- Type: Bug
- Resolution: Low Engagement
- Priority: Low
- None
- Affects Version/s: 6.4.1
- Component/s: Dashboard & Gadgets
- 6.04
- 3
- Severity 3 - Minor
- 0
Summary
DefaultGadgetSpecFactory::fetchObjectAndCache does not use current logged in user credentials or request cookie so it fails behind a proxy with basic auth
Environment
Basic Auth proxy
Apache site enabled
# JIRA AJP Proxy Configuration:
<VirtualHost *:80>
    ServerName jsimon.atlassian.local
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    LogLevel debug
    ProxyRequests Off
    ProxyPass /jira ajp://localhost:8010/jira
    ProxyPassReverse /jira ajp://localhost:8010/jira
    <Location /jira>
        AuthType Basic
        AuthName "Jira Basic Auth"
        AuthUserFile /etc/apache2/users/jira
        Require valid-user
    </Location>
</VirtualHost>
JIRA server.xml
<Context path="/jira" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
<Connector port="8010" maxThreads="150" minSpareThreads="25" enableLookups="false" protocol="AJP/1.3" address="127.0.0.1" />
Steps to Reproduce
From JIRA
Click the Add new gadgets button on a Dashboard
Manually
Enter http://localhost:8090/jira/rest/config/1.0/directoryitems/local.json in the browser
The list of gadgets will be smaller than expected.
Analysis:
The effect is that fewer gadgets are retrieved this way than without the proxy. This is partially solved by APDEX-198.
When LocalGadgetSpecFactory::getGadgetSpec fails to retrieve a gadget, it falls back to DefaultLocalGadgetSpecFactory:
private GadgetSpec fetchObjectAndCache(Uri url, boolean ignoreCache) throws GadgetException {
    HttpRequest request = new HttpRequest(url).setIgnoreCache(ignoreCache);
    request.setCacheTtl((int) (refresh / 1000));
    HttpResponse response = fetcher.fetch(request);
    ...
The only header in this request is X-shindig-dos: on, and the request results in a Gateway timeout (HTTP error 504). Apache error logs show:
[Fri May 15 17:51:47.063013 2015] [authz_core:debug] [pid 28554:tid 139774182508288] mod_authz_core.c(802): [client 10.0.2.2:56556] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
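A minimal reproduction of the failure described in the Analysis, as an added example that is not part of the original report and is not Jira or Shindig code: a loopback server stands in for the Basic Auth <Location /jira> block, and the same GET is sent first with only the X-shindig-dos header and then with the user's Authorization header. The credentials, the gadget.xml path and the helper names are assumptions.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials; stand-in for an entry in the AuthUserFile.
EXPECTED = "Basic " + base64.b64encode(b"alice:constructed-password").decode()
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no env proxies


class BasicAuthFront(BaseHTTPRequestHandler):
    """Stand-in for the <Location /jira> block with 'Require valid-user'."""

    def do_GET(self):
        ok = self.headers.get("Authorization") == EXPECTED
        body = b"<Module/>" if ok else b""
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="Jira Basic Auth"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def fetch_status(url, headers):
    """GET url with the given headers and return the HTTP status."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_demo():
    """Return (status without credentials, status with the user's header)."""
    with HTTPServer(("127.0.0.1", 0), BasicAuthFront) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = f"http://127.0.0.1:{server.server_port}/jira/gadget.xml"  # hypothetical
        dos = {"X-shindig-dos": "on"}  # the only header the report says is sent
        try:
            return (fetch_status(url, dos),
                    fetch_status(url, {**dos, "Authorization": EXPECTED}))
        finally:
            server.shutdown()


if __name__ == "__main__":
    print(run_demo())
```

The first status is the proxy's refusal of the credential-less server-side fetch, the second is the same fetch once the caller's header is attached. If credentials are forwarded on server-side fetches, restrict that to URLs under the application's own base URL so they are never sent to third-party gadget hosts.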
- relates to
  - JRASERVER-43212 NullPointerException in JiraWebResourceIntegration#getBaseUrl - Closed
  - APDEX-198
- clones
  - JDEV-33044