- Type: Bug
- Resolution: Unresolved
- Priority: Low
- None
- 10.0.0, 10.3.2, 10.4.0
- 10
- Severity 3 - Minor
Issue Summary
OAuth configuration in Jira Bitbucket DVCS Plugin fails due to XSRF Protections
This is reproducible on Data Center: (yes)
Steps to Reproduce
- Navigate to Jira Administration → Applications → DVCS Accounts.
- On the DVCS Accounts page, click the [...] menu on the right of the desired git provider and choose the Reset OAuth Settings option from the drop-down.
- A screen shows the current credential details. Click Edit, enter the new key and secret, then click Regenerate Access Token.
- Jira attempts to send a `POST` request to `/rest/bitbucket/1.0/org/{id}/oauth` to store the OAuth credentials.
- The request fails with a 403 XSRF error, even when we try adding the header `X-Atlassian-Token: no-check`.
- After bypassing XSRF, the request fails with a 500 Internal Server Error due to `MessageBodyWriter not found for media type=application/xml`.
Expected Results
- OAuth credentials should be saved without XSRF blocking.
Actual Results
The request is blocked by XSRF protection, and once the XSRF check is bypassed it fails because of an XML serialization issue.
The below WARN is observed in `atlassian-jira.log`:
2025-01-29 08:33:49,515+0000 http-nio-8080-exec-14 url: /jira/rest/bitbucket/1.0/org/1/oauth; user: admin WARN admin 513x328x1 9szvo3 10.228.166.17,172.50.0.2 /rest/bitbucket/1.0/org/1/oauth [o.g.jersey.servlet.WebComponent] A servlet request to the URI https://linux-90985.prod.atl-cd.net/jira/rest/bitbucket/1.0/org/1/oauth contains form parameters in the request body but the request body has been consumed by the servlet or a servlet filter accessing the request parameters. Only resource methods using @FormParam will work as expected. Resource methods consuming the request body by other means will not work as expected.
2025-01-29 08:33:49,516+0000 http-nio-8080-exec-14 url: /jira/rest/bitbucket/1.0/org/1/oauth; user: admin WARN admin 513x328x1 9szvo3 10.228.166.17,172.50.0.2 /rest/bitbucket/1.0/org/1/oauth [c.a.p.r.v.security.xsrf.XsrfResourceFilter] XSRF checks failed for request: https://linux-90985.prod.atl-cd.net/jira/rest/bitbucket/1.0/org/1/oauth , origin: https://linux-90985.prod.atl-cd.net , referrer: https://linux-90985.prod.atl-cd.net/jira/secure/admin/ConfigureDvcsOrganizations.jspa
If the `X-Atlassian-Token: no-check` header is added to work around the XSRF check, the following error is observed when attempting to update the tokens:
2025-01-29 10:13:36,668+0000 http-nio-8080-exec-2 url: /jira/rest/bitbucket/1.0/org/1/oauth; user: admin ERROR admin 613x41x1 1ivopqr 10.228.166.17,172.50.0.2 /rest/bitbucket/1.0/org/1/oauth [o.g.j.message.internal.WriterInterceptorExecutor] MessageBodyWriter not found for media type=application/xml, type=class com.atlassian.jira.plugins.dvcs.model.Organization, genericType=class com.atlassian.jira.plugins.dvcs.model.Organization.
2025-01-29 10:13:36,670+0000 http-nio-8080-exec-2 url: /jira/rest/bitbucket/1.0/org/1/oauth; user: admin ERROR admin 613x41x1 1ivopqr 10.228.166.17,172.50.0.2 /rest/bitbucket/1.0/org/1/oauth [c.a.p.r.v2.exception.ThrowableExceptionMapper] Internal Server Error 695fb9cd-41b5-4ec1-ad3f-790b8d933278 in REST: 500: OutboundJaxrsResponse{status=500, reason=Internal Server Error, hasEntity=false, closed=false, buffered=false} javax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error at org.glassfish.jersey.server.internal.MappableExceptionWrapperInterceptor.aroundWriteTo(MappableExceptionWrapperInterceptor.java:65)
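The log excerpts above are the signal an administrator has to work with, so the following triage script is added here as an example (it is not part of this ticket or of the DVCS plugin). It parses the `atlassian-jira.log` line layout shown above, tags the three messages this ticket reports (the Jersey "request body has been consumed" warning, the `XsrfResourceFilter` rejection, and the missing `MessageBodyWriter`), and for each XSRF rejection checks whether the logged origin matches the request host. A same-origin rejection of an authenticated admin request is the client breakage described here; a rejection whose origin is a different host is the XSRF filter doing its job and should not be "fixed" with `no-check`. The sample lines are constructed from the ticket's format with placeholder hosts and addresses.

```python
import re
from urllib.parse import urlparse

# Layout of an atlassian-jira.log line as seen in this ticket:
# ts thread "url: <path>; user: <name>" LEVEL user reqid session ips path [logger] message
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{4}) "
    r"(?P<thread>\S+) url: (?P<url>[^;]+); user: (?P<user>\S+) "
    r"(?P<level>WARN|ERROR|INFO|DEBUG|FATAL) (?P<user2>\S+) (?P<reqid>\S+) (?P<session>\S+) "
    r"(?P<ips>\S+) (?P<path>\S+) \[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
# Shape of the XsrfResourceFilter message (note the spaces before the commas).
XSRF_RE = re.compile(
    r"XSRF checks failed for request: (?P<req>\S+) , origin: (?P<origin>\S+) , referrer: (?P<ref>\S+)"
)

# Constructed sample: same layout as the ticket, placeholder hosts/IPs (not real log data).
SAMPLE_LOG = """\
2025-01-29 08:33:49,515+0000 http-nio-8080-exec-14 url: /jira/rest/bitbucket/1.0/org/1/oauth; user: admin WARN admin 513x328x1 9szvo3 10.0.0.5,10.0.0.6 /rest/bitbucket/1.0/org/1/oauth [o.g.jersey.servlet.WebComponent] A servlet request to the URI https://jira.example.invalid/jira/rest/bitbucket/1.0/org/1/oauth contains form parameters in the request body but the request body has been consumed by the servlet or a servlet filter accessing the request parameters.
2025-01-29 08:33:49,516+0000 http-nio-8080-exec-14 url: /jira/rest/bitbucket/1.0/org/1/oauth; user: admin WARN admin 513x328x1 9szvo3 10.0.0.5,10.0.0.6 /rest/bitbucket/1.0/org/1/oauth [c.a.p.r.v.security.xsrf.XsrfResourceFilter] XSRF checks failed for request: https://jira.example.invalid/jira/rest/bitbucket/1.0/org/1/oauth , origin: https://jira.example.invalid , referrer: https://jira.example.invalid/jira/secure/admin/ConfigureDvcsOrganizations.jspa
2025-01-29 08:40:02,001+0000 http-nio-8080-exec-3 url: /jira/rest/api/2/issue; user: anonymous WARN anonymous 520x11x1 abc123 198.51.100.7 /rest/api/2/issue [c.a.p.r.v.security.xsrf.XsrfResourceFilter] XSRF checks failed for request: https://jira.example.invalid/jira/rest/api/2/issue , origin: https://third-party.example.invalid , referrer: https://third-party.example.invalid/page.html
2025-01-29 10:13:36,668+0000 http-nio-8080-exec-2 url: /jira/rest/bitbucket/1.0/org/1/oauth; user: admin ERROR admin 613x41x1 1ivopqr 10.0.0.5,10.0.0.6 /rest/bitbucket/1.0/org/1/oauth [o.g.j.message.internal.WriterInterceptorExecutor] MessageBodyWriter not found for media type=application/xml, type=class com.atlassian.jira.plugins.dvcs.model.Organization, genericType=class com.atlassian.jira.plugins.dvcs.model.Organization.
"""


def parse_line(line):
    """Split one atlassian-jira.log line into its fields; None if the layout differs."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Tag a parsed record with the failure it represents, or None if unrelated."""
    msg, logger = rec["msg"], rec["logger"]
    if logger.endswith("XsrfResourceFilter") and msg.startswith("XSRF checks failed"):
        x = XSRF_RE.search(msg)
        if not x:
            return {"kind": "xsrf_rejected", "same_origin": None}
        same = urlparse(x["req"]).netloc == urlparse(x["origin"]).netloc
        return {"kind": "xsrf_rejected", "same_origin": same, "origin": x["origin"]}
    if "request body has been consumed" in msg:
        # Jersey warns that a filter already read the form body; only @FormParam methods still work.
        return {"kind": "body_consumed"}
    if "MessageBodyWriter not found" in msg:
        mt = re.search(r"media type=([^,\s]+)", msg)
        return {"kind": "missing_body_writer", "media_type": mt.group(1) if mt else None}
    return None


def analyse(log_text):
    """Return one finding per relevant line, carrying timestamp, user, path and level."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        tag = classify(rec)
        if tag:
            tag.update(ts=rec["ts"], user=rec["user"], path=rec["path"], level=rec["level"])
            findings.append(tag)
    return findings


def same_origin_xsrf_rejections(findings):
    """Rejections where Origin equals the request host: client breakage like this ticket."""
    return [f for f in findings if f["kind"] == "xsrf_rejected" and f.get("same_origin")]


def cross_origin_xsrf_rejections(findings):
    """Rejections from a different origin: the XSRF filter working as intended."""
    return [f for f in findings if f["kind"] == "xsrf_rejected" and f.get("same_origin") is False]


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["ts"], f["level"], f["user"], f["path"], f["kind"],
              "" if "same_origin" not in f else f"same_origin={f['same_origin']}")
```

Run it against a real `atlassian-jira.log` by passing the file contents to `analyse()`; the split between same-origin and cross-origin rejections tells you whether an `XsrfResourceFilter` entry belongs to this bug or to a request the filter should be blocking.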
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.