
Cannot add SSH Keys - XSRF Security Token Missing

Jere Krischel September 16, 2020

I can create projects, but I cannot add access keys to projects, or ssh keys to people.

I've already gone through all 6 options here: https://confluence.atlassian.com/bitbucketserverkb/xsrf-security-token-missing-779171343.html

I can recreate the error when I bypass my proxy (eliminating #1).

I can recreate the error when I set 'server.secure=false', or simply remove 'server.secure=' from bitbucket.properties. (eliminating #2).

I am not running any other applications on the same URL path (eliminating #3).

I am not using Bitbucket Data Center (eliminating #4).

I am starting with https, and continuing with https on all requests (eliminating #5).

I never had a jvmRoute property, nor can I find any cluster.node.name property in any file (eliminating #6).

I've tried adding x-atlassian-token: no-check as a header with haproxy, and that didn't work.

I've tried looking for any way to disable xsrf security token checking on bitbucket, but there doesn't seem to be any option for it.

I've looked at all the logs, and don't see any xsrf related information anywhere.

On the first "add key", the URL seems the same.

When I click "Retry Operation", the URL changes to /mvc/xsrfNotification

When I click "Retry Operation" again, the URL changes to /mvc/null

UPDATE

I went so far as to decompile and edit the HttpSessionXsrfTokenGenerator class, and force hasValidToken to always return true:

    public boolean hasValidToken(HttpServletRequest request) {
        return true;
    }

Despite this hard-forced override of any valid token check, I'm *still* getting:

XSRF Security Token Missing

Something tells me there's a deeper problem here than what the error message says.

UPDATE 2

When I manually hack the sal-core-4.4.0.jar, and com/atlassian/sal/core/xsrf/IndependentXsrfTokenValidator.java, I can disable the check and it works. I haven't been able to trace exactly why it's failing there for adding ssh keys.

0 answers

Deployment type: Server
Version: 7.6