Unable to connect to Jira for authentication - Forbidden 403

Still need help?

The Atlassian Community is here for you.

Ask the community

Problem

When trying to integrate Confluence to Jira for user management as described in Connecting to JIRA for User Management, it fails with either of the following errors in atlassian-confluence.log:

2015-03-01 14:13:51,381 ERROR [scheduler_Worker-1] [atlassian.crowd.directory.DbCachingDirectoryPoller] pollChanges Error occurred while refreshing the cache for directory [ 131073 ].
com.atlassian.crowd.exception.OperationFailedException: com.atlassian.crowd.exception.ApplicationPermissionException: Forbidden (403) Encountered a "403 - Forbidden" error while loading this page. Go to JIRA home
	at com.atlassian.crowd.directory.RemoteCrowdDirectory.searchUsers(RemoteCrowdDirectory.java:378)
	at com.atlassian.crowd.directory.ldap.cache.RemoteDirectoryCacheRefresher.findAllRemoteUsers(RemoteDirectoryCacheRefresher.java:43)
	at com.atlassian.crowd.directory.ldap.cache.RemoteDirectoryCacheRefresher.synchroniseAllUsers(RemoteDirectoryCacheRefresher.java:62)
	at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:78)
	at com.atlassian.crowd.directory.ldap.cache.EventTokenChangedCacheRefresher.synchroniseAll(EventTokenChangedCacheRefresher.java:71)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:1008)
	at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:75)
	at com.atlassian.crowd.directory.DbCachingDirectoryPoller.pollChanges(DbCachingDirectoryPoller.java:50)
	at com.atlassian.crowd.manager.directory.monitor.poller.DirectoryPollerJobBean.executeInternal(DirectoryPollerJobBean.java:29)
	at org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:86)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:199)
	at com.atlassian.confluence.schedule.quartz.ConfluenceQuartzThreadPool$1.run(ConfluenceQuartzThreadPool.java:20)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:549)
Caused by: com.atlassian.crowd.exception.ApplicationPermissionException: Forbidden (403) Encountered a "403 - Forbidden" error while loading this page. Go to JIRA home
	at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.throwError(RestExecutor.java:490)
	at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.andReceive(RestExecutor.java:344)
	at com.atlassian.crowd.integration.rest.service.RestCrowdClient.searchUsers(RestCrowdClient.java:511)
	at com.atlassian.crowd.directory.RemoteCrowdDirectory.searchUsers(RemoteCrowdDirectory.java:370)
	... 12 more

Cause

Confluence server could not connect or access to JIRA server due to the following causes:

  1. JIRA does not include the Confluence server IP or URL in JIRA User Server settings
  2. JIRA does not include the Confluence server IP or URL in the allowlist, even if both of them are located within the same server. 
  3. There is a proxy or firewall that blocks such access from Confluence to JIRA.

Resolution

  • Ensure that the Confluence server URL (or IP address) has been added to JIRA User Server or allowlist settings.
  • Configure any proxy or firewall (rules blocking the access, NAT or PAT, etc.) that might block such access. You might want to follow this method Configuring Web Proxy Support for Confluence or review the rules in your firewall or even the logs to see if these packages are being dropped.

  • Try bypassing the proxy. For instance, if both JIRA and Confluence are on the same server, use 127.0.0.1 to connect, instead. On Connecting to JIRA for User Management:

    • "Step 1: Go to your JIRA administration screen and define the Confluence application to JIRA", item 5, configure the following IPs:

      127.0.0.1
      ::1
      your.hostname
    • "Step 2: Set up the JIRA user directory in Confluence", item 4, configure http://127.0.0.1:port/context_path on the "Server URL" settings.

    • Alternatively, use the IPs of Confluence and JIRA if they have a direct connection to each other through the network.

    • The best approach is to identify the IP address in the access logs to check which IP address is coming into it. Based on that, we can add an IP range to fix this issue. We can check Proxy server access logs or enable Tomcat Valve logging to get more details. Add the following line within the <Context > ... </Context> tags declaration in Jira server.xml file, this will generate the Jira access logging and will capture the "/rest/usermanagement/1/search" rest request. 

      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="jira_access_log" suffix=".log" pattern="%t %{X-AUSERNAME}o %{User-Agent}i %h %m %r %b %s %D %I" />



Last modified on Feb 29, 2024

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.