• Type: Bug
    • Resolution: Unresolved
    • Priority: Medium
    • None
    • 4.2.28, 4.3.8
    • SSO
    • None

      Issue Summary

      SSO for Atlassian Data Center 4.3.6/4.2.27 added extra security validations. Under some conditions, a Jira administrator may enable the enable-authentication-fallback parameter (as described in Bypass SAML authentication for Jira Data Center [Jira]) but still be unable to log in.

      Steps to Reproduce

      1. Create a Data Center cluster (2+ nodes) with SSO for Atlassian Data Center 4.3.6+ or 4.2.27+.
      2. Log in to Node 1 and configure an SSO provider (SAML/OIDC).
      3. Disable the default product login form (username and password).
      4. Log out of Node 1.
      5. Send a PATCH HTTP request to <node-2-hostname>/rest/authconfig/1.0/sso, setting the enable-authentication-fallback parameter to true.
      6. Attempt to log in to Node 1 using <node-1-hostname>/login.jsp?auth_fallback.

      Expected Results

      The product default login page displays when using the "auth_fallback" parameter. An admin can successfully log in after submitting the form with valid credentials.

      Actual Results

      The product default login page displays when using the "auth_fallback" parameter. After submitting the form with valid credentials, the user is sent to <node-1-hostname>/login.jsp with the following unformatted response body:

      <warning>
      	<message>
      		Login form has been disabled on this instance.
      	</message>
      </warning>

      Logs

      When trace logs for SSO for Atlassian Data Center are enabled, the following relevant data is recorded in the application logs:

      On login form page load
      2024-05-06 00:00:00,000+0000 http-nio-8080-exec-1 TRACE anonymous 1x1x1 abcdef 0.0.0.0 /login.jsp [c.a.p.a.i.w.filter.authentication.AuthenticationFilter] Not attempting external authentication, native login is the only option
      
      On login form submission
      2024-05-06 00:00:10,000+0000 http-nio-8080-exec-2 TRACE anonymous 2x2x2 abcdef 0.0.0.0 /login.jsp [c.a.p.a.i.basicauth.filter.DisableBasicAuthFilter] Allowing HTTP request: /login.jsp
      2024-05-06 00:00:10,000+0000 http-nio-8080-exec-2 TRACE anonymous 2x2x2 abcdef 0.0.0.0 /login.jsp [c.a.p.a.i.w.filter.loginform.DisableNativeLoginAuthFilter] Blocking HTTP request - Native Login is not allowed: /login.jsp
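
      As an added example (not part of this issue or of the SSO plugin), the following Python script correlates the two trace lines above by session id, flagging logins that were served the fallback form on page load and then rejected by DisableNativeLoginAuthFilter on submission: the symptom a support engineer would look for on each node before deciding on the rolling restart. It assumes Jira's default log field order (timestamp, thread, level, user, request id, session id, client IP, URL, logger, message); the sample lines are constructed from those quoted above, plus one plain block of a direct /login.jsp hit that must not be flagged.

```python
import re

# Constructed sample modelled on the trace lines quoted in the issue (not a real capture).
SAMPLE_LOG = """\
2024-05-06 00:00:00,000+0000 http-nio-8080-exec-1 TRACE anonymous 1x1x1 abcdef 0.0.0.0 /login.jsp [c.a.p.a.i.w.filter.authentication.AuthenticationFilter] Not attempting external authentication, native login is the only option
2024-05-06 00:00:10,000+0000 http-nio-8080-exec-2 TRACE anonymous 2x2x2 abcdef 0.0.0.0 /login.jsp [c.a.p.a.i.basicauth.filter.DisableBasicAuthFilter] Allowing HTTP request: /login.jsp
2024-05-06 00:00:10,000+0000 http-nio-8080-exec-2 TRACE anonymous 2x2x2 abcdef 0.0.0.0 /login.jsp [c.a.p.a.i.w.filter.loginform.DisableNativeLoginAuthFilter] Blocking HTTP request - Native Login is not allowed: /login.jsp
2024-05-06 00:01:00,000+0000 http-nio-8080-exec-3 TRACE anonymous 3x3x3 ghijkl 0.0.0.0 /login.jsp [c.a.p.a.i.w.filter.loginform.DisableNativeLoginAuthFilter] Blocking HTTP request - Native Login is not allowed: /login.jsp
"""

# Field order assumed from Jira's default log pattern: timestamp, thread, level, user,
# request id, session id, client IP, URL, [logger], message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<thread>\S+) (?P<level>\S+) (?P<user>\S+) "
    r"(?P<request_id>\S+) (?P<session_id>\S+) (?P<ip>\S+) (?P<url>\S+) "
    r"\[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
FALLBACK_ACCEPTED = "native login is the only option"   # AuthenticationFilter honoured auth_fallback
NATIVE_BLOCKED = "Native Login is not allowed"           # DisableNativeLoginAuthFilter rejected the submit

def parse_line(line):
    """Parse one log line into a dict of named fields; None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def find_blocked_fallback_logins(log_text):
    """One finding per session that was served the fallback form and then had its
    submission blocked: the symptom of a node still using stale SSO configuration."""
    accepted = {}   # session_id -> timestamp at which the fallback form was served
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["logger"].endswith("AuthenticationFilter") and FALLBACK_ACCEPTED in rec["msg"]:
            accepted[rec["session_id"]] = rec["ts"]
        elif rec["logger"].endswith("DisableNativeLoginAuthFilter") and NATIVE_BLOCKED in rec["msg"]:
            sid = rec["session_id"]
            if sid not in accepted:
                continue    # plain block of a direct /login.jsp hit, not the fallback symptom
            findings.append({"session_id": sid, "form_served_at": accepted.pop(sid),
                             "blocked_at": rec["ts"], "request_id": rec["request_id"]})
    return findings

if __name__ == "__main__":
    for f in find_blocked_fallback_logins(SAMPLE_LOG):
        print(f"session {f['session_id']}: fallback form served at {f['form_served_at']}, "
              f"submission blocked at {f['blocked_at']} (request {f['request_id']})")
```

      Run it against each node's atlassian-jira.log after the PATCH request: a node that keeps producing findings is one whose cached configuration has not picked up the change.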
      

      Workaround

      After sending the PATCH REST API request, perform a rolling restart to flush the configuration cache.

            [SAMLDC-154] Login filter doesn't use a cluster-safe configuration

            Rostyslav Shurukhin (Inactive) made changes -
            Status Original: Short Term Backlog [ 12074 ] New: In Progress [ 3 ]
            Rostyslav Shurukhin (Inactive) made changes -
            Assignee New: Rostyslav Shurukhin [ e5b980069724 ]
            Benjamin S made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 924024 ]
            Benjamin S made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 921279 ]
            Benjamin S made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 917274 ]
            aanastasov made changes -
            Priority Original: High [ 2 ] New: Medium [ 3 ]
            aanastasov made changes -
            Remote Link Original: This issue links to "AAUTH-816 (Bulldog)" [ 904927 ] New: This issue links to "AAUTH-816 (JIRA Server (Bulldog))" [ 904927 ]
            aanastasov made changes -
            Development Effort New: M [ 13032 ]
            Priority Original: Medium [ 3 ] New: High [ 2 ]
            Status Original: Needs Triage [ 10030 ] New: Short Term Backlog [ 12074 ]
            aanastasov made changes -
            Remote Link New: This issue links to "AAUTH-816 (Bulldog)" [ 904927 ]
            Benjamin S made changes -
            Priority Original: Low [ 4 ] New: Medium [ 3 ]
