Uploaded image for project: 'FishEye'
  1. FishEye
  2. FE-5364

2LOi requests made from an application that has the username in a different case than FishEye/Crucible aren't authenticated properly even if 'force lowercase' is set

    XMLWordPrintable

Details

    Description

      The implementation of com.atlassian.sal.api.user.UserManager#resolve, doesn't consider the 'force lowercase'
      setting when processing the username provided in the 2LO request. This will cause the request to continue being processed as anonymous (as the 2lo validation succeeds, but it didn't have a valid username).

      This potentially affects other auth methods that try to resolve a username (like trusted apps). 3LO is not affected, as the exact-cased username is stored with the 3LO token when creating the token.

      Effects of this might include requests made from other applications with such a configuration to be treated as anonymous requests, and show incomplete or no data, depending on the request type and Fisheye's configuration.

      A workaround is to use 3-legged OAuth for such configurations.

      Attachments

        Issue Links

          Activity

            People

              lpater Lukasz Pater
              lpater Lukasz Pater
              Votes:
              2 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: