chauth / confluence_http_authenticator

The new home of the Confluence HTTP Authenticator (formerly known as the Confluence Shibboleth Authenticator)

Login failed with Confluence 5.x #4

Closed bananastalktome closed 11 years ago

bananastalktome commented 11 years ago

Using version 2.1.16 with Confluence 4.3.5 works fine, however when I tried upgrading to 5.0 (and also to 5.0.1) and attempted to log in through Shibboleth I get an 'Oops - an error has occurred' page, and am not logged in. I get the following in the Confluence logs:

2013-03-04 11:14:12,113 ERROR [TP-Processor3] [EXAMPLE.COM].[/].[action]] log Servlet.service() for servlet action threw exception
java.lang.IllegalAccessError: tried to access method com.atlassian.confluence.event.events.security.SecurityEvent.<init>(Ljava/lang/Object;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)V from class shibauth.confluence.authentication.shibboleth.RemoteUserAuthenticator
    at shibauth.confluence.authentication.shibboleth.RemoteUserAuthenticator.loginSuccessful(RemoteUserAuthenticator.java:843)
    at shibauth.confluence.authentication.shibboleth.RemoteUserAuthenticator.getUser(RemoteUserAuthenticator.java:1027)
    at com.atlassian.seraph.filter.SecurityFilter.doFilter(SecurityFilter.java:125)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.confluence.web.filter.ThreadLocalCacheFilter.doFilter(ThreadLocalCacheFilter.java:22)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:98)
    at com.atlassian.confluence.util.AbstractBootstrapHotSwappingFilter.doFilter(AbstractBootstrapHotSwappingFilter.java:30)
    at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.seraph.filter.BaseLoginFilter.doFilter(BaseLoginFilter.java:150)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
    at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
    at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:55)
    at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
    at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
    at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
    at com.atlassian.prettyurls.filter.PrettyUrlsCombinedMatchDispatcherFilter.doFilter(PrettyUrlsCombinedMatchDispatcherFilter.java:61)
    at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
    at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
    at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77)
    at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.confluence.util.ClusterHeaderFilter.doFilter(ClusterHeaderFilter.java:37)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.johnson.filters.AbstractJohnsonFilter.doFilter(AbstractJohnsonFilter.java:72)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.orm.hibernate.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:170)
    at com.atlassian.spring.filter.FlushingSpringSessionInViewFilter.doFilterInternal(FlushingSpringSessionInViewFilter.java:29)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.confluence.util.ConfluenceErrorFilter.doFilter(ConfluenceErrorFilter.java:22)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.util.profiling.filters.ProfilingFilter.doFilter(ProfilingFilter.java:99)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.confluence.core.datetime.RequestTimeThreadLocalFilter.doFilter(RequestTimeThreadLocalFilter.java:35)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.gzipfilter.GzipFilter.doFilterInternal(GzipFilter.java:80)
    at com.atlassian.gzipfilter.GzipFilter.doFilter(GzipFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.core.filters.cache.AbstractCachingFilter.doFilter(AbstractCachingFilter.java:33)
    at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
    at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
    at com.atlassian.plugin.remotable.plugin.module.oauth.OAuth2LOFilter.doFilter(OAuth2LOFilter.java:70)
    at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
    at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
    at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
    at com.atlassian.plugin.remotable.host.common.service.http.bigpipe.BigPipeRequestIdFilter.doFilter(BigPipeRequestIdFilter.java:35)
    at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
    at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
    at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
    at com.atlassian.prettyurls.filter.PrettyUrlsCombinedMatchDispatcherFilter.doFilter(PrettyUrlsCombinedMatchDispatcherFilter.java:61)
    at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
    at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
    at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
    at com.atlassian.confluence.extra.webdav.servlet.filter.ReverseProxyFilter.doFilter(ReverseProxyFilter.java:427)
    at com.atlassian.confluence.extra.webdav.servlet.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:34)
    at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
    at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
    at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77)
    at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter.doFilter(RequestParamValidationFilter.java:58)
    at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.confluence.web.filter.TranslationModeFilter.doFilter(TranslationModeFilter.java:43)
    at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.confluence.plugin.servlet.filter.ActionContextCleanUp.doFilter(ActionContextCleanUp.java:71)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.confluence.web.filter.LanguageExtractionFilter.doFilter(LanguageExtractionFilter.java:54)
    at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.confluence.util.RequestCacheThreadLocalFilter.doFilter(RequestCacheThreadLocalFilter.java:25)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.confluence.web.filter.DebugFilter.doFilter(DebugFilter.java:44)
    at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.core.filters.encoding.AbstractEncodingFilter.doFilter(AbstractEncodingFilter.java:41)
    at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.core.filters.HeaderSanitisingFilter.doFilter(HeaderSanitisingFilter.java:44)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.atlassian.confluence.servlet.FourOhFourErrorLoggingFilter.doFilter(FourOhFourErrorLoggingFilter.java:65)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
    at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
    at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
    at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
    at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
    at java.lang.Thread.run(Thread.java:619)
2013-03-04 11:14:12,181 INFO [TP-Processor3] [atlassian.confluence.status.SystemErrorInformationLogger] writeToLog 
Request Unique ID : UID_WAS_HERE
--------------------------
JVM Stats
--------------------------
allocatedHeap = 1060372480
availablePermGen = 155743592
usedMemory = 235872752
totalMemory = 1060372480
freeMemory = 824499728
maxPermGen = 268435456
usedPermGen = 112691864
freeMemoryInMegabytes = 786
freeAllocatedHeap = 824499728
availableHeap = 824499728
usedMemoryInMegabytes = 224
maxHeap = 1060372480
usedHeap = 235872752
totalMemoryInMegabytes = 1011
--------------------------
Request Information
--------------------------
URL: https://EXAMPLE.COM/500page.jsp
Scheme: https
Server: EXAMPLE.COM
Port: 443
URI: /500page.jsp
Context Path: 
Servlet Path: /500page.jsp
Path Info: null
Query String: null
--------------------------
Attributes
--------------------------
javax.servlet.forward.request_uri: /dashboard.action
javax.servlet.forward.context_path: 
javax.servlet.forward.servlet_path: /dashboard.action
javax.servlet.forward.path_info: /500page.jsp
os_securityfilter_already_filtered: true
atlassian.core.seraph.original.url: /dashboard.action
javax.servlet.error.status_code: 500
javax.servlet.error.servlet_name: action
com.atlassian.gzipfilter.GzipFilter_already_filtered: true
loginfilter.already.filtered: true
Confluence-Request-Time: 1362413652032
com.atlassian.confluence.web.ConfluenceJohnsonFilter_already_filtered: true
javax.servlet.error.message: 
com.opensymphony.sitemesh.APPLIED_ONCE: true
com.atlassian.core.filters.HeaderSanitisingFilter_already_filtered: true
__cleanup_recursion_counter: 0
com.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter_already_filtered: true
javax.servlet.error.exception: javax.servlet.ServletException: Filter execution threw an exception
javax.servlet.error.request_uri: /dashboard.action
--------------------------
Parameters
--------------------------
caused by: javax.servlet.ServletException: Filter execution threw an exception
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:259)
caused by: java.lang.IllegalAccessError: tried to access method com.atlassian.confluence.event.events.security.SecurityEvent.<init>(Ljava/lang/Object;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)V from class shibauth.confluence.authentication.shibboleth.RemoteUserAuthenticator
at shibauth.confluence.authentication.shibboleth.RemoteUserAuthenticator.loginSuccessful(RemoteUserAuthenticator.java:843)

garysweaver commented 11 years ago

Thanks for the report!

Looks like this is failing:

        getEventPublisher().publish(new LoginEvent(this, username, request.getSession().getId(), remoteHost, remoteIP));

Can't fix right now, but should be able to take a look this evening.

If you want to follow the setup in the README, you might be able to work on a fix also.

Here is what Joe Clark (Atlassian Dev Relations) had done last year: https://bitbucket.org/jaysee00/example-confluence-sso-authenticator/src/381eb95ebc08/src/main/java/com/atlassian/confluence/seraph/example/ExampleSSOAuthenticator.java#cl-120

i.e.

        putPrincipalInSessionContext(request, user);
        getElevatedSecurityGuard().onSuccessfulLoginAttempt(request, username);
        // Firing this event is necessary to ensure the user's personal information is initialised correctly.
        getEventPublisher().publish(new LoginEvent(this, username, request.getSession().getId(), remoteHost, remoteIP));
        LoginReason.OK.stampRequestResponse(request, response);
        log.info(String.format("Login for user %s successful.", username));
        return user;

One difference is that he is using getElevatedSecurityGuard() and we were using:

        getLoginManager().onSuccessfulLoginAttempt(username, request);

But there are probably other differences, even though they weren't mentioned in what I had received here:

I've just ensured that the authenticator shows up in marketplace as incompatible with 5.x until we can get this worked out.
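
The descriptor in the logged `IllegalAccessError` can be decoded mechanically to see which call broke: it names a constructor taking one `Object` and four `String` arguments, the same shape as the `new LoginEvent(...)` call quoted above. The following is an added example, not code from this thread or from the project; the function names are hypothetical and the sample line is copied from the log in the report.

```python
import re

# The ERROR line from the report above, embedded so the example runs offline.
SAMPLE_LOG = (
    "java.lang.IllegalAccessError: tried to access method "
    "com.atlassian.confluence.event.events.security.SecurityEvent.<init>"
    "(Ljava/lang/Object;Ljava/lang/String;Ljava/lang/String;"
    "Ljava/lang/String;Ljava/lang/String;)V from class "
    "shibauth.confluence.authentication.shibboleth.RemoteUserAuthenticator\n"
)

# JVM descriptor codes for primitive types and void.
PRIMITIVES = {"B": "byte", "C": "char", "D": "double", "F": "float",
              "I": "int", "J": "long", "S": "short", "Z": "boolean", "V": "void"}

# Message format as it appears in the log on this page.
ACCESS_ERROR = re.compile(
    r"java\.lang\.IllegalAccessError: tried to access method "
    r"(?P<owner>[\w.$]+)\.(?P<method><init>|[\w$]+)"
    r"\((?P<params>[^)]*)\)(?P<ret>\S+) from class (?P<caller>[\w.$]+)"
)


def parse_type(desc, i=0):
    """Decode one type descriptor at desc[i]; return (java_type, next_index)."""
    dims = 0
    while i < len(desc) and desc[i] == "[":  # each '[' is one array dimension
        dims, i = dims + 1, i + 1
    if i >= len(desc):
        raise ValueError("truncated descriptor: %r" % desc)
    code = desc[i]
    if code == "L":  # object type: L<internal/class/name>;
        end = desc.find(";", i)
        if end == -1:
            raise ValueError("unterminated class name in %r" % desc)
        name, i = desc[i + 1:end].replace("/", "."), end + 1
    elif code in PRIMITIVES:
        name, i = PRIMITIVES[code], i + 1
    else:
        raise ValueError("unknown descriptor code %r in %r" % (code, desc))
    return name + "[]" * dims, i


def parse_params(params):
    """Decode the parameter part of a method descriptor into Java type names."""
    types, i = [], 0
    while i < len(params):
        java_type, i = parse_type(params, i)
        types.append(java_type)
    return types


def find_access_errors(log_text):
    """Return one record per IllegalAccessError: caller, target and decoded types."""
    records = []
    for m in ACCESS_ERROR.finditer(log_text):
        records.append({
            "caller": m.group("caller"),
            "target": "%s.%s" % (m.group("owner"), m.group("method")),
            "params": parse_params(m.group("params")),
            "returns": parse_type(m.group("ret"))[0],
        })
    return records


if __name__ == "__main__":
    for rec in find_access_errors(SAMPLE_LOG):
        print("%(caller)s -> %(target)s(%(params)s)" % rec)
```

Run over a Confluence log after an upgrade, the `caller` field shows which plugin class was compiled against an API that no longer links.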

garysweaver commented 11 years ago

Note that I'll be relying on you to test any changes I make, because I don't have a shib test environment at home yet. Hope that is ok.

garysweaver commented 11 years ago

One other very important thing. The version of Confluence in the pom.xml right now is still 4.x. Will need to modify that. In the pom.xml make it look like this and just see whether it compiles at first (hopefully have IDEA or something available that will inspect and help a bit at least determining if method sigs changed).

    <modelVersion>4.0.0</modelVersion>
    <groupId>shibauth</groupId>
    <artifactId>remoteUserAuth</artifactId>
    <version>2.2.0-SNAPSHOT</version>
    <properties>
        <confluence.version>5.0.2</confluence.version>
        <!-- Look at pom.xml in confluence version in https://maven.atlassian.com/content/repositories/atlassian-public/com/atlassian/confluence/confluence-project/ -->
        <crowd.version>2.6.0</crowd.version>
        <crowd.embedded.version>1.6</crowd.embedded.version>
    </properties>

Pull reqs welcome, of course.

bananastalktome commented 11 years ago

I changed pom.xml to reference Confluence version 5.0.1 and, from build errors, found that I had to also include an additional parameter expected by the 'LoginEvent' constructor which was added in Confluence 5. The additional parameter is string loginSource, as per http://docs.atlassian.com/atlassian-confluence/5.0/com/atlassian/confluence/event/events/security/LoginEvent.html, which I set as LoginEvent.UNKNOWN because a) it worked and b) I don't know what it's for.

Changing those two pieces alone provides successful shib login (YAY!), and I didn't have to muck with the getElevatedSecurityGuard() vs getLoginManager() piece to get it working.

That all said, I don't know how this will work between 4.x and 5.x users.

ps. And also, I'm happy to test builds.

garysweaver commented 11 years ago

That's great!

Reading that javadoc, UNKNOWN sounds to be the best choice, although imo it should be called OTHER (but I won't argue over it since it's already published :) ).

If it's incompatible with Confluence 4.1-4.x (and before) that's fine, it just needs to be a v2.2.0-SNAPSHOT as mentioned above and then we can release as 2.2.0 which will be Confluence 5.x compatible (actually I have to specifically state the version range in marketplace that is compatible, but that's just informational in the case of the authenticator since it can't be installed from within the app). Probably won't use major version change (3.0.0) for the authenticator version until we support passing info via the environment vs. headers (requested feature from the Shibboleth folks for some time, but I've not had time to work on it mostly because it would require testing :) ).

Thanks for the offer to test! I'll take you up on it. Feel free to pull req and then link to this ticket. Thanks again!

garysweaver commented 11 years ago

Thanks for the help! Will close this on release, hopefully tonight, then I could use your help testing it tomorrow if ok.

garysweaver commented 11 years ago

(Release should be identical to what you have except for version.)

garysweaver commented 11 years ago

Released in 2.2.0. Thanks!

https://github.com/chauth/confluence_http_authenticator/blob/master/releases/remoteUserAuth-2.2.0.jar

garysweaver commented 11 years ago

Please test and let me know if it works for you.

bananastalktome commented 11 years ago

@garysweaver Tested and shib login works great in Confluence 5.0 with v2.2.0 of the authenticator. Thanks!

garysweaver commented 11 years ago

Cool. Thanks for your contribution!