[FE-5364] 2LOi requests made from an application that has the username in a different case than FishEye/Crucible aren't authenticated properly even if 'force lowercase' is set

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 3.8.1, 3.9.0
Affects Version/s: 2.2.0, 3.6.4
Component/s: None
Labels:
- oauth
- pse-request
- sal

Bug Fix Policy:
View Atlassian Server bug fix policy

The implementation of com.atlassian.sal.api.user.UserManager#resolve, doesn't consider the 'force lowercase'
setting when processing the username provided in the 2LO request. This will cause the request to continue being processed as anonymous (as the 2lo validation succeeds, but it didn't have a valid username).

This potentially affects other auth methods that try to resolve a username (like trusted apps). 3LO is not affected, as the exact-cased username is stored with the 3LO token when creating the token.

Effects of this might include requests made from other applications with such a configuration to be treated as anonymous requests, and show incomplete or no data, depending on the request type and Fisheye's configuration.

A workaround is to use 3-legged OAuth for such configurations.

Testing discovered

CRUC-6968 Review keys in review title get wrongly shown on JIRA issues matching a substring of the key

Closed

Discovered while testing: JSP-202595 You do not have permission to view this issue

mentioned in: Page Failed to load; Page Failed to load

Form Name

Assignee:: Lukasz Pater

Reporter:: Lukasz Pater

Affected customers:: 2 This affects my team

Watchers:: 7 Start watching this issue

Created:: 16/Oct/2014 11:00 AM

Updated:: 26/Jan/2016 7:41 AM

Resolved:: 16/Jun/2015 12:13 PM

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates