Type: Bug
Resolution: Won't Fix
Priority: Low
Affects Version/s: 9.12.13
Severity: 3 - Minor
Issue Summary
When using the SSO for Atlassian Data Center 4.2.31 plugin, if the default login form is disabled by unchecking the Show default login form checkbox, REST API calls that depend on one persistent session fail, because the session cookie is changed between requests.
One example is the sequence of REST API calls for setting a user avatar. This issue occurs even when the Allow basic authentication on API calls checkbox is enabled.
Steps to Reproduce
1.) Navigate to Administration > System > Authentication methods page.
2.) Edit the Username and password option.
3.) Uncheck Show default login form.
4.) Update a user avatar using these commands:
curl -c cookiejar.txt -X POST -u admin:admin -H "X-Atlassian-Token: no-check" \
  -H "Content-Type: image/png" --data-binary @mynewavatar.png \
  'http://localhost:8090/jira/rest/api/2/user/avatar/temporary?username=admin&filename=mynewavatar.png'

curl -b cookiejar.txt -X POST -u admin:admin -H "X-Atlassian-Token: no-check" \
  -H "Content-Type: application/json" --data '{"cropperWidth": "65","cropperOffsetX": "10","cropperOffsetY": "16"}' \
  -o tmpid.json \
  http://localhost:8090/jira/rest/api/2/user/avatar?username=admin

curl -b cookiejar.txt -X PUT -u admin:admin -H "X-Atlassian-Token: no-check" \
  -H "Content-Type: application/json" --data-binary @tmpid.json \
  http://localhost:8090/jira/rest/api/2/user/avatar?username=admin
Expected Results
REST API commands that require one persistent session are expected to succeed when the Allow basic authentication on API calls option is enabled.
Actual Results
The curl commands after the first one return the following error:
{'errorMessages': ['Uploading the avatar has failed. Please check that you are logged in and have sufficient permissions.'],'errors': {}}
An exception will be raised in the atlassian-jira.log file:
2024-12-19 13:36:55,752-0500 http-nio-8080-exec-4 ERROR admin 123x45678x1 abc1234 1.2.3.4,10.0.0.1 /rest/api/2/user/avatar [c.a.j.rest.exception.ExceptionInterceptor] Returning internal server error in response
java.lang.reflect.InvocationTargetException
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at com.atlassian.plugins.rest.common.interceptor.impl.DispatchProviderHelper$ResponseOutInvoker.lambda$_dispatch$0(DispatchProviderHelper.java:181)
    ... 4 filtered
    at com.atlassian.jira.rest.exception.ExceptionInterceptor.intercept(ExceptionInterceptor.java:55)
    ... 1 filtered
    at com.atlassian.jira.rest.v2.issue.scope.RequestScopeInterceptor.intercept(RequestScopeInterceptor.java:39)
    ... 15 filtered
    at com.atlassian.plugins.rest.module.RestDelegatingServletFilter$JerseyOsgiServletContainer.doFilter(RestDelegatingServletFilter.java:171)
    ... 1 filtered
    at com.atlassian.plugins.rest.module.RestDelegatingServletFilter.doFilter(RestDelegatingServletFilter.java:75)
    ... 36 filtered
    at com.atlassian.jira.plugin.mobile.web.filter.MobileAppRequestFilter.doFilter(MobileAppRequestFilter.java:59)
    ... 4 filtered
    at com.atlassian.jira.plugin.mobile.login.MobileLoginSuccessFilter.doFilter(MobileLoginSuccessFilter.java:54)
    ... 3 filtered
    at com.atlassian.diagnostics.internal.platform.monitor.http.HttpRequestMonitoringFilter.doFilter(HttpRequestMonitoringFilter.java:54)
    ... 8 filtered
    at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
    ... 43 filtered
    at com.atlassian.oauth2.scopes.web.ReadWriteScopeFilter.doFilter(ReadWriteScopeFilter.java:46)
    ... 3 filtered
    at com.atlassian.ratelimiting.internal.filter.RateLimitFilter.doFilter(RateLimitFilter.java:73)
    ... 3 filtered
    at com.atlassian.troubleshooting.thready.filter.AbstractThreadNamingFilter.doFilter(AbstractThreadNamingFilter.java:46)
    ... 17 filtered
    at com.atlassian.jira.security.JiraSecurityFilter.lambda$doFilter$0(JiraSecurityFilter.java:66)
    ... 1 filtered
    at com.atlassian.jira.security.JiraSecurityFilter.doFilter(JiraSecurityFilter.java:64)
    ... 16 filtered
    at com.atlassian.plugins.rest.module.servlet.RestSeraphFilter.doFilter(RestSeraphFilter.java:38)
    ... 3 filtered
    at com.atlassian.pats.web.filter.TokenBasedAuthenticationFilter.doFilter(TokenBasedAuthenticationFilter.java:82)
    ... 3 filtered
    at com.atlassian.oauth2.provider.core.web.AccessTokenFilter.doFilter(AccessTokenFilter.java:82)
    ... 19 filtered
    at com.atlassian.jira.servermetrics.CorrelationIdPopulatorFilter.doFilter(CorrelationIdPopulatorFilter.java:30)
    ... 5 filtered
    at com.atlassian.plugins.authentication.impl.web.filter.loginform.DisableNativeLoginAuthFilter.doFilterInternal(DisableNativeLoginAuthFilter.java:53)
    at com.atlassian.plugins.authentication.impl.web.filter.AbstractJohnsonAwareFilter.doFilter(AbstractJohnsonAwareFilter.java:29)
    ... 3 filtered
    at com.atlassian.plugins.authentication.impl.basicauth.filter.DisableBasicAuthFilter.doFilter(DisableBasicAuthFilter.java:74)
    ... 8 filtered
    at com.atlassian.ratelimiting.internal.filter.RateLimitPreAuthFilter.doFilter(RateLimitPreAuthFilter.java:71)
    ... 3 filtered
    at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
    ... 4 filtered
    at com.atlassian.troubleshooting.thready.filter.AbstractThreadNamingFilter.doFilter(AbstractThreadNamingFilter.java:46)
    ... 3 filtered
    at com.atlassian.web.servlet.plugin.LocationCleanerFilter.doFilter(LocationCleanerFilter.java:36)
    ... 26 filtered
    at com.atlassian.jira.servermetrics.MetricsCollectorFilter.doFilter(MetricsCollectorFilter.java:25)
    ... 25 filtered
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
    at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: com.atlassian.jira.rest.v2.issue.RESTException(Internal Server Error)
    at com.atlassian.jira.rest.v2.issue.AvatarResourceHelper.throwWebException(AvatarResourceHelper.java:445)
    at com.atlassian.jira.rest.v2.issue.AvatarResourceHelper.createAvatarFromTemporary(AvatarResourceHelper.java:217)
    at com.atlassian.jira.rest.v2.issue.UserResource.createAvatarFromTemporary(UserResource.java:1083)
    ... 291 more
Setting the following package to DEBUG on the Logging and profiling page writes messages to the atlassian-jira.log file that show the session being invalidated:
- com.atlassian.plugins.authentication.impl.basicauth.filter.DisableBasicAuthFilter
The two messages to look for are:
Session for Basic Authentication will be invalidated because login form is disabled
Invalidating session {} for HTTP request: {}
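As an added example (not part of this issue or of the plugin), a small triage script that scans atlassian-jira.log for the DisableBasicAuthFilter DEBUG message above and reports which users and REST paths had a Basic-auth session invalidated, together with the ExceptionInterceptor errors that follow. It assumes the DEBUG lines share the log prefix of the ERROR line quoted above; the sample log, the jenkins-bot user and the abbreviated logger names are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of atlassian-jira.log lines. The prefix layout (timestamp, thread, level,
# user, request id, session hash, client IPs, request path, [logger] message) follows the ERROR
# line quoted in this issue; that the DisableBasicAuthFilter DEBUG lines share it is an assumption.
SAMPLE_LOG = """\
2024-12-19 13:36:55,701-0500 http-nio-8080-exec-2 DEBUG admin 123x45678x1 abc1234 1.2.3.4,10.0.0.1 /rest/api/2/user/avatar/temporary [c.a.p.a.i.b.filter.DisableBasicAuthFilter] Session for Basic Authentication will be invalidated because login form is disabled
2024-12-19 13:36:55,702-0500 http-nio-8080-exec-2 DEBUG admin 123x45678x1 abc1234 1.2.3.4,10.0.0.1 /rest/api/2/user/avatar/temporary [c.a.p.a.i.b.filter.DisableBasicAuthFilter] Invalidating session <session-id> for HTTP request: /jira/rest/api/2/user/avatar/temporary
2024-12-19 13:36:55,740-0500 http-nio-8080-exec-4 DEBUG admin 123x45679x1 abc1234 1.2.3.4,10.0.0.1 /rest/api/2/user/avatar [c.a.p.a.i.b.filter.DisableBasicAuthFilter] Session for Basic Authentication will be invalidated because login form is disabled
2024-12-19 13:36:55,752-0500 http-nio-8080-exec-4 ERROR admin 123x45679x1 abc1234 1.2.3.4,10.0.0.1 /rest/api/2/user/avatar [c.a.j.rest.exception.ExceptionInterceptor] Returning internal server error in response
2024-12-19 13:37:10,003-0500 http-nio-8080-exec-7 DEBUG jenkins-bot 123x45680x1 def5678 10.0.0.7 /rest/api/2/search [c.a.p.a.i.b.filter.DisableBasicAuthFilter] Session for Basic Authentication will be invalidated because login form is disabled
2024-12-19 13:37:11,120-0500 http-nio-8080-exec-8 INFO  anonymous 123x45681x1 - 10.0.0.9 /login.jsp [c.a.j.web.action.JiraWebActionSupport] Rendering login page
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<thread>\S+) (?P<level>\w+)\s+(?P<user>\S+) (?P<reqid>\S+) "
    r"(?P<sess>\S+) (?P<ips>\S+) (?P<path>\S+) \[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
INVALIDATION_MSG = "Session for Basic Authentication will be invalidated because login form is disabled"

def parse_line(line):
    """Split one log line into its prefix fields; None if the line does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def basic_auth_invalidations(log_text):
    """Count DisableBasicAuthFilter invalidations per (user, path) and collect the REST
    internal-server-error lines that typically follow them in a multi-request flow."""
    invalidations, failures = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["logger"].endswith("DisableBasicAuthFilter") and rec["msg"].startswith(INVALIDATION_MSG):
            invalidations[(rec["user"], rec["path"])] += 1
        elif rec["level"] == "ERROR" and rec["logger"].endswith("ExceptionInterceptor") \
                and "internal server error" in rec["msg"]:
            failures.append((rec["user"], rec["path"]))
    return invalidations, failures

def affected_clients(log_text):
    """Map each user still sending Basic auth to the REST paths it hit, so those integrations
    can be inventoried and migrated (e.g. to personal access tokens) rather than disabling the feature."""
    by_user = defaultdict(set)
    for (user, path), _count in basic_auth_invalidations(log_text)[0].items():
        by_user[user].add(path)
    return {user: sorted(paths) for user, paths in by_user.items()}
```

Run it against a real log by reading the file into `affected_clients`; the second DEBUG message (Invalidating session ...) is intentionally not counted so each request is reported once.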
Workaround
To work around this, disable the session invalidation by setting the following system property to false:
com.atlassian.plugins.authentication.basic.auth.filter.invalidate.session
You can do this by adding it as a JVM argument in the setenv.sh file. For example:
JVM_SUPPORT_RECOMMENDED_ARGS="-Dcom.atlassian.plugins.authentication.basic.auth.filter.invalidate.session=false"
This workaround is considered insecure because it reverts a feature added in the SSO for Atlassian Data Center 4.2.31 plugin. That feature was added to prevent obtaining a persistent session via basic authentication, which would bypass additional security controls enforced by the identity provider or by two-step verification (2SV).