Custom Application Link Configuration not working due to XSRF Security Token Missing message

      Problem

      When attempting to configure an Application Link to a non-Atlassian generic application:

      • An XSRF Security Token Missing warning prevents any authentication configuration changes from being saved

      Environment

      Reproduced in a local environment using:

      • Confluence Server version 7.8.3
        The following binaries were also tested:
        atlassian-confluence-7.11.2-x64.bin / Fail
        atlassian-confluence-7.10.2-x64.bin / Fail
        atlassian-confluence-7.9.3-x64.bin / Fail
        atlassian-confluence-7.8.3-x64.bin / Fail
        atlassian-confluence-7.7.4-x64.bin / Fail
        atlassian-confluence-7.6.3-x64.bin / Fail
        atlassian-confluence-7.4.8-x64.bin / Fail
        atlassian-confluence-7.4.7-x64.bin / Fail
        atlassian-confluence-7.4.6-x64.bin / Fail
        atlassian-confluence-7.4.3-x64.bin / Success
        atlassian-confluence-7.4.1-x64.bin / Success

      Steps to Reproduce

      • Create a new application link - we used https://www.thisisanapplicationlinktest.com just for testing
      • Proceed with the creation and then Edit the new entry
      • Try to save changes in either the menu for outgoing authentication or incoming authentication

      Expected Results

      • We expect to be able to save the changes against the application link
      • We expect to see the template correctly rendered

      Actual Results

      • Instead, we receive an XSRF Security Token Missing warning message
      • The template for these menus is not properly rendered
      • A stack trace appears in the application logs. The full stack trace captured during the bug reproduction is in the attachments below.

      Workaround

      To edit OAuth configurations:

      • Delete the applink you would like to edit
      • Re-create the applink
      • On the `Configure Application URL` dialog, fill out the whole form, don't check the `Use this URL` checkbox, and continue
      • On the `Link Application` dialog, fill out the whole form, check `create incoming link`, and continue
      • Fill out the final form and submit

      Notes

      A recording is attached to illustrate the issue: XSRF Security Token Missing - Application Links.mp4

            [CONFSERVER-65064] Custom Application Link Configuration not working due to XSRF Security Token Missing message

            James Whitehead added a comment - A fix for this issue is available in Confluence Server and Data Center 7.17.0. Upgrade now or check out the Release Notes to see what other issues are resolved.

            Quan Pham added a comment - A fix for this issue is available to Server and Data Center customers in Confluence 7.16.1. Upgrade now or check out the Release Notes to see what other issues are resolved.

            Ganesh Gautam added a comment - Hi d015c682dc2c, This issue is also scheduled to be released on 7.16.1 and 7.17.0 if you can wait for the same. Thanks

            philippe.vialatte added a comment - @Quan Pham As noted in my comment, the version we get this issue in is 7.14.0, so moving to 7.13.4 would be a downgrade, not an upgrade

            Quan Pham added a comment - A fix for this issue is available to Server and Data Center customers in Confluence 7.13.4. Upgrade now or check out the Release Notes to see what other issues are resolved.

            philippe.vialatte added a comment - Hi. So, I just ran into the exact same issue in 7.14.0, but it seems the workaround mentioned above is not possible anymore (tried a few times, with all different options). Any idea on the root cause and how to make this work in 2022?

            Michael Kulas added a comment - Hi @Richard. Looks as if this issue is the last one blocking the 7.4.10 release. We're on the long term support version and need the release ASAP because a security audit reveals the known Apache Tomcat vulnerabilities. Updating Tomcat only is possible but would not be supported by Atlassian. Can you please let us know when the release is available?

            Jae-Kou Lee added a comment - Hello, Hronik. Can I know when the updated version will be released?

            Jiri Hronik added a comment - Please accept my apologies for incorrectly marking the patch for this issue available in 7.12.2. The patch will in fact ship in 7.12.3. I didn't update the version in time and it was accidentally picked up during the 7.12.2 release process yesterday.

            Patrick O'Brien added a comment - The workaround worked for me. However, it does not allow setting some of the values in the incoming auth such as Consumer Callback URL. Fortunately I don't require them. It also creates an outgoing auth which I don't require so I just filled it with dummy values.

              ggautam Ganesh Gautam
              41f41363dede YuGieom Kim