Details
- Bug
- Resolution: Unresolved
- Low
- None
- 7.13.2, 7.16.2, 7.17.1
- None
- 2
- Severity 3 - Minor
- 1
Description
Issue Summary
When Jira and Confluence are connected through an application link with impersonation, rendering a Jira Issues Macro (JIM) may fail if the Confluence user has an account on Jira without any application access and Jira Service Management is installed.
Instead of showing a friendly message saying the user may not have access to the issue, JIM renders the following error message:
java.io.IOException: Error on line 12: The entity name must immediately follow the '&' in the entity reference.
Steps to Reproduce
- Install a vanilla instance of Confluence.
  - This was validated on Confluence versions 7.17.1, 7.16.1, 7.13.2.
- Install a vanilla instance of Jira Software.
  - This was validated on Jira version 8.22.2.
- Create an application link with impersonation enabled.
- On Jira, create a sample software project and an issue in this project.
- Create the same user on both Jira and Confluence.
- On Confluence, create a sample page and add a Jira issue macro (JIM).
- Authenticate to Confluence as the regular user and access the page with JIM.
- On Jira, remove JSW access from the regular user.
- On Confluence, access the page with JIM and note the macro renders a meaningful message.
- On Jira, install Jira Service Management (JSM).
- On Confluence, try to load the same page with JIM.
Expected Results
The macro renders the same problem authenticating message.
Actual Results
The macro renders an exception that isn't meaningful to the user.
java.io.IOException: Error on line 12: The entity name must immediately follow the '&' in the entity reference.
A similar error appears in the Confluence application logs.
2022-05-03 15:50:58,980 ERROR [JIM Marshaller:thread-9] [extra.jira.request.JiraChannelResponseHandler] getChannelElement Error while trying to assemble the issues returned in XML format: Error on line 12: The entity name must immediately follow the '&' in the entity reference. -- url: /c7161/pages/viewpage.action | page: 983043 | traceId: e50779fe8e749f68 | userName: user007 | referer: http://localhost:27161/c7161/dologin.action | action: viewpage
Additional notes
- If the application link is configured without impersonation, then the error won't happen even if the user authenticates on Jira (as a customer).
- If the user on Confluence doesn't have an account on Jira, then JIM renders a more friendly message: Jira issue doesn't exist or you don't have permission to view it.
- The issue happens because Jira redirects the request from Confluence to the customer portal and Confluence is following that redirect. If Jira is redirecting a request to the customer portal, then JIM code (on Confluence) should consider it a permission error and show a message about permissions instead of following the redirect.
127.0.0.1 1222x1946x1 user001 [26/Apr/2022:20:22:26 -0300] "DELETE /j8206/rest/api/latest/issue/ITSM-3/remotelink?globalId=appId%3D1c5c20d4-eea5-3d8c-a996-32b9ac0e3584%26pageId%3D360470&xoauth_requestor_id=user001 HTTP/1.1" 302 - 80 "-" "Apache-HttpClient/4.5.13 (Java/1.8.0_312)" "ynm1k4"
127.0.0.1 1222x1947x1 - [26/Apr/2022:20:22:26 -0300] "DELETE /j8206/servicedesk/customer/portals- HTTP/1.1" 401 24 3 "-" "Apache-HttpClient/4.5.13 (Java/1.8.0_312)" "-"
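A log check for the redirect pattern described in the last note, added here as an example (it is not Atlassian's code): it scans Jira access-log entries for an impersonated application-link request (one carrying xoauth_requestor_id) that was answered with a 3xx and then replayed against the customer portal. The function names, the pairing by client IP and HTTP method, and the last three sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Field layout taken from the two Jira access-log entries quoted on this page.
ENTRY = re.compile(
    r'^(?P<ip>\S+) (?P<req_id>\S+) (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
PORTAL = "/servicedesk/customer/"  # customer-portal path seen in the page's log

# Entries 1-2 are the ones from the page; entries 3-5 are constructed controls.
SAMPLE_LOG = [
    '127.0.0.1 1222x1946x1 user001 [26/Apr/2022:20:22:26 -0300] "DELETE /j8206/rest/api/latest/issue/ITSM-3/remotelink?globalId=appId%3D1c5c20d4-eea5-3d8c-a996-32b9ac0e3584%26pageId%3D360470&xoauth_requestor_id=user001 HTTP/1.1" 302 - 80 "-" "Apache-HttpClient/4.5.13 (Java/1.8.0_312)" "ynm1k4"',
    '127.0.0.1 1222x1947x1 - [26/Apr/2022:20:22:26 -0300] "DELETE /j8206/servicedesk/customer/portals- HTTP/1.1" 401 24 3 "-" "Apache-HttpClient/4.5.13 (Java/1.8.0_312)" "-"',
    '127.0.0.1 1223x1950x1 user002 [26/Apr/2022:20:23:10 -0300] "GET /j8206/rest/api/latest/issue/ITSM-3?xoauth_requestor_id=user002 HTTP/1.1" 200 512 40 "-" "Apache-HttpClient/4.5.13 (Java/1.8.0_312)" "abc123"',
    '127.0.0.1 1224x1951x1 - [26/Apr/2022:20:24:02 -0300] "GET /j8206/secure/Dashboard.jspa HTTP/1.1" 302 - 5 "-" "Mozilla/5.0" "-"',
    '127.0.0.1 1224x1952x1 - [26/Apr/2022:20:24:02 -0300] "GET /j8206/servicedesk/customer/portals HTTP/1.1" 200 900 12 "-" "Mozilla/5.0" "-"',
]

def parse_entry(line):
    """Parse one access-log line; return None if it does not match the layout."""
    m = ENTRY.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["url"])
    entry["path"] = parts.path
    # xoauth_requestor_id names the user the application link impersonates.
    entry["requestor"] = parse_qs(parts.query).get("xoauth_requestor_id", [None])[0]
    entry["status"] = int(entry["status"])
    return entry

def find_portal_redirects(lines):
    """Return (requestor, method, original path, portal status) for each
    impersonated request that got a 3xx and was then sent to the portal."""
    pending, hits = {}, []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        key = (entry["ip"], entry["method"])  # assumption: redirect keeps the method
        first = pending.pop(key, None)
        if first and PORTAL in entry["path"]:
            hits.append((first["requestor"], first["method"],
                         first["path"], entry["status"]))
        elif entry["requestor"] and 300 <= entry["status"] < 400:
            pending[key] = entry
    return hits

if __name__ == "__main__":
    for hit in find_portal_redirects(SAMPLE_LOG):
        print("impersonated request redirected to customer portal:", hit)
```

Each hit names a user whose impersonated request Jira redirected instead of rejecting, which is the case where JIM shows the XML parsing error rather than a permission message.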
Workaround
Configure the application link without impersonation.