Uploaded image for project: 'Jira Server and Data Center'
  1. Jira Server and Data Center
  2. JRASERVER-63795

The JIRA Base URL Healthcheck can fail in certain SSO/SAML scenarios despite the gadgets URL working correctly

    XMLWordPrintable

    Details

    • Feedback Policy:
      We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Description

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      Problem Definition

      The Base URL Health Check in JIRA makes an HTTP request to the base URL. However, in some scenarios, the request will get caught in a circular reference to itself due to redirects in the SSO and SAML configuration.

      The following appears in atlassian-jira.log:

      2017-01-02 14:15:57,020 SupportHealthCheckThread-4 ERROR ServiceRunner     [c.a.j.p.healthcheck.support.BaseUrlHealthCheck] An error occurred when performing the Base URL healthcheck: 
      org.apache.http.client.ClientProtocolException
      	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:186)
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
      	at com.atlassian.jira.plugins.healthcheck.support.BaseUrlHealthCheck.doCheck(BaseUrlHealthCheck.java:52)
      	at com.atlassian.jira.plugins.healthcheck.support.AbstractSupportHealthCheck.check(AbstractSupportHealthCheck.java:27)
      	at com.atlassian.support.healthcheck.impl.PluginSuppliedSupportHealthCheck.check(PluginSuppliedSupportHealthCheck.java:41)
      	at com.atlassian.support.healthcheck.thread.HealthCheckCallable.call(HealthCheckCallable.java:32)
      	at com.atlassian.support.healthcheck.thread.HealthCheckCallable.call(HealthCheckCallable.java:15)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: org.apache.http.client.CircularRedirectException: Circular redirect to 'base-url/jira'
      	at org.apache.http.impl.client.DefaultRedirectStrategy.getLocationURI(DefaultRedirectStrategy.java:176)
      	at org.apache.http.impl.client.DefaultRedirectStrategy.getRedirect(DefaultRedirectStrategy.java:220)
      	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:121)
      	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
      	... 12 more
      
      Environment:
      Diagnosis

      Performing a cURL to the base URL shows a redirect loop (extraneous headers stripped for clarity):

      % curl -I -L https://base-url/jira
      
      HTTP/1.1 302 Found
      Date: Mon, 09 Jan 2017 08:52:28 GMT
      Server: Apache
      Location: https://base-url/saml
      
      HTTP/1.1 302 Moved Temporarily
      Cache-Control: private
      Date: Mon, 09 Jan 2017 08:52:28 GMT
      Location: https://base-url/jira
      
      HTTP/1.1 302 Found
      Date: Mon, 09 Jan 2017 08:52:28 GMT
      Server: Apache
      Location: https://base-url/saml
      
      HTTP/1.1 302 Moved Temporarily
      Cache-Control: private
      Date: Mon, 09 Jan 2017 08:52:28 GMT
      Location: https://base-url/jira
      
      HTTP/1.1 302 Found
      Date: Mon, 09 Jan 2017 08:52:28 GMT
      Server: Apache
      Location: https://base-url/saml
      
      HTTP/1.1 302 Moved Temporarily
      Cache-Control: private
      Date: Mon, 09 Jan 2017 08:52:28 GMT
      Location: https://base-url/jira
      

      In the scenario this issue is derived from, the customer had whitelisted calls to the REST API to not go through the SAML/SSO configuration. This means that while gadgets worked correctly, the Health Check failed due to the circular reference.

      Suggested Solution

      Update the check to query the gadget spec URL instead of the base URL, and rename it appropriately.

      Alternatively for customers who are not able to make the modifications to exclude all requests from JIRA, it'd be great to either allow or just test an extra URL, either in addition to or instead of the current URL for testing which is the base URL.

      Being able to detect circular redirects or too many redirects would also be a really good improvement to this health check.

      Workaround

      For customers who do not wish to see or be alerted by the failing health check, you can take the following steps:

      1. Go to Manage Add-ons
      2. Select All add-ons and search for "Instance Health Plugin"
      3. Expand the plugin and then expand the modules
      4. Disable jira.healthcheck.baseurl.name

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              dnorton@atlassian.com Dave Norton
              Votes:
              17 Vote for this issue
              Watchers:
              24 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: