- Type: Bug
- Resolution: Unresolved
- Priority: Low
- Affects Version/s: 7.1.0
- Component/s: Core features
- Severity 3 - Minor
Problem
Methods used by the OAuth 2 'Authorized Applications' page are not on the Velocity method allowlist by default
Environment
Reproduced in Crowd 7.1.0
Steps to Reproduce
- Installed Crowd 7.1.0 on SSL with no context path.
- Added the following JVM flags to Crowd:
JAVA_OPTS="-Datlassian.oauth2.provider.skip.base.url.https.requirement=true $JAVA_OPTS"
JAVA_OPTS="-Datlassian.oauth2.provider.skip.redirect.url.https.requirement=true $JAVA_OPTS"
- Installed Bamboo 11.0.8.
- Added the following JVM flags to Bamboo:
JVM_SUPPORT_RECOMMENDED_ARGS="-Datlassian.velocity.method.allowlist.debug=true -Datlassian.oauth2.provider.skip.base.url.https.requirement=true $JVM_SUPPORT_RECOMMENDED_ARGS"
- Created an OAuth 2.0 application link between Crowd and Bamboo.
- In Crowd, navigated to 'My Profile' and selected 'Authorized Applications'.
Expected Results
Access the Profile > Authorized Applications with no system exception
Actual Results
A system exception happens
/plugins/servlet/oauth/users/access-tokens; user: admin ERROR [ContainerBase.[Catalina].[localhost].[/]] Unhandled exception occurred whilst decorating page
com.atlassian.templaterenderer.RenderingException: org.apache.velocity.exception.MethodInvocationException: Invocation of method 'format' in class java.text.SimpleDateFormat threw exception java.lang.IllegalArgumentException: Cannot format given Object as a Date at /templates/user/access-tokens-body.vm[line 44, column 129]
    at com.atlassian.templaterenderer.velocity.one.six.internal.VelocityTemplateRendererImpl.render(VelocityTemplateRendererImpl.java:161) ~[?:?]
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103) ~[?:?]
    at java.base/java.lang.reflect.Method.invoke(Method.java:580) ~[?:?]
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:360) ~[spring-aop-6.2.11.jar:6.2.11]
    at org.eclipse.gemini.blueprint.service.importer.support.internal.aop.ServiceInvoker.doInvoke(ServiceInvoker.java:56) ~[?:?]
    ...
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:223) ~[spring-aop-6.2.11.jar:6.2.11]
    at jdk.proxy12/jdk.proxy12.$Proxy416.render(Unknown Source) ~[?:?]
    at com.atlassian.oauth.serviceprovider.internal.servlet.user.AccessTokensServlet.render(AccessTokensServlet.java:53) ~[?:?]
    at com.atlassian.oauth.serviceprovider.internal.servlet.user.AccessTokensUserProfileServlet.doGet(AccessTokensUserProfileServlet.java:49) ~[?:?]
    ...
    at com.atlassian.plugin.servlet.ServletModuleContainerServlet.service(ServletModuleContainerServlet.java:51) ~[atlassian-plugins-servlet-9.0.0.jar:?]
    at com.atlassian.crowd.console.filter.CrowdServletModuleContainerServlet.service(CrowdServletModuleContainerServlet.java:94) ~[classes/:?]
    ...
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-coyote.jar:10.1.43]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1189) ~[tomcat-util.jar:10.1.43]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:658) ~[tomcat-util.jar:10.1.43]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) ~[tomcat-util.jar:10.1.43]
    at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
Caused by: org.apache.velocity.exception.MethodInvocationException: Invocation of method 'format' in class java.text.SimpleDateFormat threw exception java.lang.IllegalArgumentException: Cannot format given Object as a Date at /templates/user/access-tokens-body.vm[line 44, column 129]
    at org.apache.velocity.runtime.parser.node.ASTMethod.handleInvocationException(ASTMethod.java:342) ~[velocity-1.6.4-atlassian-jakarta-38.jar:?]
    at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:284) ~[velocity-1.6.4-atlassian-jakarta-38.jar:?]
    ...
    at org.apache.velocity.Template.merge(Template.java:336) ~[velocity-1.6.4-atlassian-jakarta-38.jar:?]
    at org.apache.velocity.Template.merge(Template.java:237) ~[velocity-1.6.4-atlassian-jakarta-38.jar:?]
    at com.atlassian.templaterenderer.velocity.one.six.internal.VelocityTemplateRendererImpl.render(VelocityTemplateRendererImpl.java:150) ~[?:?]
    ... 289 more
Caused by: java.lang.IllegalArgumentException: Cannot format given Object as a Date
    at java.base/java.text.DateFormat.format(DateFormat.java:342) ~[?:?]
    at java.base/java.text.Format.format(Format.java:159) ~[?:?]
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103) ~[?:?]
    at java.base/java.lang.reflect.Method.invoke(Method.java:580) ~[?:?]
    at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.doInvoke(UberspectImpl.java:418) ~[velocity-1.6.4-atlassian-jakarta-38.jar:?]
    at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:407) ~[velocity-1.6.4-atlassian-jakarta-38.jar:?]
    at com.atlassian.velocity.htmlsafe.introspection.UnboxingMethod.invoke(UnboxingMethod.java:28) ~[velocity-htmlsafe-5.0.1.jar:?]
    at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:270) ~[velocity-1.6.4-atlassian-jakarta-38.jar:?]
    at org.apache.velocity.runtime.directive.Parse.render(Parse.java:263) ~[velocity-1.6.4-atlassian-jakarta-38.jar:?]
    at org.apache.velocity.runtime.parser.node.ASTDirective.render(ASTDirective.java:175) ~[velocity-1.6.4-atlassian-jakarta-38.jar:?]
    at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:336) ~[velocity-1.6.4-atlassian-jakarta-38.jar:?]
    at org.apache.velocity.Template.merge(Template.java:336) ~[velocity-1.6.4-atlassian-jakarta-38.jar:?]
    at org.apache.velocity.Template.merge(Template.java:237) ~[velocity-1.6.4-atlassian-jakarta-38.jar:?]
    at com.atlassian.templaterenderer.velocity.one.six.internal.VelocityTemplateRendererImpl.render(VelocityTemplateRendererImpl.java:150) ~[?:?]
    ... 289 more
The methods causing the problem can be isolated further from the velocity-runtime WARN lines in the Crowd log, which name each blocked Class#method() signature:
2025-11-14 16:40:45,957 http-nio-8095-exec-17 url: /plugins/servlet/oauth/users/access-tokens; user: admin WARN [velocity-runtime] Invocation blocked as method is not allowlisted: com.atlassian.oauth.serviceprovider.internal.servlet.user.AccessTokensServletContext$TokenRepresentation#getConsumerUri()
2025-11-14 16:40:45,959 http-nio-8095-exec-17 url: /plugins/servlet/oauth/users/access-tokens; user: admin WARN [velocity-runtime] Invocation blocked as method is not allowlisted: com.atlassian.oauth.serviceprovider.internal.servlet.user.AccessTokensServletContext$TokenRepresentation#getConsumerUri()
2025-11-14 16:40:45,959 http-nio-8095-exec-17 url: /plugins/servlet/oauth/users/access-tokens; user: admin WARN [velocity-runtime] Invocation blocked as method is not allowlisted: com.atlassian.oauth.serviceprovider.internal.servlet.user.AccessTokensServletContext$TokenRepresentation#getToken()
2025-11-14 16:40:45,959 http-nio-8095-exec-17 url: /plugins/servlet/oauth/users/access-tokens; user: admin WARN [velocity-runtime] Invocation blocked as method is not allowlisted: com.atlassian.oauth.serviceprovider.internal.servlet.user.AccessTokensServletContext$TokenRepresentation#getConsumerName()
2025-11-14 16:40:45,959 http-nio-8095-exec-17 url: /plugins/servlet/oauth/users/access-tokens; user: admin WARN [velocity-runtime] Invocation blocked as method is not allowlisted: com.atlassian.oauth.serviceprovider.internal.servlet.user.AccessTokensServletContext$TokenRepresentation#getConsumerHostName()
2025-11-14 16:40:45,959 http-nio-8095-exec-17 url: /plugins/servlet/oauth/users/access-tokens; user: admin WARN [velocity-runtime] Invocation blocked as method is not allowlisted: com.atlassian.oauth.serviceprovider.internal.servlet.user.AccessTokensServletContext$TokenRepresentation#getCreationTime()
Workaround
Adding this to Crowd's setenv.sh allowlists the required methods and makes the integration work:
JAVA_OPTS="-Datlassian.velocity.method.allowlist.extra=\"com.atlassian.oauth.serviceprovider.internal.servlet.user.AccessTokensServletContext\\\$TokenRepresentation#getConsumerUri(),com.atlassian.oauth.serviceprovider.internal.servlet.user.AccessTokensServletContext\\\$TokenRepresentation#getConsumerUri(),com.atlassian.oauth.serviceprovider.internal.servlet.user.AccessTokensServletContext\\\$TokenRepresentation#getToken(),com.atlassian.oauth.serviceprovider.internal.servlet.user.AccessTokensServletContext\\\$TokenRepresentation#getConsumerName(),com.atlassian.oauth.serviceprovider.internal.servlet.user.AccessTokensServletContext\\\$TokenRepresentation#getConsumerHostName(),com.atlassian.oauth.serviceprovider.internal.servlet.user.AccessTokensServletContext\\\$TokenRepresentation#getCreationTime()\" ${JAVA_OPTS}"
However, the customer should not need to add JVM flags for native functionality.
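As an added example (not part of this report and not Atlassian's code), the helper below does the two things a practitioner wants when applying this workaround: it pulls the distinct blocked signatures out of the velocity-runtime WARN lines, and it renders the setenv.sh assignment with the same escaping the workaround uses, then models the two shell parses that assignment goes through (sourcing setenv.sh, then catalina.sh building the java command with eval) to confirm the JVM ends up with the plain Class$Inner#method() value. The log lines inside are constructed from the ones quoted above; the two-stage parse is a simplified model that assumes catalina.sh expands JAVA_OPTS through eval and that the value contains no unescaped double quote; the function names are mine. Because atlassian.velocity.method.allowlist.extra widens the Velocity method allowlist, keep the list to the exact signatures the WARN lines report.

```python
import re

# The WARN line Crowd's velocity-runtime logger writes when the Velocity method allowlist
# blocks a template call; the capture is "fully.qualified.Class#method()".
BLOCKED_RE = re.compile(
    r"Invocation blocked as method is not allowlisted:\s*(?P<sig>[\w.$]+#\w+\(\))"
)

# Constructed sample log modelled on the WARN lines in this report (not a real log file);
# the duplicate getConsumerUri() entry mirrors the report.
TOKEN_CLASS = ("com.atlassian.oauth.serviceprovider.internal.servlet.user."
               "AccessTokensServletContext$TokenRepresentation")
WARN_TEMPLATE = ("2025-11-14 16:40:45,959 http-nio-8095-exec-17 url: /plugins/servlet/oauth/"
                 "users/access-tokens; user: admin WARN [velocity-runtime] Invocation blocked "
                 "as method is not allowlisted: {sig}")
SAMPLE_LOG = "\n".join(
    [WARN_TEMPLATE.format(sig=f"{TOKEN_CLASS}#{m}()") for m in (
        "getConsumerUri", "getConsumerUri", "getToken",
        "getConsumerName", "getConsumerHostName", "getCreationTime")]
    + ["2025-11-14 16:40:46,001 http-nio-8095-exec-17 url: /plugins/servlet/oauth/users/"
       "access-tokens; user: admin ERROR [ContainerBase.[Catalina].[localhost].[/]] "
       "Unhandled exception occurred whilst decorating page"]
)


def blocked_methods(log_text: str) -> list[str]:
    """Distinct blocked Class#method() signatures, in first-seen order (duplicates dropped)."""
    seen: list[str] = []
    for line in log_text.splitlines():
        m = BLOCKED_RE.search(line)
        if m and m.group("sig") not in seen:
            seen.append(m.group("sig"))
    return seen


def allowlist_property_value(signatures: list[str]) -> str:
    """Comma-separated value the JVM must receive in atlassian.velocity.method.allowlist.extra."""
    return ",".join(signatures)


def setenv_line(signatures: list[str], var: str = "JAVA_OPTS") -> str:
    """Render the setenv.sh assignment with the escaping the report's workaround uses."""
    # Inside the double-quoted assignment the shell turns \" into a literal quote and \\\$
    # into \$; catalina.sh then evaluates JAVA_OPTS again (it builds the command with eval),
    # which turns \$ into a bare $, so the JVM sees the inner-class name unchanged.
    escaped = ",".join(s.replace("$", "\\\\\\$") for s in signatures)
    return f'{var}="-Datlassian.velocity.method.allowlist.extra=\\"{escaped}\\" ${{{var}}}"'


def _dq_unescape(body: str) -> str:
    """Apply POSIX double-quote rules: a backslash escapes only $, backquote, \" and \\."""
    out, i = [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body) and body[i + 1] in '$`"\\':
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def jvm_receives(assignment: str, var: str = "JAVA_OPTS", prior: str = "") -> str:
    """Simplified model of the two shell parses a setenv.sh JAVA_OPTS entry goes through.

    Stage 1: setenv.sh is sourced (double-quote rules, ${VAR} expanded to `prior`).
    Stage 2: catalina.sh passes the result through eval, so the -D option is parsed again.
    Returns the -D argument as the JVM finally sees it. Assumption: the option comes first
    and its value contains no unescaped double quote, which holds for this workaround.
    """
    prefix = f'{var}="'
    if not (assignment.startswith(prefix) and assignment.endswith('"')):
        raise ValueError('expected a VAR="..." assignment')
    stage1 = _dq_unescape(assignment[len(prefix):-1]).replace(f"${{{var}}}", prior)
    m = re.match(r'(-D[\w.]+=)"([^"]*)"', stage1.strip())
    if not m:
        raise ValueError("could not find a quoted -D option after stage 1")
    return m.group(1) + _dq_unescape(m.group(2))


if __name__ == "__main__":
    sigs = blocked_methods(SAMPLE_LOG)
    line = setenv_line(sigs)
    print(line)            # paste this into Crowd's setenv.sh
    print(jvm_receives(line))  # what the JVM should end up with
```

Run it against a copy of the real Crowd log (feed the file's text to blocked_methods instead of SAMPLE_LOG) to get the assignment, then verify on the running instance: after a restart the Authorized Applications page should load and the WARN lines should stop appearing. The parse model is not a shell; it only checks that the escaping round-trips, so the live check is the one that counts.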
Notes
- is cloned by KRAK-8423