me0wster / javamelody

Automatically exported from code.google.com/p/javamelody

Monitoring URL /monitoring results in internal server error when viewed by non-admin user #192

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
In Bamboo 3.4.3 running on RHEL, I installed the latest version of the Java Melody 
plugin. It works fine when I am logged in as an admin, but when I am logged in as a 
non-admin and try to access the URL, even though I would not expect to be able to, 
instead of a blank page or standard "access denied" message, I get an internal 
server error with this stack trace:

Stack Trace: 

java.lang.IllegalStateException: java.lang.reflect.InvocationTargetException
    at net.bull.javamelody.JiraMonitoringFilter.hasBambooAdminPermission(JiraMonitoringFilter.java:209)
    at net.bull.javamelody.JiraMonitoringFilter.checkBambooAdminPermission(JiraMonitoringFilter.java:128)
    at net.bull.javamelody.JiraMonitoringFilter.hasNotPermission(JiraMonitoringFilter.java:70)
    at net.bull.javamelody.JiraMonitoringFilter.doFilter(JiraMonitoringFilter.java:60)
    at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
    at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
    at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77)
    at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1322)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:96)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:75)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1322)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:473)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:516)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:921)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:403)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:184)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:856)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:114)
    at org.eclipse.jetty.server.Server.handle(Server.java:352)
    at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:596)
    at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:1052)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:590)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:212)
    at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:426)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:510)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.access$000(SelectChannelEndPoint.java:34)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:40)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:450)
    at java.lang.Thread.run(Thread.java:662)
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.GeneratedMethodAccessor738.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at net.bull.javamelody.JiraMonitoringFilter.hasBambooAdminPermission(JiraMonitoringFilter.java:202)
    ... 32 more
Caused by: java.lang.IllegalArgumentException: Unknown permission 'ADMIN'
    at org.springframework.util.Assert.isTrue(Assert.java:65)
    at com.atlassian.bamboo.security.acegi.acls.BambooPermission.buildFromName(BambooPermission.java:236)
    at com.atlassian.bamboo.security.BambooPermissionManagerImpl.hasPermission(BambooPermissionManagerImpl.java:72)
    at com.atlassian.bamboo.security.BambooPermissionManagerImpl.hasPermission(BambooPermissionManagerImpl.java:120)
    at sun.reflect.GeneratedMethodAccessor739.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:304)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at $Proxy81.hasPermission(Unknown Source)

Original issue reported on code.google.com by amyat...@gmail.com on 1 Mar 2012 at 4:20

GoogleCodeExporter commented 9 years ago
I have changed the admin permission check for the new security API in Bamboo 
(v3.1+).
It is now fixed (revision 2560) and ready for the next release (1.36).
It should be compatible with Bamboo 2.x and 3.x.

If you want to try it, I have made a new build from the current and it is 
available at:
http://javamelody.googlecode.com/files/jira-javamelody-20120303.jar

Thanks

Original comment by evernat@free.fr on 3 Mar 2012 at 1:15
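
The failure mode in this thread, as an added example (not JavaMelody's code and not the revision 2560 change): a reflective permission check that denies with 403 when the host's permission API throws, instead of letting the exception surface as a 500 with a stack trace. `StubPermissionManager`, `authorize` and the permission name `ADMINISTRATION` are hypothetical stand-ins, not Bamboo's real API.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

public class FailClosedAdminCheck {
    // Hypothetical stand-in for a host permission manager that rejects
    // permission names it does not know, like the "Unknown permission" error above.
    public static class StubPermissionManager {
        public boolean hasPermission(String user, String permission) {
            if (!"ADMINISTRATION".equals(permission)) { // constructed name, an assumption
                throw new IllegalArgumentException("Unknown permission '" + permission + "'");
            }
            return "admin".equals(user);
        }
    }

    // Returns the HTTP status a filter should answer with:
    // 200 to continue the chain, 403 to deny. Never lets the check's failure escape.
    static int authorize(Object manager, String user, String permissionName) {
        try {
            Method m = manager.getClass()
                    .getMethod("hasPermission", String.class, String.class);
            return Boolean.TRUE.equals(m.invoke(manager, user, permissionName)) ? 200 : 403;
        } catch (InvocationTargetException e) {
            // The permission API itself threw: keep the cause in the server log
            // and deny, rather than rethrowing it to the client as a 500.
            System.err.println("permission check failed: " + e.getCause());
            return 403;
        } catch (ReflectiveOperationException | RuntimeException e) {
            // Method missing, inaccessible, or called with bad arguments: also deny.
            System.err.println("permission API not usable: " + e);
            return 403;
        }
    }

    public static void main(String[] args) {
        Object pm = new StubPermissionManager();
        // Known permission name: admin passes, non-admin is denied.
        System.out.println("admin, known name:   " + authorize(pm, "admin", "ADMINISTRATION"));
        System.out.println("user, known name:    " + authorize(pm, "user", "ADMINISTRATION"));
        // Name the host no longer accepts: the check throws, the caller is still denied.
        System.out.println("user, unknown name:  " + authorize(pm, "user", "ADMIN"));
        System.out.println("admin, unknown name: " + authorize(pm, "admin", "ADMIN"));
    }
}
```

With an unknown permission name even the admin is denied, so a broken check shows up as a lockout plus a server-side log entry rather than as a stack trace shown to non-admin users.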