanCustomizer: SpanCustomizer(RealSpan(b7fcde203d7c60de/b7fcde203d7c60de))\norg.apache.struts2.dispatcher.filter.StrutsPrepareFilter.REQUEST_EXCLUDED_FROM_ACTION_MAPPING: false\ncom.opensymphony.sitemesh.APPLIED_ONCE: true\n__wrap_recursion_counter: 1\ncom.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter_already_filtered: true\natlassian.core.seraph.original.url: /500page.jsp?_=1752604434491\norg.apache.catalina.AccessLog.Protocol: HTTP/1.0\ncom.atlassian.gzipfilter.GzipFilter_already_filtered: true\n3af_annotated_permitted_checker: com.atlassian.confluence.impl.security.access.NoCheckAnnotatedPermitChecker@7927cfb2\ncom.atlassian.seraph.auth.LoginReason: OK\nsitemesh.secondaryStorageLimit: -1\norg.apache.catalina.AccessLog.ServerPort: 443\njavax.servlet.error.message: \njavax.servlet.error.servlet_name: default\norg.apache.tomcat.request.forwarded: true\nbrave.propagation.TraceContext: b7fcde203d7c60de/b7fcde203d7c60de\nbrave.servlet.TracingFilter$SendHandled: true\norg.apache.tomcat.remoteAddr: 10.120.10.1\nconfluence.secure.access.original.url: /synchrony/heartbeat?_=1752604434491\norg.apache.catalina.AccessLog.ServerName: example.org\nB3-TraceId: 3be2ae44984994\nloginfilter.already.filtered: true\njavax.servlet.error.request_uri: /synchrony/heartbeat\ncom.atlassian.core.filters.HeaderSanitisingFilter_already_filtered: true\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter: true\norg.apache.catalina.AccessLog.RemoteHost: 10.120.10.1\njavax.servlet.error.exception: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nos_securityfilter_already_filtered: true\ncom.atlassian.confluence.impl.sitemesh.DecoratorTimings: com.atlassian.confluence.impl.sitemesh.DecoratorTimings@57ad0745\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter: true\n--------------------------\nParameters\n--------------------------\n_ : 1752604434491\ncaused by: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nat org.springframework.transaction.support.AbstractPlatformTransactionManager.processRollback(AbstractPlatformTransactionManager.java:938)\n | traceId: b7fcde203d7c60de
      2025-07-15 14:33:56,845 ERROR [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] logException Unhandled exception, request unique ID: f47a9370-66fc-466c-b576-174f7fd899db -- traceId: b7fcde203d7c60deorg.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only...
      2025-07-15 14:33:56,856 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
      ...
      2025-07-15 14:33:56,878 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
      ...
      2025-07-15 14:33:56,880 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
      ...
      2025-07-15 14:33:56,883 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
      ...
      2025-07-15 14:33:56,900 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
      ...
      2025-07-15 14:33:56,903 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
      ...
      2025-07-15 14:33:56,907 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
      ...
      2025-07-15 14:33:56,913 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null
      ...
      2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n  ->[null]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #436763889) -- traceId: b7fcde203d7c60de
      2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.sitemesh.ConfluenceSitemeshDecorator] render TransactionException prevented transaction from committing whilst rendering the decorator, the cause is likely a previously logged exception: Transaction rolled back because it has been marked as rollback-only\nCause:  -- traceId: b7fcde203d7c60de 

      That's associated with the following situation on Global Permissions:

      Workaround

      Workaround 1: Remove all admin permissions for all 'not found' groups.

      Workaround 2: Use the web UI to remove the 'not found' group records from the Global Permissions menu.

      Workaround 3: Delete the faulty groups from the database:

      1. Stop your instance.
      2. Make a full database backup,
      3. On the database, run the following query to get the records for the deleted group:
        SELECTFROM spacepermissions 
        WHERE permgroupname not in (Select group_name from cwd_group); 
      4. Delete these records after verification:
        DELETE
        FROM spacepermissions
        WHERE permgroupname not in (Select group_name from cwd_group);
      5. Start your instance and check if the users can authenticate.

            [CONFSERVER-100309] Authentication fails for users who are not part of an admin group if there is a group with Confluence Administrator and/or System Administrator Global Permissions that no longer exists in the instance.

            No work has yet been logged on this issue.

              0d5f90a92d3b Aadil Akhtar
              8ccca53078e5 Marcelo da Costa
              Affected customers:
              2 This affects my team
              Watchers:
              11 Start watching this issue

                Created:
                Updated: