Confluence is unable to integrate with HipChat because XSRF checks failed
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
Users are unable to integrate Confluence and HipChat when following the steps provided in the Use HipChat and Confluence together documentation.
The following appears in the atlassian-confluence.log:
2016-08-04 08:55:10,594 WARN [http-nio-8090-exec-19] [common.security.jersey.XsrfResourceFilter] passesAdditionalBrowserChecks Additional XSRF checks failed for request: <ConfluenceBaseURL>/rest/analytics/1.0/publish/bulk , origin: null , referrer: <ConfluenceBaseURL>/plugins/servlet/hipchat/configure , credentials in request: true , allowed via CORS: false
-- referer: <ConfluenceBaseURL>/plugins/servlet/hipchat/configure | url: /confluence/rest/analytics/1.0/publish/bulk | traceId: 906e4509a343baaf | userName: admin
...
2016-08-04 08:55:10,622 WARN [http-nio-8090-exec-18] [common.security.jersey.XsrfResourceFilter] passesAdditionalBrowserChecks Additional XSRF checks failed for request: <ConfluenceBaseURL>/rest/webResources/1.0/resources , origin: null , referrer: <ConfluenceBaseURL>/plugins/servlet/hipchat/configure , credentials in request: true , allowed via CORS: false
-- referer: <ConfluenceBaseURL>/plugins/servlet/hipchat/configure | url: /confluence/rest/webResources/1.0/resources | traceId: a8de9b55c5dcd7c1 | userName: admin
Diagnosis
Environment
- Confluence is running behind an HTTP-based reverse proxy.
Cause
With the recent Cross Site Request Forgery (CSRF) protection changes in Atlassian REST calls, some browser requests are blocked if the origin of the request is not trusted. When Confluence is running behind a reverse proxy, Tomcat must therefore be made aware of the reverse proxy, which ensures that responses from Tomcat have the correct (trusted) hostname information. The necessary reverse proxy information must be included in the <Confluence-Installation>/conf/server.xml file.
For more information on this, refer to the Cross Site Request Forgery (CSRF) protection changes in Atlassian REST KB article.
Resolution
Please add the necessary proxyName, proxyPort and scheme configurations to your <Confluence-Installation>/conf/server.xml file.
Example:
This is the default HTTP connector in Confluence 5.10.x:
<Connector port="5102" connectionTimeout="20000" redirectPort="8443" maxThreads="48" minSpareThreads="10" enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
If you were configuring this proxy to be used at https://confluence.atlassian.com/ you would configure it like this:
<Connector port="5102" connectionTimeout="20000" redirectPort="8443" maxThreads="48" minSpareThreads="10" enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11NioProtocol" proxyName="confluence.atlassian.com" proxyPort="443" scheme="https" />
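The following is an added example, not Atlassian's code: a small Python check that pulls the request, origin and referrer out of "Additional XSRF checks failed" log entries and lists which Connector elements in a server.xml lack the proxyName, proxyPort and scheme attributes. The sample log line and server.xml are constructed, with confluence.example.com standing in for <ConfluenceBaseURL> and port 5103 invented for the second connector.

```python
import re
import xml.etree.ElementTree as ET

REQUIRED = ("proxyName", "proxyPort", "scheme")  # attributes named in the Resolution
XSRF_RE = re.compile(
    r"XsrfResourceFilter\].*?Additional XSRF checks failed\s+for request: (?P<request>\S+) , "
    r"origin: (?P<origin>\S+) , referrer: (?P<referrer>\S+) ,"
)

# Constructed sample input (example.com replaces <ConfluenceBaseURL>).
SAMPLE_LOG = (
    "2016-08-04 08:55:10,594 WARN [http-nio-8090-exec-19] "
    "[common.security.jersey.XsrfResourceFilter] passesAdditionalBrowserChecks "
    "Additional XSRF checks failed for request: "
    "https://confluence.example.com/rest/analytics/1.0/publish/bulk , origin: null , "
    "referrer: https://confluence.example.com/plugins/servlet/hipchat/configure , "
    "credentials in request: true , allowed via CORS: false\n"
)
# Constructed server.xml: port 5102 is unconfigured, port 5103 (invented) is proxy-aware.
SAMPLE_SERVER_XML = """<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="5102" connectionTimeout="20000" redirectPort="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"/>
    <Connector port="5103" connectionTimeout="20000" redirectPort="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               proxyName="confluence.example.com" proxyPort="443" scheme="https"/>
  </Service>
</Server>"""

def xsrf_failures(log_text):
    """Return request/origin/referrer for each XSRF check failure in the log."""
    return [m.groupdict() for m in XSRF_RE.finditer(log_text)]

def connectors_missing_proxy_attrs(server_xml):
    """Map each Connector port to the reverse proxy attributes it lacks."""
    root = ET.fromstring(server_xml)
    return {c.get("port"): [a for a in REQUIRED if not c.get(a)]
            for c in root.iter("Connector")}

if __name__ == "__main__":
    for hit in xsrf_failures(SAMPLE_LOG):
        print("blocked:", hit["request"], "origin =", hit["origin"])
    for port, missing in connectors_missing_proxy_attrs(SAMPLE_SERVER_XML).items():
        print(f"Connector {port}:", "ok" if not missing else "missing " + ", ".join(missing))
```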