Issue type: Suggestion
Resolution: Unresolved
Component: REST API

      Problem Definition

      The user name does not appear in Tomcat "access logs" when the rate limit functionality is enabled and HTTP status code 429 is returned (i.e., the user has been rate limited).

      • Default "server.xml" access logs configuration:
                    <Valve className="org.apache.catalina.valves.AccessLogValve"
                            pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%{sanitized.query}r %H&quot; %s %b %D &quot;%{sanitized.referer}r&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
        
      • How the rate-limited entries appear in the "access logs" file:
        10.108.15.56 649x137x1 - [13/Sep/2022:10:49:01 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 6 "-" "curl/7.79.1" "-"
        10.108.15.56 649x138x1 - [13/Sep/2022:10:49:05 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 4 "-" "curl/7.79.1" "-"
        

      How to Replicate

      1. Create a new sample project.
      2. Enable rate limit.
      3. Access one Rest endpoint until you hit a limit.
        • e.g.
          curl -u <user:password> -X GET "<BASE_URL>/rest/api/2/issue/SCRUM1-1"
          <!doctype html><html lang="en"><head><title>HTTP Status 429 – Too Many Requests</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 429 – Too Many Requests</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> Rate limit exceeded.</p><p><b>Description</b> The user has sent too many requests in a given amount of time ("rate limiting").</p><hr class="line" /><h3>Apache Tomcat/8.5.78</h3></body></html>
          
      4. Verify Tomcat access logs (notice the user missing):
        10.108.15.56 649x137x1 - [13/Sep/2022:10:49:01 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 6 "-" "curl/7.79.1" "-"
        10.108.15.56 649x138x1 - [13/Sep/2022:10:49:05 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 4 "-" "curl/7.79.1" "-"
        

      Suggested Solution

      The Rate Limiter determines the specific user by the UserKey decoded from the HTTP request, so two suggestions are proposed when HTTP 429 happens:

      1. Have the username shown in "access logs".
      2. Add an entry on "atlassian-jira-security".

      Workaround

      Enabling DEBUG for the package "com.atlassian.ratelimiting.internal.requesthandler.logging" lets you see which user was blocked.

      This is what it looks like in "atlassian-jira.log":

      2022-09-23T07:43:31.791743500Z 2022-09-23 07:43:31,790+0000 http-nio-8080-exec-3 DEBUG anonymous 463x873x1 - 172.29.0.1 /rest/cb-automation/latest/configuration/property [c.a.r.i.requesthandler.logging.RateLimitedRequestLogger] User [JIRAUSER10000] has been rate limited for URL [http://jira82010:8080/jira/rest/cb-automation/latest/configuration/property], pre-auth
      

      "JIRAUSER10000" is the user key, which is mapped to the user name in the table "app_user".
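      The workaround leaves two files to correlate by hand. As an added example (not part of this issue or of Jira itself), the script below joins the 429 entries of the Tomcat access log with the RateLimitedRequestLogger DEBUG lines on the Jira request id (the value written by %{jira.request.id}r in the valve pattern and printed after the log level in atlassian-jira.log) and then resolves the user key through a stand-in for the "app_user" table. The sample log lines, the extra 200 entry, the request id with no matching DEBUG line and the key-to-name mapping are constructed for the example.

```python
import re

# Constructed sample lines modelled on the ones in the issue; the Jira request id
# (e.g. 649x137x1) appears in both files and is the join key. One 429 entry
# (649x139x1) deliberately has no DEBUG counterpart, as happens when DEBUG is off.
ACCESS_LOG = """\
10.108.15.56 649x136x1 admin [13/Sep/2022:10:48:59 +0000] "GET /rest/api/2/issue/SCRUM1-1 HTTP/1.1" 200 1325 41 "-" "curl/7.79.1" "-"
10.108.15.56 649x137x1 - [13/Sep/2022:10:49:01 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 6 "-" "curl/7.79.1" "-"
10.108.15.56 649x138x1 - [13/Sep/2022:10:49:05 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 4 "-" "curl/7.79.1" "-"
10.108.15.56 649x139x1 - [13/Sep/2022:10:49:09 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 4 "-" "curl/7.79.1" "-"
"""
JIRA_LOG = """\
2022-09-13 10:49:01,100+0000 http-nio-8080-exec-3 DEBUG anonymous 649x137x1 - 10.108.15.56 /rest/api/2/issue/SCRUM1-1 [c.a.r.i.requesthandler.logging.RateLimitedRequestLogger] User [JIRAUSER10000] has been rate limited for URL [http://jira:8080/rest/api/2/issue/SCRUM1-1], pre-auth
2022-09-13 10:49:05,200+0000 http-nio-8080-exec-5 DEBUG anonymous 649x138x1 - 10.108.15.56 /rest/api/2/issue/SCRUM1-1 [c.a.r.i.requesthandler.logging.RateLimitedRequestLogger] User [JIRAUSER10100] has been rate limited for URL [http://jira:8080/rest/api/2/issue/SCRUM1-1], pre-auth
"""
# Stand-in for "SELECT user_key, lower_user_name FROM app_user" (constructed values).
APP_USER = {"JIRAUSER10000": "admin", "JIRAUSER10100": "svc-automation"}

# Leading fields of the valve pattern on the page:
# %a %{jira.request.id}r %{jira.request.username}r %t "request line" %s ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) ')
# atlassian-jira.log: "... DEBUG <username> <request id> ... User [<user key>] has been rate limited"
RATE_LIMIT_RE = re.compile(
    r'DEBUG \S+ (?P<reqid>\d+x\d+x\d+) .*RateLimitedRequestLogger\] User \[(?P<userkey>[^\]]+)\]')


def rate_limited_user_keys(jira_log):
    """Map Jira request id -> user key from RateLimitedRequestLogger DEBUG lines."""
    keys = {}
    for line in jira_log.splitlines():
        m = RATE_LIMIT_RE.search(line)
        if m:
            keys[m.group("reqid")] = m.group("userkey")
    return keys


def enrich_429_entries(access_log, jira_log, app_user):
    """Return (request id, user key, user name) for every 429 entry whose
    username field is '-'; key and name are None when no DEBUG line matched."""
    keys = rate_limited_user_keys(jira_log)
    rows = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m.group("status") != "429" or m.group("user") != "-":
            continue
        key = keys.get(m.group("reqid"))
        rows.append((m.group("reqid"), key, app_user.get(key)))
    return rows
```

      Rows with a None user key are 429s that fired while the DEBUG logger was not enabled, so the username for those requests cannot be recovered after the fact.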

            [JSWSERVER-21512] Show the user name limited in access logs (HTTP 429)

            Mateus Gomes created issue -