- Bug
- Resolution: Fixed
- High
- 4.1, 4.2
- 4.01
Patch Available For JIRA 4.1.2
There is now a patch available for JIRA 4.1.2 customers.
It consists of the following files:
jira-gadgets-plugin-4.1.2_JRA21876.jar
JRA-21876-4.1.2-patch-instructions.txt
NOTES :
This patch also requires that you update the jira-gadgets-plugin that has been shipped with JIRA.
To update this bundled plugin you also need to place jira-gadgets-plugin-4.1.2_JRA21876.jar into
'<JIRA_HOME>/plugins/installed-plugins'. It will then be loaded and will override the
version that is shipped with JIRA.
WINDOWS USERS : Do not use the built-in Windows ZIP extractor to apply this patch!
By default it replaces all the files in a directory instead of merging the files in.
If this happens, JIRA will not be able to work correctly. Use another zip tool such
as WinZip or 7-Zip.
How to apply this patch
==========================
Before applying the patch file, make a copy of your JIRA web application directory in case
things go wrong. This will allow you to more easily back out any changes.
If you are using the Standalone distribution of JIRA:
1. Download the file JRA-21876-4.1.2-patch.zip
2. Expand the zip file into <jira_install_dir>/atlassian-jira/ overwriting the files there
3. Restart JIRA
If you are using the WAR distribution of JIRA:
1. Download the file JRA-21876-4.1.2-patch.zip
2. Expand the zip file to <jira_install_dir>/webapp overwriting the files there
3. Run 'build.sh clean' on Unix or 'build.bat clean' on Windows
4. Run 'build.sh' on Unix or 'build.bat' on Windows
5. Redeploy the JIRA web app into your application server
The patch zip file contains the following files :
Archive: patch-JRA-21876/patches/JRA-21876-4.1.2-patch.zip
   Length        Date   Time   Name
---------  ----------  -----   ----
    10905  2010-08-01  16:52   WEB-INF/classes/com/atlassian/jira/security/login/LoginManagerImpl.class
       44  2010-08-02  16:55   WEB-INF/classes/patches/JRA-21876.readme
---------                      -------
    10949                      2 files
See also http://jira.atlassian.com/browse/CWD-1972
The Problem Description
The problem is that we have an optimisation in the JIRA code that denies an authentication attempt if there is no user known to the system:

    LoginInfo loginInfo = getLoginInfo(userName);
    if (loginInfo == null) {
        return false;
    }

We need to change this to handle the use case where users are lazily added on first authentication attempt:

    LoginInfo loginInfo = getLoginInfo(userName);
    if (loginInfo == null) {
        return true;
    }

It's a very simple fix in practice. I have spoken to Spuddy and he is kosher that there are no extra security implications.
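The gate described above, modelled as an added example that is not JIRA's code: only `LoginInfo` and `getLoginInfo(userName)` come from the page, while the directory map, the lockout threshold and the `patched` flag are assumptions. It shows that letting an unknown user past the pre-check still leaves the password decision with the delegated directory.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration. Only LoginInfo and getLoginInfo(userName) come from the page;
// every other name, the threshold and the sample accounts are hypothetical.
public class LazyUserPreCheck {
    static final class LoginInfo { int failedCount; }   // per-user login bookkeeping

    static final int MAX_FAILED = 3;                     // assumed lockout threshold
    static final Map<String, LoginInfo> known = new HashMap<>();
    // Constructed data: accounts that so far exist only in the delegated directory.
    static final Map<String, String> directory = Map.of("alice", "s3cret");

    static LoginInfo getLoginInfo(String userName) { return known.get(userName); }

    // Gate evaluated before the credentials are verified.
    static boolean preCheck(String userName, boolean patched) {
        LoginInfo loginInfo = getLoginInfo(userName);
        if (loginInfo == null) {
            return patched;   // before the fix: false (deny); after: true (let the directory decide)
        }
        return loginInfo.failedCount < MAX_FAILED;
    }

    // Full attempt: gate, then directory check, then lazy creation of the local record.
    static boolean login(String userName, String password, boolean patched) {
        if (!preCheck(userName, patched)) {
            return false;
        }
        // Toy comparison; a real directory verifies a password hash.
        boolean ok = password.equals(directory.get(userName));
        LoginInfo info = getLoginInfo(userName);
        if (ok) {
            if (info == null) { info = new LoginInfo(); known.put(userName, info); }
            info.failedCount = 0;
        } else if (info != null) {
            info.failedCount++;
        }
        return ok;
    }

    public static void main(String[] args) {
        System.out.println("unpatched, new user, right password: " + login("alice", "s3cret", false));
        System.out.println("patched, new user, wrong password:   " + login("alice", "nope", true));
        System.out.println("patched, unknown name:               " + login("mallory", "x", true));
        System.out.println("patched, new user, right password:   " + login("alice", "s3cret", true));
        System.out.println("local record created on first login: " + (getLoginInfo("alice") != null));
    }
}
```

In this model the failed-attempt counter only exists once a user has a local record, so throttling of guesses against not-yet-provisioned names has to come from the directory itself.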
- causes
- CWD-1972 User authentication fails for new users when using delegated authentication directory with auto-add-to-directory enabled
- Closed