Preparing for Jira Software 10.0 and Jira Service Management 6.0 - multiple EAPs coming your way

Hi Guys,

In the latest version of EAP:

get contextPath from request for icons in web-item does not work, below is an example:

<web-item key="..." name="..." section="jira.project.sidebar.plugins.navigation" weight="1000">
        <link linkId="...">...</link>
        <icon height="16" width="16">
            <link>$req.contextPath/download/resources/com.myplugin.pl/sidebarIcon.png</link>
        </icon>
        <label key=".."/>
    </web-item>

I tried adding the entries below but unfortunately it still doesn’t work:

<velocity-allowlist key="..." name="...">
        ...
        <method>com.atlassian.jira.web.debug.BreakpointReadyHttpServletRequest#getContextPath()</method>
</velocity-allowlist>

and

<velocity-allowlist key="..." name="...">
        ...
        <method>javax.servlet.http.HttpServletRequest#getContextPath()</method>
</velocity-allowlist>

there is a lot of garbage in the logs regarding the quickreload app

2024-07-15 19:23:55,498+0200 http-nio-2990-exec-13 url: /jira/internal-error ERROR      [c.a.j.web.servlet.InternalServerErrorServlet] {errorId=6818b40e-40a2-4f5b-9ca4-a3b84c02776f, interpretedMsg=, cause=A MultiException has 1 exceptions.  They are:
    1. java.lang.NoSuchMethodException: Could not find a suitable constructor in com.atlassian.labs.plugins.quickreload.rest.BatchingResource class.
    , stacktrace=A MultiException has 1 exceptions.  They are:
        1. java.lang.NoSuchMethodException: Could not find a suitable constructor in com.atlassian.labs.plugins.quickreload.rest.BatchingResource class.
        
    	at org.jvnet.hk2.internal.Collector.throwIfErrors(Collector.java:65) [hk2-locator-2.6.1.jar:?]
    	at org.jvnet.hk2.internal.Utilities.justCreate(Utilities.java:1044) [hk2-locator-2.6.1.jar:?]
    	at org.jvnet.hk2.internal.ServiceLocatorImpl.create(ServiceLocatorImpl.java:968) [hk2-locator-2.6.1.jar:?]
    	at org.jvnet.hk2.internal.ServiceLocatorImpl.createAndInitialize(ServiceLocatorImpl.java:1072) [hk2-locator-2.6.1.jar:?]
    	at org.jvnet.hk2.internal.ServiceLocatorImpl.createAndInitialize(ServiceLocatorImpl.java:1064) [hk2-locator-2.6.1.jar:?]
    	at org.glassfish.jersey.inject.hk2.AbstractHk2InjectionManager.createAndInitialize(AbstractHk2InjectionManager.java:201) [jersey-hk2-2.42.jar:?]

Dark theme - when trying to turn it on

2024-07-15 20:00:36,407+0200 http-nio-2990-exec-9 url: /jira/internal-error ERROR      [c.a.j.web.servlet.InternalServerErrorServlet] {errorId=0fb5cb01-8cfd-4d5f-ac86-862b80cb6471, interpretedMsg=, cause=A MultiException has 1 exceptions.  They are:
    1. java.lang.NoSuchMethodException: Could not find a suitable constructor in com.atlassian.theme.user.PreferenceRestResource class.
    , stacktrace=A MultiException has 1 exceptions.  They are:
        1. java.lang.NoSuchMethodException: Could not find a suitable constructor in com.atlassian.theme.user.PreferenceRestResource class.
        
    	at org.jvnet.hk2.internal.Collector.throwIfErrors(Collector.java:65) [hk2-locator-2.6.1.jar:?]
    	at org.jvnet.hk2.internal.Utilities.justCreate(Utilities.java:1044) [hk2-locator-2.6.1.jar:?]
    	at org.jvnet.hk2.internal.ServiceLocatorImpl.create(ServiceLocatorImpl.java:968) [hk2-locator-2.6.1.jar:?]
    	at org.jvnet.hk2.internal.ServiceLocatorImpl.createAndInitialize(ServiceLocatorImpl.java:1072) [hk2-locator-2.6.1.jar:?]
    	at org.jvnet.hk2.internal.ServiceLocatorImpl.createAndInitialize(ServiceLocatorImpl.java:1064) [hk2-locator-2.6.1.jar:?]
    	at org.glassfish.jersey.inject.hk2.AbstractHk2InjectionManager.createAndInitialize(AbstractHk2InjectionManager.java:201) [jersey-hk2-2.42.jar:?]

Cheers
Adam

I am testing my app against EAP06 and have problems with the allowlist.

My method invocations are blocked, even though I have them allowlisted.

My allowlist:

    <velocity-allowlist key="velocity-allowlist-myapp">
        <method>com.myapp.web.CustomMessageSource#getText(java.lang.String)</method>
        <method>com.atlassian.jira.config.properties.ApplicationPropertiesImpl#getText(java.lang.String)</method>
        <method>com.atlassian.jira.security.JiraAuthenticationContextImpl#getLocale()</method>
        <method>com.myapp.services.UserAndGroupService#getRemoteUserTimeZone()</method>
        <method>com.myapp.services.OnlineHelpLinkService#getPluginVersion()</method>
        <method>com.atlassian.jira.config.properties.ApplicationPropertiesImpl#getText(java.lang.String)</method>
    </velocity-allowlist>

And I get in the logs:

2024-07-16 07:27:25,420+0000 http-nio-8080-exec-4 url: /secure/Myapp.jspa; user: admin WARN admin 447x380x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.myapp.web.CustomMessageSource#getText(java.lang.String)
2024-07-16 07:27:25,431+0000 http-nio-8080-exec-4 url: /secure/Myapp.jspa; user: admin WARN admin 447x380x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.myapp.web.CustomMessageSource#getText(java.lang.String)
2024-07-16 07:27:25,431+0000 http-nio-8080-exec-4 url: /secure/Myapp.jspa; user: admin WARN admin 447x380x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.myapp.web.CustomMessageSource#getText(java.lang.String)
2024-07-16 07:27:25,431+0000 http-nio-8080-exec-4 url: /secure/Myapp.jspa; user: admin WARN admin 447x380x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.myapp.web.CustomMessageSource#getText(java.lang.String)
2024-07-16 07:27:25,431+0000 http-nio-8080-exec-4 url: /secure/Myapp.jspa; user: admin WARN admin 447x380x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.myapp.web.CustomMessageSource#getText(java.lang.String)
2024-07-16 07:27:25,431+0000 http-nio-8080-exec-4 url: /secure/Myapp.jspa; user: admin WARN admin 447x380x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.myapp.web.CustomMessageSource#getText(java.lang.String)
2024-07-16 07:27:25,431+0000 http-nio-8080-exec-4 url: /secure/Myapp.jspa; user: admin WARN admin 447x380x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.atlassian.jira.config.properties.ApplicationPropertiesImpl#getText(java.lang.String)
2024-07-16 07:27:25,431+0000 http-nio-8080-exec-4 url: /secure/Myapp.jspa; user: admin WARN admin 447x380x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.atlassian.jira.security.JiraAuthenticationContextImpl#getLocale()
2024-07-16 07:27:25,432+0000 http-nio-8080-exec-4 url: /secure/Myapp.jspa; user: admin WARN admin 447x380x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.myapp.services.UserAndGroupService#getRemoteUserTimeZone()
2024-07-16 07:27:25,432+0000 http-nio-8080-exec-4 url: /secure/Myapp.jspa; user: admin WARN admin 447x380x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.myapp.services.OnlineHelpLinkService#getPluginVersion()
2024-07-16 07:27:26,482+0000 http-nio-8080-exec-5 url: /secure/Myapp.jspa; user: admin WARN admin 447x388x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.myapp.web.CustomMessageSource#getText(java.lang.String)
2024-07-16 07:27:26,482+0000 http-nio-8080-exec-5 url: /secure/Myapp.jspa; user: admin WARN admin 447x388x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.myapp.web.CustomMessageSource#getText(java.lang.String)
2024-07-16 07:27:26,482+0000 http-nio-8080-exec-5 url: /secure/Myapp.jspa; user: admin WARN admin 447x388x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.myapp.web.CustomMessageSource#getText(java.lang.String)
2024-07-16 07:27:26,482+0000 http-nio-8080-exec-5 url: /secure/Myapp.jspa; user: admin WARN admin 447x388x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.myapp.web.CustomMessageSource#getText(java.lang.String)
2024-07-16 07:27:26,482+0000 http-nio-8080-exec-5 url: /secure/Myapp.jspa; user: admin WARN admin 447x388x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.myapp.web.CustomMessageSource#getText(java.lang.String)
2024-07-16 07:27:26,482+0000 http-nio-8080-exec-5 url: /secure/Myapp.jspa; user: admin WARN admin 447x388x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.myapp.web.CustomMessageSource#getText(java.lang.String)
2024-07-16 07:27:26,483+0000 http-nio-8080-exec-5 url: /secure/Myapp.jspa; user: admin WARN admin 447x388x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.myapp.web.CustomMessageSource#getText(java.lang.String)
2024-07-16 07:27:26,483+0000 http-nio-8080-exec-5 url: /secure/Myapp.jspa; user: admin WARN admin 447x388x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.atlassian.jira.config.properties.ApplicationPropertiesImpl#getText(java.lang.String)
2024-07-16 07:27:26,483+0000 http-nio-8080-exec-5 url: /secure/Myapp.jspa; user: admin WARN admin 447x388x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.atlassian.jira.security.JiraAuthenticationContextImpl#getLocale()
2024-07-16 07:27:26,483+0000 http-nio-8080-exec-5 url: /secure/Myapp.jspa; user: admin WARN admin 447x388x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.myapp.services.UserAndGroupService#getRemoteUserTimeZone()
2024-07-16 07:27:26,483+0000 http-nio-8080-exec-5 url: /secure/Myapp.jspa; user: admin WARN admin 447x388x1 1soem64 192.168.178.73 /secure/Myapp.jspa [velocity] Invocation blocked as method is not allowlisted: com.myapp.services.OnlineHelpLinkService#getPluginVersion()

I followed the docs and I cannot see what I am doing wrong … any help appreciated

Hey,
Did you also configure the velocity engine like this?

Hi @clouless

in my case, when I added the com.atlassian.* method, the entire list was automatically disabled, try removing the Atlassian methods

Log

2024-07-16 10:10:39,153+0200 http-nio-2990-exec-12 url: /jira/rest/projects/1.0/sidebar/issue/AISM-1; user: admin WARN admin 610x22028x1 ycqayj 0:0:0:0:0:0:0:1 /rest/projects/1.0/sidebar/issue/AISM-1 [c.a
.v.a.impl.internal.PluginAllowlistConfigurator] Class com.atlassian.jira.web.debug.BreakpointReadyHttpServletRequest cannot be loaded - disabling Velocity Allowlist plugin module com.itlab.jira.plugins.ex
tender:extender-velocity-allowlist

Cheers
Adam

Hi @clouless I’d like to ask a question: did you check the logs in the previous EAP5 if there were any logs regarding methods which need allowlisting (DEBUG MODE: Method needs allowlisting: <method>) after you’ve added the list in the xml file? We would like to check if this is something which broke between EAP 5 and 6.

It seems that @adam.labus answer should help you. Thanks @adam.labus for pointing it out.

@clouless, is there a log-message indicating that you have an invalid allowlist-entry? At least for Confluence 9 there is, either when there is no method found for the entry, or when the method is not coming from “your” classloader.
@MaciejSzarecki, in case there is no such log-message in Jira 10: Please add it. That was highly useful for my Confluence9-compatibility work.

@adam.labus, @clouless and @AndreasEbert if you have some methods which are blocked and adding them in xml file is breaking your allowlists then please list them here we will check them and add if needed.

Thanks @AndreasEbert , @adam.labus , @MaciejSzarecki , @RobinDelmas ,

I think it was as Adam said, I needed to get rid of the atlassian packages in my allowlist.
I wrapped the methods in a simple service and now it works:

        <method>com.myapp.services.VelocityTemplateHelperService#getApplicationProperties_getJiraTitle()</method>
        <method>com.myapp.services.VelocityTemplateHelperService#getJiraAuthenticationContext_getLocale()</method>

And

package com.myapp.services;

import com.atlassian.jira.config.properties.ApplicationProperties;
import com.atlassian.jira.security.JiraAuthenticationContext;

// SPRING-BEAN
public class VelocityTemplateHelperService {

  private ApplicationProperties applicationProperties;
  private JiraAuthenticationContext jiraAuthenticationContext;

  public VelocityTemplateHelperService(ApplicationProperties applicationProperties, JiraAuthenticationContext jiraAuthenticationContext) {
    this.applicationProperties = applicationProperties;
    this.jiraAuthenticationContext = jiraAuthenticationContext;
  }

  public String getApplicationProperties_getJiraTitle() {
    return this.applicationProperties.getText("jira.title");
  }

  public String getJiraAuthenticationContext_getLocale() {
    return this.jiraAuthenticationContext.getLocale().toLanguageTag();
  }

}

@MaciejSzarecki

Methods for web-item icon - I’m not sure which one exactly, I see these two methods in the logs

<method>com.atlassian.jira.web.debug.BreakpointReadyHttpServletRequest#getContextPath()</method>
<method>javax.servlet.http.HttpServletRequest#getContextPath()</method>

Example:

<web-item key="..." name="..." section="jira.project.sidebar.plugins.navigation" weight="1000">
   <link linkId="...">...</link>
   <icon height="16" width="16">
      <link>$req.contextPath/download/resources/com.myplugin.pl/sidebarIcon.png</link>
   </icon>
   <label key=".."/>
</web-item>

The only log-spam I still see is this now. I am not sure what the origin of this is. Maybe it is unrelated to my app. Has anyone seen this too?

2024-07-16 09:05:30,814+0000 web-items-info-map-rebuild-throttle ERROR      [c.atlassian.velocity.DefaultVelocityManager] MethodInvocationException occurred getting message body from Velocity: java.lang.NullPointerException: Cannot invoke "String.length()" because "s" is null
java.lang.NullPointerException: Cannot invoke "String.length()" because "s" is null
	at java.base/java.net.URLEncoder.encode(URLEncoder.java:224)
	at java.base/java.net.URLEncoder.encode(URLEncoder.java:196)
	at com.atlassian.audit.frontend.util.URLEncoderUtil.encode(URLEncoderUtil.java:23)
	at jdk.internal.reflect.GeneratedMethodAccessor878.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.doInvoke(UberspectImpl.java:418)
	at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:407)
	at com.atlassian.velocity.htmlsafe.introspection.UnboxingMethod.invoke(UnboxingMethod.java:28)
	at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:270)
	at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:262)
	at org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:342)
	at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:336)
	at org.apache.velocity.runtime.RuntimeInstance.render(RuntimeInstance.java:1267)
	at org.apache.velocity.runtime.RuntimeInstance.evaluate(RuntimeInstance.java:1206)
	at org.apache.velocity.runtime.RuntimeInstance.evaluate(RuntimeInstance.java:1155)
	at org.apache.velocity.app.VelocityEngine.evaluate(VelocityEngine.java:219)
	at com.atlassian.velocity.DefaultVelocityManager.writeEncodedBodyForContent(DefaultVelocityManager.java:75)
	at com.atlassian.jira.template.velocity.DefaultVelocityTemplatingEngine$DefaultRenderRequest.toWriterImpl(DefaultVelocityTemplatingEngine.java:129)
	at com.atlassian.jira.template.velocity.DefaultVelocityTemplatingEngine$DefaultRenderRequest.asPlainText(DefaultVelocityTemplatingEngine.java:108)
	at com.atlassian.jira.template.velocity.DefaultVelocityTemplatingEngine$DefaultRenderRequest$1.with(DefaultVelocityTemplatingEngine.java:92)
	at com.atlassian.jira.template.velocity.DefaultVelocityTemplatingEngine$DefaultRenderRequest$StringRepresentation.toString(DefaultVelocityTemplatingEngine.java:77)
	at com.atlassian.jira.template.velocity.DefaultVelocityTemplatingEngine$DefaultRenderRequest.asPlainText(DefaultVelocityTemplatingEngine.java:94)
	at com.atlassian.jira.plugin.webfragment.JiraWebFragmentHelper.getPlainText(JiraWebFragmentHelper.java:90)
	at com.atlassian.jira.plugin.webfragment.JiraWebFragmentHelper.renderVelocityFragment(JiraWebFragmentHelper.java:84)
	at com.atlassian.plugin.web.model.DefaultWebLink.getRenderedUrl(DefaultWebLink.java:32)
	at com.atlassian.jira.plugin.webfragment.model.JiraWebLink.getRenderedUrl(JiraWebLink.java:58)
	at com.atlassian.app.usage.core.features.user.interaction.servlet.service.WebItemModulesService.getWebItemUrl(WebItemModulesService.kt:124)
	at com.atlassian.app.usage.core.features.user.interaction.servlet.service.WebItemModulesService.rebuildCache(WebItemModulesService.kt:84)
	at com.atlassian.app.usage.core.features.user.interaction.servlet.service.WebItemModulesService$cacheRebuildScheduler$1.invoke(WebItemModulesService.kt:27)
	at com.atlassian.app.usage.core.features.user.interaction.servlet.service.WebItemModulesService$cacheRebuildScheduler$1.invoke(WebItemModulesService.kt:27)
	at com.atlassian.app.usage.core.modules.CacheRebuildScheduler$scheduleCacheRebuild$$inlined$timerTask$1.run(Timer.kt:149)
	at java.base/java.util.TimerThread.mainLoop(Timer.java:566)
	at java.base/java.util.TimerThread.run(Timer.java:516)

@clouless about all those com.atlassian methods (3) it seems that they are missing on our main allowlist - we will add them for the next EAP so you don’t need to do it

Yes, seeing and being annoyed by it also. I suspect this coming from Jira itself, not our apps.

@MaciejSzarecki

Next pack of methods

<method>com.riadalabs.jira.plugins.insight.services.jira.customfield.util.deprecated.RefCustomFieldVMUtils#getParentObjectMap()</method>
<method>com.atlassian.greenhopper.model.lexorank.LexoRank#toString()</method>
<method>com.atlassian.jira.web.debug.BreakpointReadyHttpServletRequest#getRequestURI()</method>
<method>com.atlassian.jira.datetime.DateTimeFormatterImpl#forLoggedInUser()</method>

Also

com.atlassian.jira.i18n.AbstractI18nResolver#getText(java.util.Locale java.lang.String)

Hi @clouless

As @adam / @MaciejSzarecki said.

Plugins may define their own allowlist using this module descriptor, which will supplement the global allowlist. Plugins can only define allowlist entries for their own classes.

Please see for more details: https://developer.atlassian.com/server/framework/atlassian-sdk/configuring-the-velocity-allowlist/
Thanks

Is there a way to customize or override Jackson ObjectMapper used in plugin REST v2?
Jackson Modules seem to be working, but I want to disable specific Jackson feature, which seems to be impossible via module API.

Is it possible to have news of the Atlassian Testkit please?

With all the changes in Jira 10, we noticed a huge regression in our integration tests…

Hi guys,

we encountered some issues regarding our REST endpoints that use the @Autowired annotation on the constructor. That results in warnings like

    MultiException stack 1 of 2
    java.lang.NoSuchMethodException: Could not find a suitable constructor in de.resolution.usersync.rest.NotificationRestResource class.

which can be mitigated by using @Inject instead.

However, to our knowledge both annotations should do the same in practice thus we were wondering if that was an intentional change?

Best regards,
Christopher

Hi! REST resource classes are instantiated by hk2 in jersey 2, hence Spring’s @Autowired will not work, it was an intentional change.

Hi! Currently it’s not possible for plugins to customize REST’s object mapper config.