Uploaded image for project: 'Crowd Data Center'
  1. Crowd Data Center
  2. CWD-3838

SOAP API requires un-encrypted password credential in Crowd 2.7.1

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Medium Medium
    • 2.7.2
    • 2.7.1
    • SOAP
    • None

      For about four years we have been running a script to keep our Crowd groups memberships and user attributes in sync with our LDAP directory. We discovered after upgrading Crowd on our dev and test apps that our script no longer works. We have narrowed the problem down to (at a minimum) the inability to authenticate. Here are two Python examples that illustrate the behavior.

      Using Crowd 2.7.0:

      ActivePython 2.6.5.14 (ActiveState Software Inc.) based on
Python 2.6.5 (r265:79063, Jul  4 2010, 21:05:58) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import suds.client
>>> url_wsdl_prd_fixed = "file:///D:/dryan/SE/SS/Crowd/2.7.1/crowd_ssi-crowd-prd_2.7.0_fixed.wsdl.xml"
>>> c = suds.client.Client(url_wsdl_prd_fixed)
>>> auth_context = c.factory.create("ns1:ApplicationAuthenticationContext")
>>> auth_context.name = "ssp-sso-apps-prd"
>>> auth_context.credential.credential = "<password>"
>>> token = c.service.authenticateApplication(auth_context)
>>> token
(AuthenticatedToken){
   name = "ssp-sso-apps-prd"
   token = "BQw0rYa0zhf0j0ttVOnyWA00"
 }

      Using Crowd 2.7.1:

      ActivePython 2.6.5.14 (ActiveState Software Inc.) based on
Python 2.6.5 (r265:79063, Jul  4 2010, 21:05:58) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import suds.client
>>> url_wsdl_tst_fixed = "file:///D:/dryan/SE/SS/Crowd/2.7.1/crowd_ssi-crowd-tst_2.7.0_fixed.wsdl.xml"
>>> c = suds.client.Client(url_wsdl_tst_fixed)
>>> auth_context = c.factory.create("ns1:ApplicationAuthenticationContext")
>>> auth_context.name = "ssp-sso-apps-tst"
>>> auth_context.credential.credential = "<password>"
>>> token = c.service.authenticateApplication(auth_context)
No handlers could be found for logger "suds.client"
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\Applications\Python26\lib\site-packages\suds-0.3.9-py2.6.egg\suds\client.py", line 539, in __call__
    return client.invoke(args, kwargs)
  File "C:\Applications\Python26\lib\site-packages\suds-0.3.9-py2.6.egg\suds\client.py", line 598, in invoke
    result = self.send(msg)
  File "C:\Applications\Python26\lib\site-packages\suds-0.3.9-py2.6.egg\suds\client.py", line 633, in send
    result = self.failed(binding, e)
  File "C:\Applications\Python26\lib\site-packages\suds-0.3.9-py2.6.egg\suds\client.py", line 684, in failed
    r, p = binding.get_fault(reply)
  File "C:\Applications\Python26\lib\site-packages\suds-0.3.9-py2.6.egg\suds\bindings\binding.py", line 238, in get_fault
    raise WebFault(p, faultroot)
suds.WebFault: Server raised fault: 'Couldn't set property {http://authentication.integration.crowd.atlassian.com}credential on com.atlassian.crowd.integration.authentication.Appli
cationAuthenticationContext@2cf8aa09[name=<null>,credential=<null>,validationFactors=<null>]. null'

      We tried taking a fresh 2.7.1 WSDL from http://ssi-crowd-tst.ptcnet.ptc.com:8095/crowd/services/SecurityServer?wsdl and applying the fixes referenced in https://jira.atlassian.com/browse/CWD-159 but no luck.

      Before we invest in a development effort to use Crowd's newer REST API instead of the SOAP API, we wanted to see if either this a truly a bug in the new Crowd version or whether there is some change we could make on our side to get our script to work.

      Thanks,
      SSI Team

        1. crowd-2.7.1-wsdl-fixed.wsd
          125 kB
        2. cwd-3838-test.py
          1 kB

          Form Name

            [CWD-3838] SOAP API requires un-encrypted password credential in Crowd 2.7.1

            Caspar Krieger (Inactive) added a comment -

            mattb, we will release Crowd 2.7.2 soon which will make any workaround in the 1.x branch of the Crowd Apache connector unnecessary.

            Caspar Krieger (Inactive) added a comment - mattb , we will release Crowd 2.7.2 soon which will make any workaround in the 1.x branch of the Crowd Apache connector unnecessary.

            Matt Brown added a comment -

            How does one modify the SOAP call when using the Apache connector and mod_perl? Is it a change to one of the Crowd Apache Connector pm files?

            Matt Brown added a comment - How does one modify the SOAP call when using the Apache connector and mod_perl? Is it a change to one of the Crowd Apache Connector pm files?

            Caspar Krieger (Inactive) added a comment - - edited

            This has been fixed in Crowd 2.7.2 so that SOAP clients will no longer need to specify <encryptedCredential>false</encryptedCredential> when making a request with an AuthenticationContext; encryptedCredential will default to false when it isn't specified in a request.

            Under the covers, we've changed the (deprecated for 6 years) SOAP-specific PasswordCredential default constructor to default to a non-encrypted password, so that when XFire Aegis creates a PasswordCredential instance using it, doesn't set whether the PasswordCredential is encrypted, and then puts it into an AuthenticationContext, then no exception will be thrown.

            Caspar Krieger (Inactive) added a comment - - edited This has been fixed in Crowd 2.7.2 so that SOAP clients will no longer need to specify <encryptedCredential>false</encryptedCredential> when making a request with an AuthenticationContext ; encryptedCredential will default to false when it isn't specified in a request. Under the covers, we've changed the (deprecated for 6 years) SOAP-specific PasswordCredential default constructor to default to a non-encrypted password, so that when XFire Aegis creates a PasswordCredential instance using it, doesn't set whether the PasswordCredential is encrypted, and then puts it into an AuthenticationContext , then no exception will be thrown.

            Caspar Krieger (Inactive) added a comment -

            web.admin a workaround fix there would be the same as everywhere else: to specify <encryptedCredential>false</encryptedCredential> in the SOAP call.

            But, hopefully we can fix the problem in Crowd 2.7.2 instead of modifying SOAP clients everywhere.

            Caspar Krieger (Inactive) added a comment - web.admin a workaround fix there would be the same as everywhere else: to specify <encryptedCredential>false</encryptedCredential> in the SOAP call. But, hopefully we can fix the problem in Crowd 2.7.2 instead of modifying SOAP clients everywhere.

            Web Services added a comment -

            This is also an issue for the mod_perl based Apache connector. What would be the fix there ?

            Web Services added a comment - This is also an issue for the mod_perl based Apache connector. What would be the fix there ?

            Caspar Krieger (Inactive) added a comment - - edited

            I will investigate how feasible it is to make Crowd's SOAP API revert to the old behaviour of assuming that a PasswordCredential in an AuthenticationContext is always unencrypted.

            I'm attaching a simple script (largely based on the code in the description) to reproduce the issue, which takes 1 or 2 arguments:

            1. path to the fixed wsdl file (already attached here)
            2. (optional) what too set the encrypted credential in the soap call to; true or false, or do not specifiy it to leave it unspecified in the soap call.

            Caspar Krieger (Inactive) added a comment - - edited I will investigate how feasible it is to make Crowd's SOAP API revert to the old behaviour of assuming that a PasswordCredential in an AuthenticationContext is always unencrypted. I'm attaching a simple script (largely based on the code in the description) to reproduce the issue, which takes 1 or 2 arguments: 1. path to the fixed wsdl file (already attached here) 2. (optional) what too set the encrypted credential in the soap call to; true or false , or do not specifiy it to leave it unspecified in the soap call.

            Caspar Krieger (Inactive) added a comment -

            Also reported earlier in this question on answers.atlassian.com.

            Caspar Krieger (Inactive) added a comment - Also reported earlier in this question on answers.atlassian.com .

            SSI Team added a comment -

            Calling auth_context.credential.encryptedCredential = False fixed it! Thanks so much for the help.

            SSI Team added a comment - Calling auth_context.credential.encryptedCredential = False fixed it! Thanks so much for the help.

            Caspar Krieger (Inactive) added a comment - - edited

            TLDR: Set auth_context.credential.encryptedCredential = False in the snippet above for Crowd 2.7.1

            Confirmed in 2.7.1 by running the sample code in the description, which does indeed succeed (after modifying Crowd's wsdl file as directed in CWD-159) with 2.7.0 but fails with 2.7.1 with a not so helpful message logged at debug level:

            2014-03-26 09:31:54,447 http-bio-8095-exec-25 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Using SessionFactory 'sessionFactory' for OpenSessionInViewFilter
2014-03-26 09:31:54,447 http-bio-8095-exec-25 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Opening Hibernate Session in OpenSessionInViewFilter
2014-03-26 09:31:54,448 http-bio-8095-exec-25 DEBUG [service.soap.xfire.XFireFaultLoggingMethodHandler] SOAP service fault for method: authenticateApplication
        java.lang.reflect.InvocationTargetException

2014-03-26 09:31:54,449 http-bio-8095-exec-25 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Closing Hibernate Session in OpenSessionInViewFilter

            I've attached the fixed WSDL file for Crowd 2.7.1 (which should and does work for 2.7.0; the unmodified WSDL files are identical for the two).

            After making some changes to the logging code so that we get some more useful logs (raised CWD-3839 to make this permanent):

            2014-03-26 10:41:24,307 http-bio-8095-exec-7 DEBUG [service.soap.xfire.XFireFaultLoggingMethodHandler] SOAP service fault for method: authenticateApplication
Couldn't set property {http://authentication.integration.crowd.atlassian.com}credential on com.atlassian.crowd.integration.authentication.ApplicationAuthenticationContext@75b89c9a[name=<null>,credential=<null>,validationFactors=<null>]. null
java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.codehaus.xfire.aegis.type.basic.BeanType.writeProperty(BeanType.java:290)
	at org.codehaus.xfire.aegis.type.basic.BeanType.readObject(BeanType.java:167)
	at org.codehaus.xfire.aegis.AegisBindingProvider.readParameter(AegisBindingProvider.java:169)
	at org.codehaus.xfire.service.binding.AbstractBinding.read(AbstractBinding.java:206)
	at org.codehaus.xfire.service.binding.WrappedBinding.readMessage(WrappedBinding.java:51)
	at org.codehaus.xfire.soap.handler.SoapBodyHandler.invoke(SoapBodyHandler.java:42)
	at org.codehaus.xfire.handler.HandlerPipeline.invoke(HandlerPipeline.java:131)
	at org.codehaus.xfire.transport.DefaultEndpoint.onReceive(DefaultEndpoint.java:64)
	at org.codehaus.xfire.transport.AbstractChannel.receive(AbstractChannel.java:38)
	at org.codehaus.xfire.transport.http.XFireServletController.invoke(XFireServletController.java:304)
	at org.codehaus.xfire.transport.http.XFireServletController.doService(XFireServletController.java:129)
	at org.codehaus.xfire.spring.remoting.XFireServletControllerAdapter.handleRequest(XFireServletControllerAdapter.java:67)
	at com.atlassian.crowd.service.soap.SafeXmlXFireExporter.handleRequest(SafeXmlXFireExporter.java:74)
	at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:925)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:856)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:936)
	at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:838)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:812)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:25)
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
	at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77)
	at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
	at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77)
	at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
	at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:98)
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
	at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:55)
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
	at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77)
	at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at com.atlassian.johnson.filters.AbstractJohnsonFilter.doFilter(AbstractJohnsonFilter.java:67)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.springframework.orm.hibernate4.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:152)
	at com.atlassian.crowd.console.filter.CrowdOpenSessionInViewFilter.doFilterInternal(CrowdOpenSessionInViewFilter.java:26)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at com.atlassian.crowd.plugin.web.filter.RequestCacheThreadLocalFilter.doFilter(RequestCacheThreadLocalFilter.java:31)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at com.atlassian.gzipfilter.GzipFilter.doFilterInternal(GzipFilter.java:80)
	at com.atlassian.gzipfilter.GzipFilter.doFilter(GzipFilter.java:51)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
	at com.atlassian.crowd.console.filter.CrowdDelegatingFilterProxy.doFilter(CrowdDelegatingFilterProxy.java:38)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
	at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77)
	at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at com.atlassian.crowd.plugin.web.filter.HttpContextFilter.doFilter(HttpContextFilter.java:34)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.IllegalArgumentException: Password credentials must not be encrypted
	at com.atlassian.crowd.integration.authentication.AuthenticationContext.checkNotEncrypted(AuthenticationContext.java:34)
	at com.atlassian.crowd.integration.authentication.AuthenticationContext.setCredential(AuthenticationContext.java:79)
	... 101 more

            I can see it's trying to set an 'encrypted' credential (i.e. the password credential instance is recorded as being encrypted, but it isn't actually; XFire (which powers Crowd's SOAP API) just uses the default PasswordCredential constructor) with the AuthenticationContext.

            In Crowd 2.7.1 we cleaned up this section of code such that passing an encrypted PasswordCredential instance into an AuthenticationContext is an error (because it doesn't make sense to try to authenticate with an encrypted password for an application, because Crowd determines the password encryption for a password).

            Hence, you can solve this by calling auth_context.credential.encryptedCredential = False in your code snippet before trying to get an application token.

            I will update the Crowd 2.7.1 release notes and the Crowd SOAP API docs to note this (unintended but shipped) backwards incompatible change. I've updated this issue's summary as well.

            Caspar Krieger (Inactive) added a comment - - edited TLDR: Set auth_context.credential.encryptedCredential = False in the snippet above for Crowd 2.7.1 Confirmed in 2.7.1 by running the sample code in the description, which does indeed succeed (after modifying Crowd's wsdl file as directed in CWD-159 ) with 2.7.0 but fails with 2.7.1 with a not so helpful message logged at debug level: 2014-03-26 09:31:54,447 http-bio-8095-exec-25 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Using SessionFactory 'sessionFactory' for OpenSessionInViewFilter 2014-03-26 09:31:54,447 http-bio-8095-exec-25 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Opening Hibernate Session in OpenSessionInViewFilter 2014-03-26 09:31:54,448 http-bio-8095-exec-25 DEBUG [service.soap.xfire.XFireFaultLoggingMethodHandler] SOAP service fault for method: authenticateApplication java.lang.reflect.InvocationTargetException 2014-03-26 09:31:54,449 http-bio-8095-exec-25 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Closing Hibernate Session in OpenSessionInViewFilter I've attached the fixed WSDL file for Crowd 2.7.1 (which should and does work for 2.7.0; the unmodified WSDL files are identical for the two). After making some changes to the logging code so that we get some more useful logs (raised CWD-3839 to make this permanent): 2014-03-26 10:41:24,307 http-bio-8095-exec-7 DEBUG [service.soap.xfire.XFireFaultLoggingMethodHandler] SOAP service fault for method: authenticateApplication Couldn't set property {http: //authentication.integration.crowd.atlassian.com}credential on com.atlassian.crowd.integration.authentication.ApplicationAuthenticationContext@75b89c9a[name=< null >,credential=< null >,validationFactors=< null >]. null java.lang.reflect.InvocationTargetException at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.codehaus.xfire.aegis.type.basic.BeanType.writeProperty(BeanType.java:290) at org.codehaus.xfire.aegis.type.basic.BeanType.readObject(BeanType.java:167) at org.codehaus.xfire.aegis.AegisBindingProvider.readParameter(AegisBindingProvider.java:169) at org.codehaus.xfire.service.binding.AbstractBinding.read(AbstractBinding.java:206) at org.codehaus.xfire.service.binding.WrappedBinding.readMessage(WrappedBinding.java:51) at org.codehaus.xfire.soap.handler.SoapBodyHandler.invoke(SoapBodyHandler.java:42) at org.codehaus.xfire.handler.HandlerPipeline.invoke(HandlerPipeline.java:131) at org.codehaus.xfire.transport.DefaultEndpoint.onReceive(DefaultEndpoint.java:64) at org.codehaus.xfire.transport.AbstractChannel.receive(AbstractChannel.java:38) at org.codehaus.xfire.transport.http.XFireServletController.invoke(XFireServletController.java:304) at org.codehaus.xfire.transport.http.XFireServletController.doService(XFireServletController.java:129) at org.codehaus.xfire.spring.remoting.XFireServletControllerAdapter.handleRequest(XFireServletControllerAdapter.java:67) at com.atlassian.crowd.service.soap.SafeXmlXFireExporter.handleRequest(SafeXmlXFireExporter.java:74) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:925) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:856) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:936) at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:838) at javax.servlet.http.HttpServlet.service(HttpServlet.java:646) at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:812) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46) at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66) at com.atlassian.applinks.core. rest .context.ContextFilter.doFilter(ContextFilter.java:25) at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74) at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42) at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77) at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46) at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77) at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46) at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66) at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:98) at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74) at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42) at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66) at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:55) at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74) at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42) at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77) at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.atlassian.johnson.filters.AbstractJohnsonFilter.doFilter(AbstractJohnsonFilter.java:67) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.springframework.orm.hibernate4.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:152) at com.atlassian.crowd.console.filter.CrowdOpenSessionInViewFilter.doFilterInternal(CrowdOpenSessionInViewFilter.java:26) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.atlassian.crowd.plugin.web.filter.RequestCacheThreadLocalFilter.doFilter(RequestCacheThreadLocalFilter.java:31) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.atlassian.gzipfilter.GzipFilter.doFilterInternal(GzipFilter.java:80) at com.atlassian.gzipfilter.GzipFilter.doFilter(GzipFilter.java:51) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260) at com.atlassian.crowd.console.filter.CrowdDelegatingFilterProxy.doFilter(CrowdDelegatingFilterProxy.java:38) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46) at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77) at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.atlassian.crowd.plugin.web.filter.HttpContextFilter.doFilter(HttpContextFilter.java:34) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang. Thread .run( Thread .java:744) Caused by: java.lang.IllegalArgumentException: Password credentials must not be encrypted at com.atlassian.crowd.integration.authentication.AuthenticationContext.checkNotEncrypted(AuthenticationContext.java:34) at com.atlassian.crowd.integration.authentication.AuthenticationContext.setCredential(AuthenticationContext.java:79) ... 101 more I can see it's trying to set an 'encrypted' credential (i.e. the password credential instance is recorded as being encrypted, but it isn't actually; XFire (which powers Crowd's SOAP API) just uses the default PasswordCredential constructor) with the AuthenticationContext. In Crowd 2.7.1 we cleaned up this section of code such that passing an encrypted PasswordCredential instance into an AuthenticationContext is an error (because it doesn't make sense to try to authenticate with an encrypted password for an application, because Crowd determines the password encryption for a password). Hence, you can solve this by calling auth_context.credential.encryptedCredential = False in your code snippet before trying to get an application token. I will update the Crowd 2.7.1 release notes and the Crowd SOAP API docs to note this (unintended but shipped) backwards incompatible change. I've updated this issue's summary as well.

              ckrieger Caspar Krieger (Inactive)
              30fa40b9e6fe SSI Team
              Affected customers:
              0 This affects my team
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: