-
Bug
-
Resolution: Unresolved
-
High
-
None
-
9.2.6, 8.5.24
-
None
-
Severity 2 - Major
-
Summary
Authentication fails for users who are not part of an admin group if there is a group with Confluence Administrator and/or System Administrator Global Permissions that no longer exists in the instance (scenario described on CONFSERVER-81515 and Deleted Groups shown as "Group not found" in Global Permissions and Space Permissions.
Version info
- Confluence 9.2.6 LTS
Description
Issue Summary
Users can't authenticate if there is any deleted group with administrative rights at Global Permissions.
Steps to Reproduce
- Deploy a Confluence 9.2.6.
- Configure SSO/SAML integration in Confluence (optional).
- Configure an external directory in Confluence and synchronize groups.
- Add such groups to Confluence's Global Permission and grant them admin permissions.
- Remove the external directory from Confluence.
- Reindex the instance and confirm that these groups will still be listed in the Global Permission menu with a Not found message below them.
- Try to authenticate with a user that is not a member of the confluence-administrator group.
Expected Results
Users not in an administrative group should be able to authenticate.
Actual Results
Users not in an administrative group are unable to authenticate. During user authorization, the following errors show up in the log files.
2025-07-15 14:33:56,816 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,817 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[com.atlassian.confluence.security.DefaultPermissionManager.isSystemAdministrator]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly (Session #428955982) -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60de 2025-07-15 14:33:56,819 ERROR [http-nio-8090-exec-3] [[Standalone].[localhost].[/].[default]] log Servlet.service() for servlet [default] in context with path [] threw exception 2025-07-15 14:33:56,844 INFO [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] writeToLog \nRequest Unique ID : f47a9370-66fc-466c-b576-174f7fd899db\n--------------------------\nJVM Stats\n--------------------------\nxmx = 1073741824\nusedNonHeap = 553765912\navailableHeap = 191931960\navailableNonHeap = -1\nallocatedHeap = 1073741824\nfreeAllocatedHeap = 191931960\nmaxNonHeap = -1\navailablePermGen = 0\nmaxPermGen = -1\nmaxHeap = 1073741824\nusedHeap = 881809864\nusedPermGen = -1\nxms = 1073741824\n--------------------------\nRequest Information\n--------------------------\nURL: https://example.org/500page.jsp\nScheme: https\nServer: example.org\nPort: 443\nURI: /500page.jsp\nContext Path: \nServlet Path: /500page.jsp\nPath Info: null\nQuery String: _=1752604434491\n--------------------------\nAttributes\n--------------------------\njavax.servlet.forward.request_uri: /synchrony/heartbeat\njavax.servlet.forward.context_path: \njavax.servlet.forward.servlet_path: /synchrony/heartbeat\njavax.servlet.forward.query_string: _=1752604434491\njavax.servlet.forward.mapping: org.apache.catalina.core.ApplicationMapping$MappingImpl@5f718c27\norg.apache.catalina.AccessLog.RemoteAddr: 10.120.10.1\n__prepare_recursion_counter: 1\njavax.servlet.error.status_code: 500\nstruts.actionMapping: noActionMapping\nbrave.SpanCustomizer: SpanCustomizer(RealSpan(b7fcde203d7c60de/b7fcde203d7c60de))\norg.apache.struts2.dispatcher.filter.StrutsPrepareFilter.REQUEST_EXCLUDED_FROM_ACTION_MAPPING: false\ncom.opensymphony.sitemesh.APPLIED_ONCE: true\n__wrap_recursion_counter: 1\ncom.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter_already_filtered: true\natlassian.core.seraph.original.url: /500page.jsp?_=1752604434491\norg.apache.catalina.AccessLog.Protocol: HTTP/1.0\ncom.atlassian.gzipfilter.GzipFilter_already_filtered: true\n3af_annotated_permitted_checker: com.atlassian.confluence.impl.security.access.NoCheckAnnotatedPermitChecker@7927cfb2\ncom.atlassian.seraph.auth.LoginReason: OK\nsitemesh.secondaryStorageLimit: -1\norg.apache.catalina.AccessLog.ServerPort: 443\njavax.servlet.error.message: \njavax.servlet.error.servlet_name: default\norg.apache.tomcat.request.forwarded: true\nbrave.propagation.TraceContext: b7fcde203d7c60de/b7fcde203d7c60de\nbrave.servlet.TracingFilter$SendHandled: true\norg.apache.tomcat.remoteAddr: 10.120.10.1\nconfluence.secure.access.original.url: /synchrony/heartbeat?_=1752604434491\norg.apache.catalina.AccessLog.ServerName: example.org\nB3-TraceId: 3be2ae44984994\nloginfilter.already.filtered: true\njavax.servlet.error.request_uri: /synchrony/heartbeat\ncom.atlassian.core.filters.HeaderSanitisingFilter_already_filtered: true\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter: true\norg.apache.catalina.AccessLog.RemoteHost: 10.120.10.1\njavax.servlet.error.exception: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nos_securityfilter_already_filtered: true\ncom.atlassian.confluence.impl.sitemesh.DecoratorTimings: com.atlassian.confluence.impl.sitemesh.DecoratorTimings@57ad0745\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter: true\n--------------------------\nParameters\n--------------------------\n_ : 1752604434491\ncaused by: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nat org.springframework.transaction.support.AbstractPlatformTransactionManager.processRollback(AbstractPlatformTransactionManager.java:938)\n | traceId: b7fcde203d7c60de 2025-07-15 14:33:56,845 ERROR [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] logException Unhandled exception, request unique ID: f47a9370-66fc-466c-b576-174f7fd899db -- traceId: b7fcde203d7c60deorg.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only... 2025-07-15 14:33:56,856 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,878 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,880 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,883 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,900 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,903 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,907 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,913 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[null]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #436763889) -- traceId: b7fcde203d7c60de 2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.sitemesh.ConfluenceSitemeshDecorator] render TransactionException prevented transaction from committing whilst rendering the decorator, the cause is likely a previously logged exception: Transaction rolled back because it has been marked as rollback-only\nCause: -- traceId: b7fcde203d7c60de
That's associated with the following situation on Global Permissions:
Workaround
Workaround 1: Remove all admin permissions for all 'not found' groups.
Workaround 2: Use the web UI to remove the 'not found' group records from the Global Permissions menu.
Workaround 3: Delete the faulty groups from the database:
- Stop your instance.
- Make a full database backup,
- On the database, run the following query to get the records for the deleted group:
SELECT * FROM spacepermissions WHERE permgroupname not in (Select group_name from cwd_group);
- Delete these records after verification:
DELETE FROM spacepermissions WHERE permgroupname not in (Select group_name from cwd_group);
- Start your instance and check if the users can authenticate.
- relates to
-
CONFSERVER-81515 Delete Group Permissions( for the groups deleted from external user directory) from Global/Space Permission pages
- Gathering Interest
Description |
Original:
h2. Summary
Authentication fails for users who are not part of an admin group if there is a group with Confluence Administrator and/or System Administrator Global Permissions that no longer exists in the instance (scenario described on [CONFSERVER-81515|https://jira.atlassian.com/browse/CONFSERVER-81515] and [Deleted Groups shown as "Group not found" in Global Permissions and Space Permissions.|https://support.atlassian.com/confluence/kb/deleted-groups-shown-as-group-not-found-in-global-permissions-and-space-permissions/] h2. Version info * Confluence 9.2.6 LTS h2. Description h3. Issue Summary Users can't authenticate if there is any deleted group with administrative rights at Global Permissions. h3. Steps to Reproduce # {color:#172b4d}Deploy a Confluence 9.2.6.{color} # {color:#172b4d}Configure SSO/SAML integration in Confluence (optional).{color} # {color:#172b4d}Configure an external directory in Confluence and synchronize groups.{color} # {color:#172b4d}Add such groups to Confluence's Global Permission and grant them admin permissions.{color} # {color:#172b4d}Remove the external directory from Confluence.{color} # {color:#172b4d}Reindex the instance and confirm that these groups will still be listed in the Global Permission menu with a _Not found_ message below them.{color} # {color:#172b4d}Try to authenticate with a user that is not a member of the _confluence-administrator_ group.{color} h3. Expected Results Users not in an administrative group should be able to authenticate. h3. Actual Results Users not in an administrative group are unable to authenticate. During user authorization, the following errors show up in the log files. {code:java} 2025-07-15 14:33:56,816 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,817 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[com.atlassian.confluence.security.DefaultPermissionManager.isSystemAdministrator]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly (Session #428955982) -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60de 2025-07-15 14:33:56,819 ERROR [http-nio-8090-exec-3] [[Standalone].[localhost].[/].[default]] log Servlet.service() for servlet [default] in context with path [] threw exception 2025-07-15 14:33:56,844 INFO [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] writeToLog \nRequest Unique ID : f47a9370-66fc-466c-b576-174f7fd899db\n--------------------------\nJVM Stats\n--------------------------\nxmx = 1073741824\nusedNonHeap = 553765912\navailableHeap = 191931960\navailableNonHeap = -1\nallocatedHeap = 1073741824\nfreeAllocatedHeap = 191931960\nmaxNonHeap = -1\navailablePermGen = 0\nmaxPermGen = -1\nmaxHeap = 1073741824\nusedHeap = 881809864\nusedPermGen = -1\nxms = 1073741824\n--------------------------\nRequest Information\n--------------------------\nURL: https://example.org/500page.jsp\nScheme: https\nServer: example.org\nPort: 443\nURI: /500page.jsp\nContext Path: \nServlet Path: /500page.jsp\nPath Info: null\nQuery String: _=1752604434491\n--------------------------\nAttributes\n--------------------------\njavax.servlet.forward.request_uri: /synchrony/heartbeat\njavax.servlet.forward.context_path: \njavax.servlet.forward.servlet_path: /synchrony/heartbeat\njavax.servlet.forward.query_string: _=1752604434491\njavax.servlet.forward.mapping: org.apache.catalina.core.ApplicationMapping$MappingImpl@5f718c27\norg.apache.catalina.AccessLog.RemoteAddr: 10.120.10.1\n__prepare_recursion_counter: 1\njavax.servlet.error.status_code: 500\nstruts.actionMapping: noActionMapping\nbrave.SpanCustomizer: SpanCustomizer(RealSpan(b7fcde203d7c60de/b7fcde203d7c60de))\norg.apache.struts2.dispatcher.filter.StrutsPrepareFilter.REQUEST_EXCLUDED_FROM_ACTION_MAPPING: false\ncom.opensymphony.sitemesh.APPLIED_ONCE: true\n__wrap_recursion_counter: 1\ncom.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter_already_filtered: true\natlassian.core.seraph.original.url: /500page.jsp?_=1752604434491\norg.apache.catalina.AccessLog.Protocol: HTTP/1.0\ncom.atlassian.gzipfilter.GzipFilter_already_filtered: true\n3af_annotated_permitted_checker: com.atlassian.confluence.impl.security.access.NoCheckAnnotatedPermitChecker@7927cfb2\ncom.atlassian.seraph.auth.LoginReason: OK\nsitemesh.secondaryStorageLimit: -1\norg.apache.catalina.AccessLog.ServerPort: 443\njavax.servlet.error.message: \njavax.servlet.error.servlet_name: default\norg.apache.tomcat.request.forwarded: true\nbrave.propagation.TraceContext: b7fcde203d7c60de/b7fcde203d7c60de\nbrave.servlet.TracingFilter$SendHandled: true\norg.apache.tomcat.remoteAddr: 10.120.10.1\nconfluence.secure.access.original.url: /synchrony/heartbeat?_=1752604434491\norg.apache.catalina.AccessLog.ServerName: example.org\nB3-TraceId: 3be2ae44984994\nloginfilter.already.filtered: true\njavax.servlet.error.request_uri: /synchrony/heartbeat\ncom.atlassian.core.filters.HeaderSanitisingFilter_already_filtered: true\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter: true\norg.apache.catalina.AccessLog.RemoteHost: 10.120.10.1\njavax.servlet.error.exception: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nos_securityfilter_already_filtered: true\ncom.atlassian.confluence.impl.sitemesh.DecoratorTimings: com.atlassian.confluence.impl.sitemesh.DecoratorTimings@57ad0745\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter: true\n--------------------------\nParameters\n--------------------------\n_ : 1752604434491\ncaused by: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nat org.springframework.transaction.support.AbstractPlatformTransactionManager.processRollback(AbstractPlatformTransactionManager.java:938)\n | traceId: b7fcde203d7c60de 2025-07-15 14:33:56,845 ERROR [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] logException Unhandled exception, request unique ID: f47a9370-66fc-466c-b576-174f7fd899db -- traceId: b7fcde203d7c60deorg.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only... 2025-07-15 14:33:56,856 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,878 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,880 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,883 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,900 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,903 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,907 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,913 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[null]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #436763889) -- traceId: b7fcde203d7c60de 2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.sitemesh.ConfluenceSitemeshDecorator] render TransactionException prevented transaction from committing whilst rendering the decorator, the cause is likely a previously logged exception: Transaction rolled back because it has been marked as rollback-only\nCause: -- traceId: b7fcde203d7c60de {code} That's associated with the following situation on Global Permissions: !image-2025-07-17-17-04-17-703.png|width=988,height=274! h3. Workaround *Workaround 1:* Remove all admin permissions for all 'not found' groups. *Workaround 2:* Use the web UI to remove the 'not found' group records from the Global Permissions menu. *Workaround 3:* Delete the faulty groups from the database: # Stop your instance. # Make a full database backup, # On the database, run the following query to get the records for the deleted group: {code:sql} SELECT * FROM spacepermissions WHERE permgroupname not in (Select group_name from cwd_group); {code} # Delete these records after verification: {code:sql} DELETE FROM spacepermissions WHERE permgroupname not in (Select group_name from cwd_group);{code} # Start your instance and check if the users can authenticate. |
New:
h2. Summary
Authentication fails for users who are not part of an admin group if there is a group with Confluence Administrator and/or System Administrator Global Permissions that no longer exists in the instance (scenario described on [CONFSERVER-81515|https://jira.atlassian.com/browse/CONFSERVER-81515] and [Deleted Groups shown as "Group not found" in Global Permissions and Space Permissions.|https://support.atlassian.com/confluence/kb/deleted-groups-shown-as-group-not-found-in-global-permissions-and-space-permissions/] h2. Version info * Confluence 9.2.6 LTS h2. Description h3. Issue Summary Users can't authenticate if there is any deleted group with administrative rights at Global Permissions. h3. Steps to Reproduce # {color:#172b4d}Deploy a Confluence 9.2.6.{color} # {color:#172b4d}Configure SSO/SAML integration in Confluence (optional).{color} # {color:#172b4d}Configure an external directory in Confluence and synchronize groups.{color} # {color:#172b4d}Add such groups to Confluence's Global Permission and grant them admin permissions.{color} # {color:#172b4d}Remove the external directory from Confluence.{color} # {color:#172b4d}Reindex the instance and confirm that these groups will still be listed in the Global Permission menu with a _Not found_ message below them.{color} # {color:#172b4d}Try to authenticate with a user that is not a member of the _confluence-administrator_ group.{color} h3. Expected Results Users not in an administrative group should be able to authenticate. h3. Actual Results Users not in an administrative group are unable to authenticate. During user authorization, the following errors show up in the log files. {code:java} 2025-07-15 14:33:56,816 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,817 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[com.atlassian.confluence.security.DefaultPermissionManager.isSystemAdministrator]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly (Session #428955982) -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60de 2025-07-15 14:33:56,819 ERROR [http-nio-8090-exec-3] [[Standalone].[localhost].[/].[default]] log Servlet.service() for servlet [default] in context with path [] threw exception 2025-07-15 14:33:56,844 INFO [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] writeToLog \nRequest Unique ID : f47a9370-66fc-466c-b576-174f7fd899db\n--------------------------\nJVM Stats\n--------------------------\nxmx = 1073741824\nusedNonHeap = 553765912\navailableHeap = 191931960\navailableNonHeap = -1\nallocatedHeap = 1073741824\nfreeAllocatedHeap = 191931960\nmaxNonHeap = -1\navailablePermGen = 0\nmaxPermGen = -1\nmaxHeap = 1073741824\nusedHeap = 881809864\nusedPermGen = -1\nxms = 1073741824\n--------------------------\nRequest Information\n--------------------------\nURL: https://example.org/500page.jsp\nScheme: https\nServer: example.org\nPort: 443\nURI: /500page.jsp\nContext Path: \nServlet Path: /500page.jsp\nPath Info: null\nQuery String: _=1752604434491\n--------------------------\nAttributes\n--------------------------\njavax.servlet.forward.request_uri: /synchrony/heartbeat\njavax.servlet.forward.context_path: \njavax.servlet.forward.servlet_path: /synchrony/heartbeat\njavax.servlet.forward.query_string: _=1752604434491\njavax.servlet.forward.mapping: org.apache.catalina.core.ApplicationMapping$MappingImpl@5f718c27\norg.apache.catalina.AccessLog.RemoteAddr: 10.120.10.1\n__prepare_recursion_counter: 1\njavax.servlet.error.status_code: 500\nstruts.actionMapping: noActionMapping\nbrave.SpanCustomizer: SpanCustomizer(RealSpan(b7fcde203d7c60de/b7fcde203d7c60de))\norg.apache.struts2.dispatcher.filter.StrutsPrepareFilter.REQUEST_EXCLUDED_FROM_ACTION_MAPPING: false\ncom.opensymphony.sitemesh.APPLIED_ONCE: true\n__wrap_recursion_counter: 1\ncom.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter_already_filtered: true\natlassian.core.seraph.original.url: /500page.jsp?_=1752604434491\norg.apache.catalina.AccessLog.Protocol: HTTP/1.0\ncom.atlassian.gzipfilter.GzipFilter_already_filtered: true\n3af_annotated_permitted_checker: com.atlassian.confluence.impl.security.access.NoCheckAnnotatedPermitChecker@7927cfb2\ncom.atlassian.seraph.auth.LoginReason: OK\nsitemesh.secondaryStorageLimit: -1\norg.apache.catalina.AccessLog.ServerPort: 443\njavax.servlet.error.message: \njavax.servlet.error.servlet_name: default\norg.apache.tomcat.request.forwarded: true\nbrave.propagation.TraceContext: b7fcde203d7c60de/b7fcde203d7c60de\nbrave.servlet.TracingFilter$SendHandled: true\norg.apache.tomcat.remoteAddr: 10.120.10.1\nconfluence.secure.access.original.url: /synchrony/heartbeat?_=1752604434491\norg.apache.catalina.AccessLog.ServerName: example.org\nB3-TraceId: 3be2ae44984994\nloginfilter.already.filtered: true\njavax.servlet.error.request_uri: /synchrony/heartbeat\ncom.atlassian.core.filters.HeaderSanitisingFilter_already_filtered: true\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter: true\norg.apache.catalina.AccessLog.RemoteHost: 10.120.10.1\njavax.servlet.error.exception: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nos_securityfilter_already_filtered: true\ncom.atlassian.confluence.impl.sitemesh.DecoratorTimings: com.atlassian.confluence.impl.sitemesh.DecoratorTimings@57ad0745\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter: true\n--------------------------\nParameters\n--------------------------\n_ : 1752604434491\ncaused by: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nat org.springframework.transaction.support.AbstractPlatformTransactionManager.processRollback(AbstractPlatformTransactionManager.java:938)\n | traceId: b7fcde203d7c60de 2025-07-15 14:33:56,845 ERROR [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] logException Unhandled exception, request unique ID: f47a9370-66fc-466c-b576-174f7fd899db -- traceId: b7fcde203d7c60deorg.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only... 2025-07-15 14:33:56,856 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,878 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,880 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,883 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,900 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,903 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,907 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,913 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[null]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #436763889) -- traceId: b7fcde203d7c60de 2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.sitemesh.ConfluenceSitemeshDecorator] render TransactionException prevented transaction from committing whilst rendering the decorator, the cause is likely a previously logged exception: Transaction rolled back because it has been marked as rollback-only\nCause: -- traceId: b7fcde203d7c60de {code} That's associated with the following situation on Global Permissions: !image-2025-07-17-17-04-17-703.png|width=988,height=274! h3. Workaround *Workaround 1:* Remove all admin permissions for all 'not found' groups. *Workaround 2:* Use the web UI to remove the 'not found' group records from the Global Permissions menu. *Workaround 3:* Delete the faulty groups from the database: # Stop your instance. # Make a full database backup, # On the database, run the following query to get the records for the deleted group: {code:sql} SELECT * FROM spacepermissions WHERE permgroupname not in (Select group_name from cwd_group); {code} # Delete these records after verification: {code:sql} DELETE FROM spacepermissions WHERE permgroupname not in (Select group_name from cwd_group);{code} # Start your instance and check if the users can authenticate. |
Link | New: This issue relates to CONFSERVER-81515 [ CONFSERVER-81515 ] |
Affects Version/s | Original: 8.5.21 [ 112195 ] | |
Affects Version/s | New: 8.5.24 [ 113025 ] |
Affects Version/s | New: 8.5.21 [ 112195 ] |
Description |
Original:
h2. Summary
Authentication fails for users who are not part of an admin group if there is a group with Confluence Administrator and/or System Administrator Global Permissions that no longer exists in the instance (scenario described on [CONFSERVER-81515|https://jira.atlassian.com/browse/CONFSERVER-81515] and [Deleted Groups shown as "Group not found" in Global Permissions and Space Permissions.|https://support.atlassian.com/confluence/kb/deleted-groups-shown-as-group-not-found-in-global-permissions-and-space-permissions/] h2. Version info * Confluence 9.2.6 LTS h2. Description h3. Issue Summary Users can't authenticate if there is any deleted group with administrative rights at Global Permissions. h3. Steps to Reproduce # {color:#172b4d}Deploy a Confluence 9.2.6.{color} # {color:#172b4d}Configure SSO/SAML integration in Confluence (optional).{color} # {color:#172b4d}Configure an external directory in Confluence and synchronize groups.{color} # {color:#172b4d}Add such groups to Confluence's Global Permission and grant them admin permissions.{color} # {color:#172b4d}Remove the external directory from Confluence.{color} # {color:#172b4d}Reindex the instance and confirm that these groups will still be listed in the Global Permission menu with a _Not found_ message below them.{color} # {color:#172b4d}Try to authenticate with a user that is not a member of the _confluence-administrator_ group.{color} h3. Expected Results Users not in an administrative group should be able to authenticate. h3. Actual Results Users not in an administrative group are unable to authenticate. During user authorization, the following errors show up in the log files. {code:java} 2025-07-15 14:33:56,816 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,817 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[com.atlassian.confluence.security.DefaultPermissionManager.isSystemAdministrator]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly (Session #428955982) -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60de 2025-07-15 14:33:56,819 ERROR [http-nio-8090-exec-3] [[Standalone].[localhost].[/].[default]] log Servlet.service() for servlet [default] in context with path [] threw exception 2025-07-15 14:33:56,844 INFO [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] writeToLog \nRequest Unique ID : f47a9370-66fc-466c-b576-174f7fd899db\n--------------------------\nJVM Stats\n--------------------------\nxmx = 1073741824\nusedNonHeap = 553765912\navailableHeap = 191931960\navailableNonHeap = -1\nallocatedHeap = 1073741824\nfreeAllocatedHeap = 191931960\nmaxNonHeap = -1\navailablePermGen = 0\nmaxPermGen = -1\nmaxHeap = 1073741824\nusedHeap = 881809864\nusedPermGen = -1\nxms = 1073741824\n--------------------------\nRequest Information\n--------------------------\nURL: https://example.org/500page.jsp\nScheme: https\nServer: example.org\nPort: 443\nURI: /500page.jsp\nContext Path: \nServlet Path: /500page.jsp\nPath Info: null\nQuery String: _=1752604434491\n--------------------------\nAttributes\n--------------------------\njavax.servlet.forward.request_uri: /synchrony/heartbeat\njavax.servlet.forward.context_path: \njavax.servlet.forward.servlet_path: /synchrony/heartbeat\njavax.servlet.forward.query_string: _=1752604434491\njavax.servlet.forward.mapping: org.apache.catalina.core.ApplicationMapping$MappingImpl@5f718c27\norg.apache.catalina.AccessLog.RemoteAddr: 10.120.10.1\n__prepare_recursion_counter: 1\njavax.servlet.error.status_code: 500\nstruts.actionMapping: noActionMapping\nbrave.SpanCustomizer: SpanCustomizer(RealSpan(b7fcde203d7c60de/b7fcde203d7c60de))\norg.apache.struts2.dispatcher.filter.StrutsPrepareFilter.REQUEST_EXCLUDED_FROM_ACTION_MAPPING: false\ncom.opensymphony.sitemesh.APPLIED_ONCE: true\n__wrap_recursion_counter: 1\ncom.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter_already_filtered: true\natlassian.core.seraph.original.url: /500page.jsp?_=1752604434491\norg.apache.catalina.AccessLog.Protocol: HTTP/1.0\ncom.atlassian.gzipfilter.GzipFilter_already_filtered: true\n3af_annotated_permitted_checker: com.atlassian.confluence.impl.security.access.NoCheckAnnotatedPermitChecker@7927cfb2\ncom.atlassian.seraph.auth.LoginReason: OK\nsitemesh.secondaryStorageLimit: -1\norg.apache.catalina.AccessLog.ServerPort: 443\njavax.servlet.error.message: \njavax.servlet.error.servlet_name: default\norg.apache.tomcat.request.forwarded: true\nbrave.propagation.TraceContext: b7fcde203d7c60de/b7fcde203d7c60de\nbrave.servlet.TracingFilter$SendHandled: true\norg.apache.tomcat.remoteAddr: 10.120.10.1\nconfluence.secure.access.original.url: /synchrony/heartbeat?_=1752604434491\norg.apache.catalina.AccessLog.ServerName: example.org\nB3-TraceId: 3be2ae44984994\nloginfilter.already.filtered: true\njavax.servlet.error.request_uri: /synchrony/heartbeat\ncom.atlassian.core.filters.HeaderSanitisingFilter_already_filtered: true\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter: true\norg.apache.catalina.AccessLog.RemoteHost: 10.120.10.1\njavax.servlet.error.exception: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nos_securityfilter_already_filtered: true\ncom.atlassian.confluence.impl.sitemesh.DecoratorTimings: com.atlassian.confluence.impl.sitemesh.DecoratorTimings@57ad0745\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter: true\n--------------------------\nParameters\n--------------------------\n_ : 1752604434491\ncaused by: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nat org.springframework.transaction.support.AbstractPlatformTransactionManager.processRollback(AbstractPlatformTransactionManager.java:938)\n | traceId: b7fcde203d7c60de 2025-07-15 14:33:56,845 ERROR [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] logException Unhandled exception, request unique ID: f47a9370-66fc-466c-b576-174f7fd899db -- traceId: b7fcde203d7c60deorg.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only... 2025-07-15 14:33:56,856 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,878 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,880 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,883 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,900 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,903 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,907 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,913 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[null]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #436763889) -- traceId: b7fcde203d7c60de 2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.sitemesh.ConfluenceSitemeshDecorator] render TransactionException prevented transaction from committing whilst rendering the decorator, the cause is likely a previously logged exception: Transaction rolled back because it has been marked as rollback-only\nCause: -- traceId: b7fcde203d7c60de {code} That's associated with the following situation on Global Permissions: !image-2025-07-17-15-39-27-446.png|width=624,height=173! h3. Workaround *Workaround 1:* Remove all admin permissions for all 'not found' groups. *Workaround 2:* Use the web UI to remove the 'not found' group records from the Global Permissions menu. *Workaround 3:* Delete the faulty groups from the database: # Stop your instance. # Make a full database backup, # On the database, run the following query to get the records for the deleted group: {code:sql} SELECT * FROM spacepermissions WHERE permgroupname not in (Select group_name from cwd_group); {code} # Delete these records after verification: {code:sql} DELETE FROM spacepermissions WHERE permgroupname not in (Select group_name from cwd_group);{code} # Start your instance and check if the users can authenticate. |
New:
h2. Summary
Authentication fails for users who are not part of an admin group if there is a group with Confluence Administrator and/or System Administrator Global Permissions that no longer exists in the instance (scenario described on [CONFSERVER-81515|https://jira.atlassian.com/browse/CONFSERVER-81515] and [Deleted Groups shown as "Group not found" in Global Permissions and Space Permissions.|https://support.atlassian.com/confluence/kb/deleted-groups-shown-as-group-not-found-in-global-permissions-and-space-permissions/] h2. Version info * Confluence 9.2.6 LTS h2. Description h3. Issue Summary Users can't authenticate if there is any deleted group with administrative rights at Global Permissions. h3. Steps to Reproduce # {color:#172b4d}Deploy a Confluence 9.2.6.{color} # {color:#172b4d}Configure SSO/SAML integration in Confluence (optional).{color} # {color:#172b4d}Configure an external directory in Confluence and synchronize groups.{color} # {color:#172b4d}Add such groups to Confluence's Global Permission and grant them admin permissions.{color} # {color:#172b4d}Remove the external directory from Confluence.{color} # {color:#172b4d}Reindex the instance and confirm that these groups will still be listed in the Global Permission menu with a _Not found_ message below them.{color} # {color:#172b4d}Try to authenticate with a user that is not a member of the _confluence-administrator_ group.{color} h3. Expected Results Users not in an administrative group should be able to authenticate. h3. Actual Results Users not in an administrative group are unable to authenticate. During user authorization, the following errors show up in the log files. {code:java} 2025-07-15 14:33:56,816 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,817 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[com.atlassian.confluence.security.DefaultPermissionManager.isSystemAdministrator]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly (Session #428955982) -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60de 2025-07-15 14:33:56,819 ERROR [http-nio-8090-exec-3] [[Standalone].[localhost].[/].[default]] log Servlet.service() for servlet [default] in context with path [] threw exception 2025-07-15 14:33:56,844 INFO [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] writeToLog \nRequest Unique ID : f47a9370-66fc-466c-b576-174f7fd899db\n--------------------------\nJVM Stats\n--------------------------\nxmx = 1073741824\nusedNonHeap = 553765912\navailableHeap = 191931960\navailableNonHeap = -1\nallocatedHeap = 1073741824\nfreeAllocatedHeap = 191931960\nmaxNonHeap = -1\navailablePermGen = 0\nmaxPermGen = -1\nmaxHeap = 1073741824\nusedHeap = 881809864\nusedPermGen = -1\nxms = 1073741824\n--------------------------\nRequest Information\n--------------------------\nURL: https://example.org/500page.jsp\nScheme: https\nServer: example.org\nPort: 443\nURI: /500page.jsp\nContext Path: \nServlet Path: /500page.jsp\nPath Info: null\nQuery String: _=1752604434491\n--------------------------\nAttributes\n--------------------------\njavax.servlet.forward.request_uri: /synchrony/heartbeat\njavax.servlet.forward.context_path: \njavax.servlet.forward.servlet_path: /synchrony/heartbeat\njavax.servlet.forward.query_string: _=1752604434491\njavax.servlet.forward.mapping: org.apache.catalina.core.ApplicationMapping$MappingImpl@5f718c27\norg.apache.catalina.AccessLog.RemoteAddr: 10.120.10.1\n__prepare_recursion_counter: 1\njavax.servlet.error.status_code: 500\nstruts.actionMapping: noActionMapping\nbrave.SpanCustomizer: SpanCustomizer(RealSpan(b7fcde203d7c60de/b7fcde203d7c60de))\norg.apache.struts2.dispatcher.filter.StrutsPrepareFilter.REQUEST_EXCLUDED_FROM_ACTION_MAPPING: false\ncom.opensymphony.sitemesh.APPLIED_ONCE: true\n__wrap_recursion_counter: 1\ncom.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter_already_filtered: true\natlassian.core.seraph.original.url: /500page.jsp?_=1752604434491\norg.apache.catalina.AccessLog.Protocol: HTTP/1.0\ncom.atlassian.gzipfilter.GzipFilter_already_filtered: true\n3af_annotated_permitted_checker: com.atlassian.confluence.impl.security.access.NoCheckAnnotatedPermitChecker@7927cfb2\ncom.atlassian.seraph.auth.LoginReason: OK\nsitemesh.secondaryStorageLimit: -1\norg.apache.catalina.AccessLog.ServerPort: 443\njavax.servlet.error.message: \njavax.servlet.error.servlet_name: default\norg.apache.tomcat.request.forwarded: true\nbrave.propagation.TraceContext: b7fcde203d7c60de/b7fcde203d7c60de\nbrave.servlet.TracingFilter$SendHandled: true\norg.apache.tomcat.remoteAddr: 10.120.10.1\nconfluence.secure.access.original.url: /synchrony/heartbeat?_=1752604434491\norg.apache.catalina.AccessLog.ServerName: example.org\nB3-TraceId: 3be2ae44984994\nloginfilter.already.filtered: true\njavax.servlet.error.request_uri: /synchrony/heartbeat\ncom.atlassian.core.filters.HeaderSanitisingFilter_already_filtered: true\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter: true\norg.apache.catalina.AccessLog.RemoteHost: 10.120.10.1\njavax.servlet.error.exception: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nos_securityfilter_already_filtered: true\ncom.atlassian.confluence.impl.sitemesh.DecoratorTimings: com.atlassian.confluence.impl.sitemesh.DecoratorTimings@57ad0745\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter: true\n--------------------------\nParameters\n--------------------------\n_ : 1752604434491\ncaused by: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nat org.springframework.transaction.support.AbstractPlatformTransactionManager.processRollback(AbstractPlatformTransactionManager.java:938)\n | traceId: b7fcde203d7c60de 2025-07-15 14:33:56,845 ERROR [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] logException Unhandled exception, request unique ID: f47a9370-66fc-466c-b576-174f7fd899db -- traceId: b7fcde203d7c60deorg.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only... 2025-07-15 14:33:56,856 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,878 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,880 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,883 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,900 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,903 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,907 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,913 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[null]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #436763889) -- traceId: b7fcde203d7c60de 2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.sitemesh.ConfluenceSitemeshDecorator] render TransactionException prevented transaction from committing whilst rendering the decorator, the cause is likely a previously logged exception: Transaction rolled back because it has been marked as rollback-only\nCause: -- traceId: b7fcde203d7c60de {code} That's associated with the following situation on Global Permissions: !image-2025-07-17-17-04-17-703.png|width=988,height=274! h3. Workaround *Workaround 1:* Remove all admin permissions for all 'not found' groups. *Workaround 2:* Use the web UI to remove the 'not found' group records from the Global Permissions menu. *Workaround 3:* Delete the faulty groups from the database: # Stop your instance. # Make a full database backup, # On the database, run the following query to get the records for the deleted group: {code:sql} SELECT * FROM spacepermissions WHERE permgroupname not in (Select group_name from cwd_group); {code} # Delete these records after verification: {code:sql} DELETE FROM spacepermissions WHERE permgroupname not in (Select group_name from cwd_group);{code} # Start your instance and check if the users can authenticate. |
Attachment | New: image-2025-07-17-17-04-17-703.png [ 506196 ] |
Description |
Original:
h2. Summary
Authentication fails for users who are not part of an admin group if there is a group with Confluence Administrator and/or System Administrator Global Permissions that no longer exists in the instance (scenario described on [CONFSERVER-81515|https://jira.atlassian.com/browse/CONFSERVER-81515] and [Deleted Groups shown as "Group not found" in Global Permissions and Space Permissions.|https://support.atlassian.com/confluence/kb/deleted-groups-shown-as-group-not-found-in-global-permissions-and-space-permissions/] h2. Version info * Confluence 9.2.6 LTS h2. Description h3. Issue Summary Users can't authenticate if there is any deleted group with administrative rights at Global Permissions. h3. Steps to Reproduce # {color:#172b4d}Deploy a Confluence 9.2.6.{color} # {color:#172b4d}Configure SSO/SAML integration in Confluence (optional).{color} # {color:#172b4d}Configure an external directory in Confluence and synchronize groups.{color} # {color:#172b4d}Add such groups to Confluence's Global Permission and grant them admin permissions.{color} # {color:#172b4d}Remove the external directory from Confluence.{color} # {color:#172b4d}Reindex the instance and confirm that these groups will still be listed in the Global Permission menu with a _Not found_ message below them.{color} # {color:#172b4d}Try to authenticate with a user that is not a member of the _confluence-administrator_ group.{color} h3. Expected Results Users not in an administrative group should be able to authenticate. h3. Actual Results Users not in an administrative group are unable to authenticate. During user authorization, the following errors show up in the log files. {code:java} 2025-07-15 14:33:56,816 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,817 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[com.atlassian.confluence.security.DefaultPermissionManager.isSystemAdministrator]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly (Session #428955982) -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60de 2025-07-15 14:33:56,819 ERROR [http-nio-8090-exec-3] [[Standalone].[localhost].[/].[default]] log Servlet.service() for servlet [default] in context with path [] threw exception 2025-07-15 14:33:56,844 INFO [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] writeToLog \nRequest Unique ID : f47a9370-66fc-466c-b576-174f7fd899db\n--------------------------\nJVM Stats\n--------------------------\nxmx = 1073741824\nusedNonHeap = 553765912\navailableHeap = 191931960\navailableNonHeap = -1\nallocatedHeap = 1073741824\nfreeAllocatedHeap = 191931960\nmaxNonHeap = -1\navailablePermGen = 0\nmaxPermGen = -1\nmaxHeap = 1073741824\nusedHeap = 881809864\nusedPermGen = -1\nxms = 1073741824\n--------------------------\nRequest Information\n--------------------------\nURL: https://example.org/500page.jsp\nScheme: https\nServer: example.org\nPort: 443\nURI: /500page.jsp\nContext Path: \nServlet Path: /500page.jsp\nPath Info: null\nQuery String: _=1752604434491\n--------------------------\nAttributes\n--------------------------\njavax.servlet.forward.request_uri: /synchrony/heartbeat\njavax.servlet.forward.context_path: \njavax.servlet.forward.servlet_path: /synchrony/heartbeat\njavax.servlet.forward.query_string: _=1752604434491\njavax.servlet.forward.mapping: org.apache.catalina.core.ApplicationMapping$MappingImpl@5f718c27\norg.apache.catalina.AccessLog.RemoteAddr: 10.120.10.1\n__prepare_recursion_counter: 1\njavax.servlet.error.status_code: 500\nstruts.actionMapping: noActionMapping\nbrave.SpanCustomizer: SpanCustomizer(RealSpan(b7fcde203d7c60de/b7fcde203d7c60de))\norg.apache.struts2.dispatcher.filter.StrutsPrepareFilter.REQUEST_EXCLUDED_FROM_ACTION_MAPPING: false\ncom.opensymphony.sitemesh.APPLIED_ONCE: true\n__wrap_recursion_counter: 1\ncom.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter_already_filtered: true\natlassian.core.seraph.original.url: /500page.jsp?_=1752604434491\norg.apache.catalina.AccessLog.Protocol: HTTP/1.0\ncom.atlassian.gzipfilter.GzipFilter_already_filtered: true\n3af_annotated_permitted_checker: com.atlassian.confluence.impl.security.access.NoCheckAnnotatedPermitChecker@7927cfb2\ncom.atlassian.seraph.auth.LoginReason: OK\nsitemesh.secondaryStorageLimit: -1\norg.apache.catalina.AccessLog.ServerPort: 443\njavax.servlet.error.message: \njavax.servlet.error.servlet_name: default\norg.apache.tomcat.request.forwarded: true\nbrave.propagation.TraceContext: b7fcde203d7c60de/b7fcde203d7c60de\nbrave.servlet.TracingFilter$SendHandled: true\norg.apache.tomcat.remoteAddr: 10.120.10.1\nconfluence.secure.access.original.url: /synchrony/heartbeat?_=1752604434491\norg.apache.catalina.AccessLog.ServerName: example.org\nB3-TraceId: 3be2ae44984994\nloginfilter.already.filtered: true\njavax.servlet.error.request_uri: /synchrony/heartbeat\ncom.atlassian.core.filters.HeaderSanitisingFilter_already_filtered: true\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter: true\norg.apache.catalina.AccessLog.RemoteHost: 10.120.10.1\njavax.servlet.error.exception: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nos_securityfilter_already_filtered: true\ncom.atlassian.confluence.impl.sitemesh.DecoratorTimings: com.atlassian.confluence.impl.sitemesh.DecoratorTimings@57ad0745\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter: true\n--------------------------\nParameters\n--------------------------\n_ : 1752604434491\ncaused by: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nat org.springframework.transaction.support.AbstractPlatformTransactionManager.processRollback(AbstractPlatformTransactionManager.java:938)\n | traceId: b7fcde203d7c60de 2025-07-15 14:33:56,845 ERROR [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] logException Unhandled exception, request unique ID: f47a9370-66fc-466c-b576-174f7fd899db -- traceId: b7fcde203d7c60deorg.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only... 2025-07-15 14:33:56,856 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,878 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,880 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,883 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,900 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,903 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,907 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,913 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[null]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #436763889) -- traceId: b7fcde203d7c60de 2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.sitemesh.ConfluenceSitemeshDecorator] render TransactionException prevented transaction from committing whilst rendering the decorator, the cause is likely a previously logged exception: Transaction rolled back because it has been marked as rollback-only\nCause: -- traceId: b7fcde203d7c60de {code} That's associated with the following situation on Global Permissions: !image-2025-07-17-15-39-27-446.png|width=624,height=173! h3. Workaround *Workaround 1:* Remove all admin permissions for all 'not found' groups. *Workaround 2:* Use the web UI to remove the 'not found' group records from the Global Permissions menu. *Workaround 3:* Delete the faulty groups from the database: # Stop your instance. # Make a full database backup, # On the database, run the following query to get the records for the deleted group: {code:sql} SELECT * FROM spacepermissions WHERE permgroupname not in (Select group_name from cwd_group); {code} # Delete these records after verification: {code:sql} DELETE FROM spacepermissions WHERE permgroupname not in (Select group_name from cwd_group);{code} # Start your instance and check if the users can authenticate. |
New:
h2. Summary
Authentication fails for users who are not part of an admin group if there is a group with Confluence Administrator and/or System Administrator Global Permissions that no longer exists in the instance (scenario described on [CONFSERVER-81515|https://jira.atlassian.com/browse/CONFSERVER-81515] and [Deleted Groups shown as "Group not found" in Global Permissions and Space Permissions.|https://support.atlassian.com/confluence/kb/deleted-groups-shown-as-group-not-found-in-global-permissions-and-space-permissions/] h2. Version info * Confluence 9.2.6 LTS h2. Description h3. Issue Summary Users can't authenticate if there is any deleted group with administrative rights at Global Permissions. h3. Steps to Reproduce # {color:#172b4d}Deploy a Confluence 9.2.6.{color} # {color:#172b4d}Configure SSO/SAML integration in Confluence (optional).{color} # {color:#172b4d}Configure an external directory in Confluence and synchronize groups.{color} # {color:#172b4d}Add such groups to Confluence's Global Permission and grant them admin permissions.{color} # {color:#172b4d}Remove the external directory from Confluence.{color} # {color:#172b4d}Reindex the instance and confirm that these groups will still be listed in the Global Permission menu with a _Not found_ message below them.{color} # {color:#172b4d}Try to authenticate with a user that is not a member of the _confluence-administrator_ group.{color} h3. Expected Results Users not in an administrative group should be able to authenticate. h3. Actual Results Users not in an administrative group are unable to authenticate. During user authorization, the following errors show up in the log files. {code:java} 2025-07-15 14:33:56,816 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,817 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[com.atlassian.confluence.security.DefaultPermissionManager.isSystemAdministrator]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT,readOnly (Session #428955982) -- url: /synchrony/heartbeat | referer: https://example.org/spaces/SSO/pages/162594822/Any+page | traceId: b7fcde203d7c60de 2025-07-15 14:33:56,819 ERROR [http-nio-8090-exec-3] [[Standalone].[localhost].[/].[default]] log Servlet.service() for servlet [default] in context with path [] threw exception 2025-07-15 14:33:56,844 INFO [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] writeToLog \nRequest Unique ID : f47a9370-66fc-466c-b576-174f7fd899db\n--------------------------\nJVM Stats\n--------------------------\nxmx = 1073741824\nusedNonHeap = 553765912\navailableHeap = 191931960\navailableNonHeap = -1\nallocatedHeap = 1073741824\nfreeAllocatedHeap = 191931960\nmaxNonHeap = -1\navailablePermGen = 0\nmaxPermGen = -1\nmaxHeap = 1073741824\nusedHeap = 881809864\nusedPermGen = -1\nxms = 1073741824\n--------------------------\nRequest Information\n--------------------------\nURL: https://example.org/500page.jsp\nScheme: https\nServer: example.org\nPort: 443\nURI: /500page.jsp\nContext Path: \nServlet Path: /500page.jsp\nPath Info: null\nQuery String: _=1752604434491\n--------------------------\nAttributes\n--------------------------\njavax.servlet.forward.request_uri: /synchrony/heartbeat\njavax.servlet.forward.context_path: \njavax.servlet.forward.servlet_path: /synchrony/heartbeat\njavax.servlet.forward.query_string: _=1752604434491\njavax.servlet.forward.mapping: org.apache.catalina.core.ApplicationMapping$MappingImpl@5f718c27\norg.apache.catalina.AccessLog.RemoteAddr: 10.120.10.1\n__prepare_recursion_counter: 1\njavax.servlet.error.status_code: 500\nstruts.actionMapping: noActionMapping\nbrave.SpanCustomizer: SpanCustomizer(RealSpan(b7fcde203d7c60de/b7fcde203d7c60de))\norg.apache.struts2.dispatcher.filter.StrutsPrepareFilter.REQUEST_EXCLUDED_FROM_ACTION_MAPPING: false\ncom.opensymphony.sitemesh.APPLIED_ONCE: true\n__wrap_recursion_counter: 1\ncom.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter_already_filtered: true\natlassian.core.seraph.original.url: /500page.jsp?_=1752604434491\norg.apache.catalina.AccessLog.Protocol: HTTP/1.0\ncom.atlassian.gzipfilter.GzipFilter_already_filtered: true\n3af_annotated_permitted_checker: com.atlassian.confluence.impl.security.access.NoCheckAnnotatedPermitChecker@7927cfb2\ncom.atlassian.seraph.auth.LoginReason: OK\nsitemesh.secondaryStorageLimit: -1\norg.apache.catalina.AccessLog.ServerPort: 443\njavax.servlet.error.message: \njavax.servlet.error.servlet_name: default\norg.apache.tomcat.request.forwarded: true\nbrave.propagation.TraceContext: b7fcde203d7c60de/b7fcde203d7c60de\nbrave.servlet.TracingFilter$SendHandled: true\norg.apache.tomcat.remoteAddr: 10.120.10.1\nconfluence.secure.access.original.url: /synchrony/heartbeat?_=1752604434491\norg.apache.catalina.AccessLog.ServerName: example.org\nB3-TraceId: 3be2ae44984994\nloginfilter.already.filtered: true\njavax.servlet.error.request_uri: /synchrony/heartbeat\ncom.atlassian.core.filters.HeaderSanitisingFilter_already_filtered: true\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter: true\norg.apache.catalina.AccessLog.RemoteHost: 10.120.10.1\njavax.servlet.error.exception: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nos_securityfilter_already_filtered: true\ncom.atlassian.confluence.impl.sitemesh.DecoratorTimings: com.atlassian.confluence.impl.sitemesh.DecoratorTimings@57ad0745\ncom.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter: true\n--------------------------\nParameters\n--------------------------\n_ : 1752604434491\ncaused by: org.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only\nat org.springframework.transaction.support.AbstractPlatformTransactionManager.processRollback(AbstractPlatformTransactionManager.java:938)\n | traceId: b7fcde203d7c60de 2025-07-15 14:33:56,845 ERROR [http-nio-8090-exec-3] [atlassian.confluence.status.SystemErrorInformationLogger] logException Unhandled exception, request unique ID: f47a9370-66fc-466c-b576-174f7fd899db -- traceId: b7fcde203d7c60deorg.springframework.transaction.UnexpectedRollbackException: Transaction rolled back because it has been marked as rollback-only... 2025-07-15 14:33:56,856 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,878 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,880 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,883 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,900 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,903 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,907 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,913 ERROR [http-nio-8090-exec-3] [confluence.impl.security.AbstractSpacePermissionManager] checkPermissionNoExemptions Error checking permission (). Denying access. -- traceId: b7fcde203d7c60dejava.lang.NullPointerException: Cannot invoke "com.atlassian.crowd.embedded.api.Group.getName()" because "group" is null ... 2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:\n ->[null]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #436763889) -- traceId: b7fcde203d7c60de 2025-07-15 14:33:56,983 WARN [http-nio-8090-exec-3] [confluence.impl.sitemesh.ConfluenceSitemeshDecorator] render TransactionException prevented transaction from committing whilst rendering the decorator, the cause is likely a previously logged exception: Transaction rolled back because it has been marked as rollback-only\nCause: -- traceId: b7fcde203d7c60de {code} That's associated with the following situation on Global Permissions: !image-2025-07-17-15-39-27-446.png|width=624,height=173! h3. Workaround *Workaround 1:* Remove all admin permissions for all 'not found' groups. *Workaround 2:* Use the web UI to remove the 'not found' group records from the Global Permissions menu. *Workaround 3:* Delete the faulty groups from the database: # Stop your instance. # Make a full database backup, # On the database, run the following query to get the records for the deleted group: {code:sql} SELECT * FROM spacepermissions WHERE permgroupname not in (Select group_name from cwd_group); {code} # Delete these records after verification: {code:sql} DELETE FROM spacepermissions WHERE permgroupname not in (Select group_name from cwd_group);{code} # Start your instance and check if the users can authenticate. |