Details
- Bug
- Resolution: Timed out
- Low
- 3.1.0, 3.7.0
- None
- Severity 3 - Minor
- 3
Description
Summary
If a user tries to approve an OAuth token from another application (like JIRA), while they're logged in using only the admin password (not logged in as an actual user) in FishEye/Crucible, they'll see a screen to confirm the access as user '$admin$', and allowing that leads to an exception.
Steps to Reproduce
- As an admin user, attempt to approve an OAuth token from another application.
Actual Results
The token is able to be authorised.
Expected Results
The below exception is thrown:
[java] 2015-02-05 15:35:00,573 ERROR - Exception "user" (java.lang.NullPointerException) while processing "/foo/plugins/servlet/oauth/authorize" (Referer:"http://lpater-dev.atlassian.pl:6060/foo/plugins/servlet/oauth/authorize")
[java] java.lang.NullPointerException: user
[java]     at com.google.common.base.Preconditions.checkNotNull(Preconditions.java:204)
[java]     at com.atlassian.oauth.serviceprovider.ServiceProviderToken.authorize(ServiceProviderToken.java:165)
[java]     at com.atlassian.oauth.serviceprovider.internal.servlet.authorize.PostAuthorization.process(PostAuthorization.java:63)
[java]     at com.atlassian.oauth.serviceprovider.internal.servlet.authorize.AuthorizeServlet.process(AuthorizeServlet.java:112)
[java]     at com.atlassian.oauth.serviceprovider.internal.servlet.authorize.AuthorizeServlet.doPostInTransaction(AuthorizeServlet.java:79)
[java]     at com.atlassian.oauth.serviceprovider.internal.servlet.TransactionalServlet$2.serve(TransactionalServlet.java:55)
[java]     at com.atlassian.oauth.serviceprovider.internal.servlet.TransactionalServlet$3.doInTransaction(TransactionalServlet.java:69)
[java]     at com.atlassian.oauth.serviceprovider.internal.servlet.TransactionalServlet$3.doInTransaction(TransactionalServlet.java:64)
[java]     at com.atlassian.sal.core.transaction.HostContextTransactionTemplate$1.doInTransaction(HostContextTransactionTemplate.java:25)
[java]     at com.atlassian.sal.spring.component.SpringHostContextAccessor$1.doInTransaction(SpringHostContextAccessor.java:88)
[java]     at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:130)
[java]     at com.atlassian.sal.spring.component.SpringHostContextAccessor.doInTransaction(SpringHostContextAccessor.java:82)
[java]     at com.atlassian.fisheye.plugin.FisheyeHostContextAccessor.doInTransaction(FisheyeHostContextAccessor.java:46)
[java]     at sun.reflect.GeneratedMethodAccessor132.invoke(Unknown Source)
[java]     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[java]     at java.lang.reflect.Method.invoke(Method.java:606)
[java]     at com.atlassian.plugin.osgi.hostcomponents.impl.DefaultComponentRegistrar$ContextClassLoaderSettingInvocationHandler.invoke(DefaultComponentRegistrar.java:129)
[java]     at com.sun.proxy.$Proxy144.doInTransaction(Unknown Source)
[java]     at sun.reflect.GeneratedMethodAccessor132.invoke(Unknown Source)
[java]     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[java]     at java.lang.reflect.Method.invoke(Method.java:606)
[java]     at com.atlassian.plugin.osgi.bridge.external.HostComponentFactoryBean$DynamicServiceInvocationHandler.invoke(HostComponentFactoryBean.java:154)
[java]     at com.sun.proxy.$Proxy144.doInTransaction(Unknown Source)
[java]     at com.atlassian.sal.core.transaction.HostContextTransactionTemplate.execute(HostContextTransactionTemplate.java:21)
[java]     at sun.reflect.GeneratedMethodAccessor141.invoke(Unknown Source)
[java]     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[java]     at java.lang.reflect.Method.invoke(Method.java:606)
[java]     at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
[java]     at org.springframework.osgi.service.importer.support.internal.aop.ServiceInvoker.doInvoke(ServiceInvoker.java:58)
[java]     at org.springframework.osgi.service.importer.support.internal.aop.ServiceInvoker.invoke(ServiceInvoker.java:62)
[java]     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
[java]     at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
[java]     at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
[java]     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
[java]     at org.springframework.osgi.service.util.internal.aop.ServiceTCCLInterceptor.invokeUnprivileged(ServiceTCCLInterceptor.java:56)
[java]     at org.springframework.osgi.service.util.internal.aop.ServiceTCCLInterceptor.invoke(ServiceTCCLInterceptor.java:39)
[java]     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
[java]     at org.springframework.osgi.service.importer.support.LocalBundleContextAdvice.invoke(LocalBundleContextAdvice.java:59)
[java]     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
[java]     at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
[java]     at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
[java]     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
[java]     at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
[java]     at com.sun.proxy.$Proxy585.execute(Unknown Source)
[java]     at com.atlassian.oauth.serviceprovider.internal.servlet.TransactionalServlet.serve(TransactionalServlet.java:63)
[java]     at com.atlassian.oauth.serviceprovider.internal.servlet.TransactionalServlet.doPost(TransactionalServlet.java:36)
[java]     at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
[java]     at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
[java]     at com.atlassian.plugin.servlet.DelegatingPluginServlet.service(DelegatingPluginServlet.java:42)
[java]     at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
[java]     at com.atlassian.fisheye.plugin.servlet.FisheyeServletModuleContainerServlet.service(FisheyeServletModuleContainerServlet.java:96)
[java]     at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
[java]     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:669)
[java]     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1526)
[java]     at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
[java]     at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
[java]     at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:25)
[java]     at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
[java]     at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
[java]     at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
[java]     at com.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter.doFilter(PrettyUrlsSiteMeshFixupFilter.java:36)
[java]     at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
[java]     at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
[java]     at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
[java]     at com.atlassian.prettyurls.filter.PrettyUrlsDispatcherFilter.doFilter(PrettyUrlsDispatcherFilter.java:60)
[java]     at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
[java]     at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
[java]     at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
[java]     at com.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter.doFilter(PrettyUrlsSiteMeshFilter.java:92)
[java]     at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
[java]     at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
[java]     at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
[java]     at com.atlassian.prettyurls.filter.PrettyUrlsMatcherFilter.doFilter(PrettyUrlsMatcherFilter.java:56)
[java]     at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
[java]     at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
[java]     at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77)
[java]     at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63)
[java]     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1502)
[java]     at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
[java]     at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:54)
[java]     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1502)
[java]     at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
[java]     at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
[java]     at com.atlassian.prettyurls.filter.PrettyUrlsCombinedMatchDispatcherFilter.doFilter(PrettyUrlsCombinedMatchDispatcherFilter.java:61)
[java]     at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
[java]     at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
[java]     at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77)
[java]     at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63)
[java]     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1502)
[java]     at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
[java]     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
[java]     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1502)
[java]     at com.atlassian.crucible.filters.CrucibleFilter.doFilter(CrucibleFilter.java:148)
[java]     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1502)
[java]     at com.cenqua.fisheye.web.filters.TotalityFilter.doFilter(TotalityFilter.java:301)
[java]     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
[java]     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
[java]     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1502)
[java]     at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:100)
[java]     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
[java]     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
[java]     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1502)
[java]     at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
[java]     at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
[java]     at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:69)
[java]     at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
[java]     at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
[java]     at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
[java]     at com.atlassian.prettyurls.filter.PrettyUrlsCombinedMatchDispatcherFilter.doFilter(PrettyUrlsCombinedMatchDispatcherFilter.java:61)
[java]     at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
[java]     at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
[java]     at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77)
[java]     at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63)
[java]     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1502)
[java]     at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:82)
[java]     at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:256)
[java]     at com.cenqua.fisheye.web.filters.CustomIncludableGzipFilter.doFilter(CustomIncludableGzipFilter.java:27)
[java]     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1502)
[java]     at com.cenqua.fisheye.web.filters.ProductInfoFilter.doFilter(ProductInfoFilter.java:44)
[java]     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
[java]     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
[java]     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1502)
[java]     at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
[java]     at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
[java]     at com.atlassian.prettyurls.filter.PrettyUrlsCombinedMatchDispatcherFilter.doFilter(PrettyUrlsCombinedMatchDispatcherFilter.java:61)
[java]     at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
[java]     at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
[java]     at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77)
[java]     at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63)
[java]     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1502)
[java]     at com.cenqua.fisheye.web.filters.UpfrontFilter.doFilter(UpfrontFilter.java:60)
[java]     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
[java]     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
[java]     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1502)
[java]     at com.atlassian.fecru.profiling.ProfilingServletFilter.doFilter(ProfilingServletFilter.java:88)
[java]     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
[java]     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
[java]     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1502)
[java]     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:455)
[java]     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
[java]     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
[java]     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
[java]     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1075)
[java]     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:384)
[java]     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
[java]     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1009)
[java]     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
[java]     at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
[java]     at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:154)
[java]     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
[java]     at org.eclipse.jetty.server.Server.handle(Server.java:368)
[java]     at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
[java]     at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:953)
[java]     at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1014)
[java]     at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:861)
[java]     at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
[java]     at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
[java]     at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:628)
[java]     at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
[java]     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
[java]     at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
[java]     at java.lang.Thread.run(Thread.java:745)
Notes
This is due to FishEye's SAL implementation returning a fake user for the admin password session; that fake user isn't an actual user in the system.
Workaround
The workaround is to log in as an actual user to confirm OAuth tokens, and not to use the admin password account for that.
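The failure described in the Notes, reduced to a stand-alone Java sketch (an added example, not FishEye or Atlassian OAuth plugin code): the unchecked path reproduces the null-user exception seen in the trace, and the checked path refuses the approval before the token is touched. The `resolveUser` lookup returning null, the `Token` class and the sample directory are assumptions made for illustration.

```java
import java.util.Objects;
import java.util.Set;

// Added illustration: every class and method name below is hypothetical, not Atlassian code.
public class AdminSessionConsentExample {

    // Constructed sample data: the only real account in the user directory.
    static final Set<String> DIRECTORY = Set.of("alice");

    /** Assumed lookup: yields null for a session name with no real account behind it. */
    static String resolveUser(String sessionName) {
        return sessionName != null && DIRECTORY.contains(sessionName) ? sessionName : null;
    }

    static final class Token {
        private String authorizedBy;

        /** Same shape as the failing frame in the trace: a null user is rejected with message "user". */
        void authorize(String user) {
            this.authorizedBy = Objects.requireNonNull(user, "user");
        }

        String authorizedBy() {
            return authorizedBy;
        }
    }

    /** Behaviour described in the report: the consent POST reaches authorize() unchecked. */
    static String approveUnchecked(Token token, String sessionName) {
        token.authorize(resolveUser(sessionName));
        return "authorized by " + token.authorizedBy();
    }

    /** Fail closed: refuse before touching the token when the session has no real user. */
    static String approveChecked(Token token, String sessionName) {
        String user = resolveUser(sessionName);
        if (user == null) {
            return "denied: log in as a real user to approve OAuth tokens";
        }
        token.authorize(user);
        return "authorized by " + token.authorizedBy();
    }

    public static void main(String[] args) {
        System.out.println(approveChecked(new Token(), "alice"));
        System.out.println(approveChecked(new Token(), "$admin$"));
        try {
            approveUnchecked(new Token(), "$admin$");
        } catch (NullPointerException e) {
            System.out.println("unchecked path: NullPointerException: " + e.getMessage());
        }
    }
}
```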
Issue Links
- clones FUSE-2212