  1. Jira Data Center
  2. JRASERVER-63795

The JIRA Base URL Healthcheck can fail in certain SSO/SAML scenarios despite the gadgets URL working correctly


    Description

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      Problem Definition

      The Base URL Health Check in JIRA makes an HTTP request to the base URL. However, in some scenarios, the request will get caught in a circular reference to itself due to redirects in the SSO and SAML configuration.

      The following appears in atlassian-jira.log:

      2017-01-02 14:15:57,020 SupportHealthCheckThread-4 ERROR ServiceRunner     [c.a.j.p.healthcheck.support.BaseUrlHealthCheck] An error occurred when performing the Base URL healthcheck: 
      org.apache.http.client.ClientProtocolException
      	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:186)
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
      	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
      	at com.atlassian.jira.plugins.healthcheck.support.BaseUrlHealthCheck.doCheck(BaseUrlHealthCheck.java:52)
      	at com.atlassian.jira.plugins.healthcheck.support.AbstractSupportHealthCheck.check(AbstractSupportHealthCheck.java:27)
      	at com.atlassian.support.healthcheck.impl.PluginSuppliedSupportHealthCheck.check(PluginSuppliedSupportHealthCheck.java:41)
      	at com.atlassian.support.healthcheck.thread.HealthCheckCallable.call(HealthCheckCallable.java:32)
      	at com.atlassian.support.healthcheck.thread.HealthCheckCallable.call(HealthCheckCallable.java:15)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: org.apache.http.client.CircularRedirectException: Circular redirect to 'base-url/jira'
      	at org.apache.http.impl.client.DefaultRedirectStrategy.getLocationURI(DefaultRedirectStrategy.java:176)
      	at org.apache.http.impl.client.DefaultRedirectStrategy.getRedirect(DefaultRedirectStrategy.java:220)
      	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:121)
      	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
      	... 12 more
      
      Environment:
      Diagnosis

      Running curl against the base URL shows a redirect loop (extraneous headers stripped for clarity):

      % curl -I -L https://base-url/jira
      
      HTTP/1.1 302 Found
      Date: Mon, 09 Jan 2017 08:52:28 GMT
      Server: Apache
      Location: https://base-url/saml
      
      HTTP/1.1 302 Moved Temporarily
      Cache-Control: private
      Date: Mon, 09 Jan 2017 08:52:28 GMT
      Location: https://base-url/jira
      
      HTTP/1.1 302 Found
      Date: Mon, 09 Jan 2017 08:52:28 GMT
      Server: Apache
      Location: https://base-url/saml
      
      HTTP/1.1 302 Moved Temporarily
      Cache-Control: private
      Date: Mon, 09 Jan 2017 08:52:28 GMT
      Location: https://base-url/jira
      
      HTTP/1.1 302 Found
      Date: Mon, 09 Jan 2017 08:52:28 GMT
      Server: Apache
      Location: https://base-url/saml
      
      HTTP/1.1 302 Moved Temporarily
      Cache-Control: private
      Date: Mon, 09 Jan 2017 08:52:28 GMT
      Location: https://base-url/jira
      

      In the scenario this issue is derived from, the customer had whitelisted calls to the REST API to not go through the SAML/SSO configuration. This means that while gadgets worked correctly, the Health Check failed due to the circular reference.

      Suggested Solution

      Update the check to query the gadget spec URL instead of the base URL, and rename it appropriately.

      Alternatively, for customers who are not able to make the modifications to exclude all requests from JIRA, it would be great to either allow or just test an extra URL, in addition to or instead of the base URL that is currently tested.

      Being able to detect circular redirects or too many redirects would also be a really good improvement to this health check.
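
One way to express the redirect-loop and redirect-limit detection suggested above, run over saved `curl -I -L` output. This is an added example, not the health check's own code; the names `parse_hops` and `classify` and both sample responses are constructed for illustration, and URLs are compared as exact strings.

```python
import re
# Constructed sample: trimmed `curl -I -L` output modelled on the loop shown above.
LOOPING = """\
HTTP/1.1 302 Found
Location: https://base-url/saml

HTTP/1.1 302 Moved Temporarily
Location: https://base-url/jira

HTTP/1.1 302 Found
Location: https://base-url/saml
"""

# Constructed sample: a chain that ends on a normal response.
HEALTHY = """\
HTTP/1.1 302 Found
Location: https://base-url/jira/

HTTP/1.1 200 OK
"""

def parse_hops(curl_output):
    """Split `curl -I -L` output into (status, location) pairs, one per response."""
    hops = []
    for block in re.split(r"\r?\n\s*\r?\n", curl_output.strip()):
        m = re.match(r"HTTP/\S+\s+(\d{3})", block)
        if not m:
            continue  # not a response header block
        location = None
        for line in block.splitlines()[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "location":
                location = value.strip()
        hops.append((int(m.group(1)), location))
    return hops

def classify(start_url, hops, max_redirects=10):
    """Return (verdict, detail); verdict is ok, circular, too_many or incomplete."""
    visited = [start_url]
    for count, (status, location) in enumerate(hops, start=1):
        if not (300 <= status < 400 and location):
            return ("ok", f"final status {status} after {count - 1} redirect(s)")
        if location in visited:  # same rule that raises CircularRedirectException
            return ("circular", " -> ".join(visited + [location]))
        if count >= max_redirects:
            return ("too_many", f"gave up after {count} redirects")
        visited.append(location)
    return ("incomplete", "output ended on a redirect")
```

A health check that reports the `circular` verdict together with the hop chain tells the administrator which SSO/SAML rule bounces the request back, rather than surfacing only a `ClientProtocolException`.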

      Workaround

      For customers who do not wish to see or be alerted by the failing health check, you can take the following steps:

      1. Go to Manage Add-ons
      2. Select All add-ons and search for "Instance Health Plugin"
      3. Expand the plugin and then expand the modules
      4. Disable jira.healthcheck.baseurl.name

            People

              Unassigned Unassigned
              dnorton@atlassian.com Dave Norton