'Collection is empty' exception on submit

Hi,

since we applied the changes to our plugin (written in Java using ACSB 2.2.3) because of "Action required: Atlassian Connect vulnerability allows bypass of app qsh verification via context JWTs", we get the following error when submitting our configuration page:

    java.lang.IllegalArgumentException: Collection is empty
        at java.util.EnumSet.copyOf(EnumSet.java:174)
        at org.springframework.boot.web.error.ErrorAttributeOptions.excluding(ErrorAttributeOptions.java:79)
        at com.atlassian.connect.spring.internal.AtlassianConnectErrorController.error(AtlassianConnectErrorController.java:44)

We have the following in our atlassian-connect.json:

    "authentication": {
        "type": "jwt"
    },
    "apiMigrations": {
        "context-qsh": true,
        "signed-install": true
    },
    "lifecycle": {
        "installed": "/installed",
        "uninstalled": "/uninstalled"
    },
    "scopes": [
        "READ",
        "WRITE",
        "ACT_AS_USER"
    ],

As the exception occurs in the ACSB code we are not sure how we can solve that problem.
Can anybody please help with that problem?

Thanks in advance,
Matthias

@matthias1 that sounds strange.

The stack trace you have posted may be a bug in atlassian-connect-spring-boot 2.2.2. But if you are hitting the ErrorController, it means your app has thrown an exception somewhere else, and Spring Boot is trying to serialize a response for it. Have you found what the original error was?

Have you upgraded to Spring Boot 2.5, the latest minor version? atlassian-connect-spring-boot 2.2.2 may require running against Spring Boot 2.5. Our test suite runs fine against Spring Boot 2.4.5, but there may be a corner case here that we don’t have covered.

Hi @epehrson,

thanks for the hint: I indeed was using an older version of Spring Boot. I changed that and am now waiting for response from testing. This may take some time, due to holidays.

Will update this ticket as soon as I get feedback.

Hi @epehrson ,

the original error is gone. Thanks again for the hint to update to Spring Boot 2.5.4.

However, we now get a ‘401 UNAUTHORIZED’ when saving our configuration. A bit strange, because reading the configuration from Jira (which also requires authentication) succeeds.

Here’s the log of the last successful GET:

2021-10-13 06:42:03,194 https-jsse-nio-8443-exec-4 DEBUG org.apache.http.headers onRequestSubmitted http-outgoing-1 >> GET /rest/api/2/issuetype HTTP/1.1
2021-10-13 06:42:03,196 https-jsse-nio-8443-exec-4 DEBUG org.apache.http.headers onRequestSubmitted http-outgoing-1 >> Accept: text/plain, application/json, application/*+json, */*
2021-10-13 06:42:03,196 https-jsse-nio-8443-exec-4 DEBUG org.apache.http.headers onRequestSubmitted http-outgoing-1 >> User-Agent: atlassian-connect-spring-boot/2.2.3
2021-10-13 06:42:03,202 https-jsse-nio-8443-exec-4 DEBUG org.apache.http.headers onRequestSubmitted http-outgoing-1 >> Authorization: JWT eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJxc2giOiI0N2E1MGJlY2Y5YjI2N2JiYzZkM2U0NGZjZDQzZDRjNTFmOWM1MDMwNThkMzUzZjQ1YTBkOWI3YjdkZTU1ZmYxIiwiaXNzIjoiY29tLnhxdWFsLmppcmEuamlyYS14c3R1ZGlvLWNvbm5lY3QtcGx1Z2luIiwiZXhwIjoxNjM0MTA3NTAzLCJpYXQiOjE2MzQxMDczMjN9.2FCRiUYKAxGBPQvOnI-QdIhTw2c7Y537Mxgb7vLbqO8

...
2021-10-13 06:42:03,584 https-jsse-nio-8443-exec-4 DEBUG c.x.jira.xstudio.helper.JiraHelper getJiraValue [XQUAL JH  ] result=<200,[{"self":"https://xqual-dev.atlassian.net/rest/api/2/issuetype/10002","id":"10002","description":"A task that needs to be done.","iconUrl":"https://xqual-dev.atlassian.net/secure/viewavatar?size=medium&avatarId=10318&avatarType=issuetype","name":"Task","untranslatedName":"Task","subtask":false,"avatarId":10318,"hierarchyLevel":0},{"self":"https://xqual-dev.atlassian.net/rest/api/2/issuetype/10000","id":"10000","description":"A big user story that needs to be broken down. Created by Jira Software - do not edit or delete.","iconUrl":"https://xqual-dev.atlassian.net/images/icons/issuetypes/epic.svg","name":"Epic","untranslatedName":"Epic","subtask":false,"hierarchyLevel":1},{"self":"https://xqual-dev.atlassian.net/rest/api/2/issuetype/10005","id":"10005","description":"","iconUrl":"https://xqual-dev.atlassian.net/secure/viewavatar?size=medium&avatarId=10300&avatarType=issuetype","name":"Mon nouvô type","untranslatedName":"Mon nouvô type","subtask":false,"avatarId":10300,"hierarchyLevel":0},{"self":"https://xqual-dev.atlassian.net/rest/api/2/issuetype/10004","id":"10004","description":"A problem which impairs or prevents the functions of the product.","iconUrl":"https://xqual-dev.atlassian.net/secure/viewavatar?size=medium&avatarId=10303&avatarType=issuetype","name":"Bug","untranslatedName":"Bug","subtask":false,"avatarId":10303,"hierarchyLevel":0},{"self":"https://xqual-dev.atlassian.net/rest/api/2/issuetype/10001","id":"10001","description":"Stories track functionality or features expressed as user goals.","iconUrl":"https://xqual-dev.atlassian.net/secure/viewavatar?size=medium&avatarId=10315&avatarType=issuetype","name":"Story","untranslatedName":"Story","subtask":false,"avatarId":10315,"hierarchyLevel":0},{"self":"https://xqual-dev.atlassian.net/rest/api/2/issuetype/10003","id":"10003","description":"The sub-task of the 
issue","iconUrl":"https://xqual-dev.atlassian.net/secure/viewavatar?size=medium&avatarId=10316&avatarType=issuetype","name":"Sub-task","untranslatedName":"Sub-task","subtask":true,"avatarId":10316,"hierarchyLevel":-1}],[Server:"AtlassianProxy/1.19.3.1", vary:"Accept-Encoding", cache-control:"no-cache, no-store, no-transform", Content-Type:"application/json;charset=UTF-8", Strict-Transport-Security:"max-age=315360000; includeSubDomains; preload", Date:"Wed, 13 Oct 2021 06:42:03 GMT", ATL-TraceId:"cd549de36e611ebe", x-arequestid:"f43f6f48-8988-4832-b35d-5d2d6f9ac632", x-aaccountid:"557058%3A16ead61c-2fb9-4a0e-a963-ecd920323281", X-XSS-Protection:"1; mode=block", Transfer-Encoding:"chunked", timing-allow-origin:"*", x-envoy-upstream-service-time:"319", X-Content-Type-Options:"nosniff", Connection:"keep-alive", Expect-CT:"report-uri="https://web-security-reports.services.atlassian.com/expect-ct-report/global-proxy", enforce, max-age=86400"]>
2021-10-13 06:42:03,585 https-jsse-nio-8443-exec-4 DEBUG c.x.jira.xstudio.helper.JiraHelper getJiraValue [XQUAL JH  ] Response status = 200 OK

But shortly after that we get the 401:

2021-10-13 06:42:08,843 https-jsse-nio-8443-exec-9 DEBUG c.a.c.s.i.a.AbstractConnectAuthenticationProvider verifyToken Verified JWT for host https://xqual-dev.atlassian.net (5eedb5f8-7df6-342a-a050-49eb1d53050a)
2021-10-13 06:42:08,843 https-jsse-nio-8443-exec-9 DEBUG c.a.c.s.i.a.AbstractConnectAuthenticationProvider computeQueryStringHash Canonical request for incoming JWT: [CanonicalHttpServletRequest@3f0e502b method = 'POST', relativePath = '/configuration', parameterMap = '[requirementIssueTypes -> (Task,Epic,Story),bugIssueTypes -> (Bug),xstudioBaseUrl -> (https://xqual-dev-eric2.myxqual.com/xqual/plugins/jira),username -> (admin),password -> (password),showInline -> (on),jwt -> (eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJjb20ueHF1YWwuamlyYS5qaXJhLXhzdHVkaW8tY29ubmVjdC1wbHVnaW4iLCJzdWIiOiI1NTcwNTg6OWIwM2YzNzktNjU5YS00MzAyLTg3MTMtZjE4NDNhZjczOTdjIiwiY2xpZW50S2V5IjoiNWVlZGI1ZjgtN2RmNi0zNDJhLWEwNTAtNDllYjFkNTMwNTBhIiwicXNoIjoiY29udGV4dC1xc2giLCJpc3MiOiJjb20ueHF1YWwuamlyYS5qaXJhLXhzdHVkaW8tY29ubmVjdC1wbHVnaW4iLCJleHAiOjE2MzQxMDgyMjIsImlhdCI6MTYzNDEwNzMyMn0.Or-wNZmM4tAtWupwg3XjnNznmV7g3uL95sRkn828t-o),save -> (Save),]']
2021-10-13 06:42:08,845 https-jsse-nio-8443-exec-9 TRACE o.s.web.servlet.DispatcherServlet traceDebug POST "/jira-xstudio-connect-plugin-6/configuration", parameters={masked}, headers={masked} in DispatcherServlet 'dispatcherServlet'
2021-10-13 06:42:08,846 https-jsse-nio-8443-exec-9 TRACE o.s.b.f.s.DefaultListableBeanFactory doGetBean Returning cached instance of singleton bean 'configurationController'
2021-10-13 06:42:08,846 https-jsse-nio-8443-exec-9 TRACE o.s.w.s.m.m.a.RequestMappingHandlerMapping getHandler Mapped to com.xqual.jira.xstudio.configuration.ConfigurationController#save(AddonConfig, AtlassianHostUser, Model)
2021-10-13 06:42:08,850 https-jsse-nio-8443-exec-9 DEBUG o.s.web.servlet.DispatcherServlet logResult Completed 401 UNAUTHORIZED, headers={masked}
2021-10-13 06:42:08,851 https-jsse-nio-8443-exec-9 DEBUG o.s.s.w.c.SecurityContextPersistenceFilter doFilter Cleared SecurityContextHolder to complete request

Any idea why that happens?

Thanks,
Matthias

@matthias1, I’m afraid not. There are a whole bunch of cases related to JWT authentication when atlassian-connect-spring-boot returns a 401 error. Try raising the log level for com.atlassian.connect.spring.
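
A triage aid for the two JWTs in the logs above, added here as an example (it is not part of the thread and not atlassian-connect-spring-boot code): it reads a token's `qsh` claim without verifying the signature and reports whether it is the fixed `context-qsh` value or a hash bound to one request. The canonical-request rules are a simplified reading of Atlassian's Connect JWT documentation; all function names, the secret and the sample tokens are constructed for the demo.

```python
import base64, hashlib, hmac, json
from urllib.parse import quote

CONTEXT_QSH = "context-qsh"  # fixed qsh claim value seen in the context JWT above

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims, secret=b"constructed-secret"):
    """Build an HS256 JWT for the demo only (constructed secret, not a real one)."""
    head = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def jwt_claims(token):
    """Decode the payload WITHOUT verifying the signature (log triage only)."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def canonical_request(method, path, params):
    """METHOD&path&query: keys sorted, values sorted and comma-joined, jwt dropped."""
    enc = lambda s: quote(s, safe="-._~")
    pairs = sorted((enc(k), ",".join(sorted(enc(v) for v in vs)))
                   for k, vs in params.items() if k != "jwt")
    query = "&".join(f"{k}={v}" for k, v in pairs)
    return f"{method.upper()}&/{path.strip('/').replace('&', '%26')}&{query}"

def compute_qsh(method, path, params):
    return hashlib.sha256(canonical_request(method, path, params).encode()).hexdigest()

def classify_qsh(token, method, path, params):
    """Say which kind of qsh a token carries and whether it fits this request."""
    qsh = jwt_claims(token).get("qsh")
    if qsh is None:
        return "missing"
    if qsh == CONTEXT_QSH:
        return "context"
    return "request-match" if qsh == compute_qsh(method, path, params) else "request-mismatch"

# Constructed sample shaped like the POST /configuration request in the log.
PARAMS = {"requirementIssueTypes": ["Task", "Epic", "Story"], "bugIssueTypes": ["Bug"],
          "showInline": ["on"], "jwt": ["<token>"]}
CONTEXT_TOKEN = make_token({"iss": "example-app", "qsh": CONTEXT_QSH})
BOUND_TOKEN = make_token({"iss": "example-app", "qsh": compute_qsh("POST", "/configuration", PARAMS)})

if __name__ == "__main__":
    for name, tok in (("context", CONTEXT_TOKEN), ("bound", BOUND_TOKEN)):
        print(name, classify_qsh(tok, "POST", "/configuration", PARAMS))
```

Run against a token copied from a DEBUG log, `jwt_claims` also shows `iss`, `aud` and `exp`, which helps narrow down which of the 401 cases applies once the `com.atlassian.connect.spring` log level has been raised.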