Application Link authentication fails due to bad URL signature

Symptoms

When integrating JIRA with another Atlassian application (e.g. Confluence, Fisheye) using an application link, the applications cannot authenticate to each other and the following WARN messages appear in the atlassian-jira.log file:

2013-05-17 09:02:11,287 http-bio-8081-exec-49 WARN mara 542x26597x1 1k9a2i5 192.168.11.222,0:0:0:0:0:0:0:1 /rest/applinks/1.0/permission/reciprocate-entity-create/a740ca68-a1de-3dd0-89ef-8f363372ee73 [apache.commons.httpclient.HttpMethodDirector] Unable to respond to any of these challenges: {oauth=OAuth realm="https%3A%2F%2Fcrucible.hotname"}
2013-05-17 09:02:11,288 http-bio-8081-exec-49 WARN mara 542x26597x1 1k9a2i5 192.168.11.222,0:0:0:0:0:0:0:1 /rest/applinks/1.0/permission/reciprocate-entity-create/a740ca68-a1de-3dd0-89ef-8f363372ee73 [apache.commons.httpclient.HttpMethodBase] Going to buffer response body of large or unknown size. Using getResponseBodyAsStream instead is recommended.
2013-05-17 09:02:11,288 http-bio-8081-exec-49 WARN mara 542x26597x1 1k9a2i5 192.168.11.222,0:0:0:0:0:0:0:1 /rest/applinks/1.0/permission/reciprocate-entity-create/a740ca68-a1de-3dd0-89ef-8f363372ee73 [applinks.core.rest.PermissionResource] Authentication failed for application link crucible (a740ca68-a1de-3dd0-89ef-8f363372ee73) http://localhost:8060 com.atlassian.applinks.application.fecru.FishEyeCrucibleApplicationTypeImpl@538d815. Response headers: {WWW-Authenticate=OAuth realm="https%3A%2F%2Fcrucible.hotname", Vary=Accept, Expires=Thu, 01-Jan-1970 00:00:00 GMT, Set-Cookie=FESESSIONID=4abciz4kqjnw1nekxe11p5144;Path=/;HttpOnly, X-Seraph-Trusted-App-Error=BAD_SIGNATURE;	Bad signature for URL: {0};	["https://crucible.hotname/rest/applinks/1.0/permission/create-entity/a3425419-3edd-3a7d-842f-a0753ab155f4"], X-Seraph-Trusted-App-Status=ERROR, Connection=close, Content-Type=application/xml, X-AUSERNAME=anonymous, Server=Jetty(6.1.26), Cache-Control=no-transform} body: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><status><status-code>401</status-code><message>Client must be authenticated to access this resource.</message></status>

The following appears in the atlassian-fisheye-<date>.log:

2013-05-17 09:02:11,284 WARN  [btpool0-358 ] com.atlassian.security.auth.trustedapps.filter.TrustedApplicationFilterAuthenticator TrustedApplicationFilterAuthenticator-authenticate - Failed to login trusted application: jira:10699348 due to bad URL signature.
2013-05-17 09:02:11,284 ERROR [btpool0-358 ] com.atlassian.fisheye.trustedapplications.FisheyeAuthenticationListener FisheyeAuthenticationListener-authenticationError - Error handling trusted applications authentication attempt:BAD_SIGNATURE;	Bad signature for URL: {0};	["https://crucible.hotname/rest/applinks/1.0/permission/create-entity/a3425419-3edd-3a7d-842f-a0753ab155f4"]

Cause

  1. The Application Links are set up without going through the proxy server, but proxy settings have been added to Fisheye/Crucible or JIRA.
  2. JIRA is running behind a proxy but does not have the proxy settings in server.xml.
  3. You are hitting bug JRA-34550. Due to a bug in the Shared Access Layer, one of the libraries JIRA uses, attempts to connect over non-standard ports (such as 8443) will not work properly. This can cause AppLinks to fail when attempting to connect to JIRA, as the 'Host' HTTP header is always missing the port, regardless of the actual URL.
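
To check whether cause 1 or 2 applies, compare the URL the application link is configured with against the URL named in the BAD_SIGNATURE error; both appear in the atlassian-jira.log line shown under Symptoms. The Python below is an added example, not Atlassian code: the function names are hypothetical, the sample line is abridged from the log excerpt on this page, and treating a scheme/host/port difference as the proxy indicator is an assumption drawn from the causes listed above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, abridged from the atlassian-jira.log line on this page.
SAMPLE = (
    '2013-05-17 09:02:11,288 http-bio-8081-exec-49 WARN mara [applinks.core.rest.PermissionResource] '
    'Authentication failed for application link crucible (a740ca68-a1de-3dd0-89ef-8f363372ee73) '
    'http://localhost:8060 com.atlassian.applinks.application.fecru.FishEyeCrucibleApplicationTypeImpl@538d815. '
    'Response headers: {X-Seraph-Trusted-App-Error=BAD_SIGNATURE;\tBad signature for URL: {0};\t'
    '["https://crucible.hotname/rest/applinks/1.0/permission/create-entity/a3425419-3edd-3a7d-842f-a0753ab155f4"]}'
)

# Name, id and configured URL of the link, as logged by PermissionResource.
LINK_RE = re.compile(r'Authentication failed for application link (\S+) \(([0-9a-f-]+)\) (\S+)')
# URL the remote application reported in its BAD_SIGNATURE error.
SIGNED_RE = re.compile(r'BAD_SIGNATURE;\s*Bad signature for URL: \{0\};\s*\["([^"]+)"\]')
DEFAULT_PORTS = {'http': 80, 'https': 443}

def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or '').lower(), parts.port or DEFAULT_PORTS.get(scheme)

def check_line(line):
    """Return a finding dict for a BAD_SIGNATURE applink failure, else None."""
    link, signed = LINK_RE.search(line), SIGNED_RE.search(line)
    if not (link and signed):
        return None
    configured, rejected = origin(link.group(3)), origin(signed.group(1))
    fields = ('scheme', 'host', 'port')
    return {
        'link': link.group(1),
        'id': link.group(2),
        'configured': link.group(3),
        'rejected_url_origin': '%s://%s:%s' % rejected,
        # Non-empty list: the link URL and the URL in the error disagree.
        'mismatch': [f for f, a, b in zip(fields, configured, rejected) if a != b],
    }

def scan(lines):
    """Yield findings for every matching line in an iterable of log lines."""
    for line in lines:
        finding = check_line(line)
        if finding:
            yield finding

if __name__ == '__main__':
    for finding in scan([SAMPLE]):
        print(finding)
```

An empty `mismatch` list means the link URL and the URL in the error agree, which leaves cause 3 to check.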

Resolution

  1. Set up the Application Links using the URL of the proxy server (https://proxy.server.hostname instead of http://local.machine.name:8060).
  2. Add the proxy setting in Fisheye/Crucible, and add the proxyName, proxyPort and scheme attributes to the <Connector/> in the JIRA server.xml file, as described in the Integrating JIRA with Apache using SSL docs:
<Connector port="8080"    
    ...
    scheme="https"
    proxyName="jira.example.com"
    proxyPort="443"
/>

  3. Upgrade to JIRA 6.1.3 and above (JRA-34550).

Last modified on Nov 2, 2018
