java.lang.StackOverflowError

Atlassian JIRA | Ryan Goodwin [Atlassian] | 3 years ago
  1. 0

    Let's preface this with - custom authenticators are not supported, nor are 3rd party add-ons, but there is likely a bug in the Seraph API here that either needs documentation to be updated or a fix implemented. When using a custom authenticator (Confluence HTTP authenticator) authenticating against Shibboleth, if getUserFromBasicAuthentication(request, response) is called on com.atlassian.seraph.auth.DefaultAuthenticator from within a custom authenticator's login method, it will loop forever:

    {noformat}
    java.lang.StackOverflowError
        at net.sf.hibernate.impl.SessionImpl.<init>(SessionImpl.java:543)
        at net.sf.hibernate.impl.SessionFactoryImpl.openSession(SessionFactoryImpl.java:314)
        at net.sf.hibernate.impl.SessionFactoryImpl.openSession(SessionFactoryImpl.java:327)
        at net.sf.hibernate.impl.SessionFactoryImpl.openSession(SessionFactoryImpl.java:335)
        at org.springframework.orm.hibernate.HibernateTransactionManager.doBegin(HibernateTransactionManager.java:412)
        at org.springframework.transaction.support.AbstractPlatformTransactionManager.getTransaction(AbstractPlatformTransactionManager.java:374)
        at org.springframework.transaction.interceptor.TransactionAspectSupport.createTransactionIfNecessary(TransactionAspectSupport.java:263)
        at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:101)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at sun.proxy.$Proxy43.requiresElevatedSecurityCheck(Unknown Source)
        at com.atlassian.confluence.security.seraph.ConfluenceElevatedSecurityGuard.performElevatedSecurityCheck(ConfluenceElevatedSecurityGuard.java:62)
        at com.atlassian.seraph.auth.DefaultAuthenticator.getUserFromBasicAuthentication(DefaultAuthenticator.java:507)
        at shibauth.confluence.authentication.shibboleth.RemoteUserAuthenticator.login(RemoteUserAuthenticator.java:699)
        at com.atlassian.seraph.auth.DefaultAuthenticator.getUserFromBasicAuthentication(DefaultAuthenticator.java:525)
        at shibauth.confluence.authentication.shibboleth.RemoteUserAuthenticator.login(RemoteUserAuthenticator.java:699)
        at com.atlassian.seraph.auth.DefaultAuthenticator.getUserFromBasicAuthentication(DefaultAuthenticator.java:525)
        at shibauth.confluence.authentication.shibboleth.RemoteUserAuthenticator.login(RemoteUserAuthenticator.java:699)
    {noformat}

    Report from the Confluence add-on developer's page:

    {panel}
    If getUserFromBasicAuthentication(request, response) is called on com.atlassian.seraph.auth.DefaultAuthenticator from within a custom authenticator's login method, it will loop forever. You understand that they do not support custom authenticators. You also understand that explaining to you how to use their API is not part of the support agreement of Confluence. However, there is a common problem with usage of their Seraph API by an authenticator, and this may be a vector for a DoS attack on Confluence, since one request can take down the server. Further, it may be accidentally triggered by a space export when using a custom authenticator that calls that method from their authenticator's login method to allow basic auth for space export. In other words, unless there is a way to get this to work, they cannot claim to work with SSOs like Shibboleth.

    Tell them that you understand that they may have no way to fix this or provide a workaround, but that at the very least, they should (a) add to documentation about authenticator development to indicate that this method should not be called from an authenticator's login method (directly or indirectly) and that basic auth is not supported with custom authenticators fully, which will affect some functionality of Confluence like the ability to export spaces, and (b) they should consider warning developers of known Confluence authenticators directly about this issue, since it is a possible attack vector.
    {panel}

    https://github.com/chauth/confluence_http_authenticator/issues/9

    Answers post detailing the behavior and log result linked above: https://answers.atlassian.com/questions/183170/confluence-cli-with-confluence-http-authenticator-in-5-1

  4. 0

    Unable to trace the source of a stack overflow error

    Stack Overflow | 5 years ago | David
    java.lang.StackOverflowError


    Root Cause Analysis

    1. java.lang.StackOverflowError

      No message provided

      at net.sf.hibernate.impl.SessionImpl.<init>()
    2. net.sf.hibernate
      SessionFactoryImpl.openSession
      1. net.sf.hibernate.impl.SessionImpl.<init>(SessionImpl.java:543)
      2. net.sf.hibernate.impl.SessionFactoryImpl.openSession(SessionFactoryImpl.java:314)
      3. net.sf.hibernate.impl.SessionFactoryImpl.openSession(SessionFactoryImpl.java:327)
      4. net.sf.hibernate.impl.SessionFactoryImpl.openSession(SessionFactoryImpl.java:335)
      4 frames
    3. Hibernate
      HibernateTransactionManager.doBegin
      1. org.springframework.orm.hibernate.HibernateTransactionManager.doBegin(HibernateTransactionManager.java:412)
      1 frame
    4. Spring Tx
      TransactionInterceptor.invoke
      1. org.springframework.transaction.support.AbstractPlatformTransactionManager.getTransaction(AbstractPlatformTransactionManager.java:374)
      2. org.springframework.transaction.interceptor.TransactionAspectSupport.createTransactionIfNecessary(TransactionAspectSupport.java:263)
      3. org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:101)
      3 frames
    5. Spring AOP
      JdkDynamicAopProxy.invoke
      1. org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
      2. org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
      2 frames
    6. sun.proxy
      $Proxy43.requiresElevatedSecurityCheck
      1. sun.proxy.$Proxy43.requiresElevatedSecurityCheck(Unknown Source)
      1 frame
    7. com.atlassian.confluence
      ConfluenceElevatedSecurityGuard.performElevatedSecurityCheck
      1. com.atlassian.confluence.security.seraph.ConfluenceElevatedSecurityGuard.performElevatedSecurityCheck(ConfluenceElevatedSecurityGuard.java:62)
      1 frame
    8. com.atlassian.seraph
      DefaultAuthenticator.getUserFromBasicAuthentication
      1. com.atlassian.seraph.auth.DefaultAuthenticator.getUserFromBasicAuthentication(DefaultAuthenticator.java:507)
      1 frame
    9. shibauth.confluence.authentication
      RemoteUserAuthenticator.login
      1. shibauth.confluence.authentication.shibboleth.RemoteUserAuthenticator.login(RemoteUserAuthenticator.java:699)
      1 frame
    10. com.atlassian.seraph
      DefaultAuthenticator.getUserFromBasicAuthentication
      1. com.atlassian.seraph.auth.DefaultAuthenticator.getUserFromBasicAuthentication(DefaultAuthenticator.java:525)
      1 frame
    11. shibauth.confluence.authentication
      RemoteUserAuthenticator.login
      1. shibauth.confluence.authentication.shibboleth.RemoteUserAuthenticator.login(RemoteUserAuthenticator.java:699)
      1 frame
    12. com.atlassian.seraph
      DefaultAuthenticator.getUserFromBasicAuthentication
      1. com.atlassian.seraph.auth.DefaultAuthenticator.getUserFromBasicAuthentication(DefaultAuthenticator.java:525)
      1 frame
    13. shibauth.confluence.authentication
      RemoteUserAuthenticator.login
      1. shibauth.confluence.authentication.shibboleth.RemoteUserAuthenticator.login(RemoteUserAuthenticator.java:699)
      1 frame