ApplicationPermissionException: Forbidden (403) Encountered a "403 - Forbidden" error while loading

we have upgraded the confluence version to 7.5 and during this process we had to force migrate on to a new server due to some hard ware issues.

After the migration we are not able to authenticate confluence with jira. We are getting an error 

" com.atlassian.crowd.exception.ApplicationPermissionException: Forbidden (403) Encountered a "403 - Forbidden" error while loading this page. client.forbidden.exception Go to JIRA home". 

 

On Googling , i saw a document saying to create an application in the jira server under user management > jira user servers. how ever in the jira i'm not able to find the option "JIRA User Server" . Am i missing some thing here. This was working fine before upgrade.

1 answer

0 vote

It sounds like you're using Jira Server to host a user server for Confluence.  Since you had to change servers for this upgrade of Confluence, what likely happened is that this new server has a different IP address than the old one.

As a result, the new server cannot communicate with Jira in order to make sure these users can authenticate in Confluence.   If that is the case, then the easiest solution is to change the IP of the new confluence server to be the address of the old server and restart.  That should fix this.

If for some reason you can't do this, then you will likely need to follow the steps in Restore Passwords To Recover Admin User Rights in order to login with a local confluence admin account first.   You would need to do this to be able to reconfigure Confluence to connect to your Jira instance.

Once that is done, you might then also need to update Jira to tell it the new IP address of this new Confluence instance.  Steps to do that are in Allowing connections to JIRA for user management.

Hello Andrew,

Thank you for the reply. I have solved the issue with the help for the following link, seems like it is a bug in Jira.

https://community.atlassian.com/t5/Jira-questions/How-do-I-enable-JIRA-User-Server/qaq-p/423016

 

http://localhost:8080/secure/admin/ConfigureCrowdServer.jspa using this link directly I was able to add the application and configured the confluence.

//Sathish

Glad to hear that you found a solution.  However I don't think that the bug you referenced is the actual cause in this situation.  That bug was in reference to functional differences after migrating from Jira Cloud to Jira Server.  Also, that bug was fixed over 3 years ago.

In this case, since the IP address would have likely changed for the confluence instance, that seems like the most likely cause here.

You should still be able to navigate within Jira by going to Cog Icon -> User Management -> Jira user server to access this. Alternatively, you can also press the 'G' key twice in order to bring up a shortcut menu where you can then search for the "Jira user server" as another way to reach this.

If you are not seeing this menu item, and you are logged into Jira as a system administrator, then I would be interested to learn more about your Jira instance to understand why that menu item might not be appearing there.   If that is the case, please let me know what version of Jira this is as well.

Regards,
Andy

Hello Andrew,

I'm also struggling with the same problem. The worse thing is, the way you mentioned - Restore Passwords To Recover Admin User Rights - is also not working.

I have modified setenv.sh as below and restart confluence (I even restarted Jira in advance just for sure)

 

...
CATALINA_OPTS="-Dconfluence.context.path=${CONFLUENCE_CONTEXT_PATH} ${CATALINA_OPTS}"
CATALINA_OPTS="-Datlassian.recovery.password=admin ${CATALINA_OPTS}"

export CATALINA_OPTS

 

But I still cannot login with recovery_admin - only the error message saying "Sorry, an error occurred trying to log you in. Please try again."

Could you give me any advice on this?

 

Regards,

Ikhoon

What version of Confluence do you have?  What version of Jira?  Are you using Crowd with Confluence as well? 

It's possible the instructions to follow for Confluence could be different between the versions.  So it's important to make sure you find the version of the document that matches your version of confluence.  You can find this in the top right corner of that document.

Also try to use a unique temporary password.

If it's still failing, try to look into the $CONFHome/logs/atlassian-confluence.log file to see what kind of error might be thrown in the logs when this login fails.

Jira 7.4.1 and Confluence 6.3.1 are used, but no Crowd.

And below is the log when I try to login with 'recovery_admin' (or any other account actually)

I replaced our domain name in below log with '(Our Domain)' - Jira and Confluence are running under the same domain name but port is different (Confluence's port is 12013 but Jira's port is 80)

 

2018-03-19 16:24:56,599 ERROR [http-nio-12013-exec-3] [crowd.manager.application.ApplicationServiceGeneric] authenticateUser Directory 'Remote JIRA Directory' is not functional during authentication of 'recovery_admin'. Skipped.
-- referer: http://(Our Domain):12013/login.action?os_destination=%2Findex.action&permissionViolation=true | url: /dologin.action | traceId: fd167642c596170e
2018-03-19 16:24:56,601 WARN [http-nio-12013-exec-3] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:
->[com.atlassian.confluence.user.DefaultUserAccessor.authenticate]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #1901113736)
-- referer: http://(Our Domain):12013/login.action?os_destination=%2Findex.action&permissionViolation=true | url: /dologin.action | traceId: fd167642c596170e
2018-03-19 16:24:56,603 WARN [http-nio-12013-exec-3] [atlassian.confluence.user.ConfluenceAuthenticator] authenticate OperationFailedException caught while authenticating user <recovery_admin>.
-- referer: http://(Our Domain):12013/login.action?os_destination=%2Findex.action&permissionViolation=true | url: /dologin.action | traceId: fd167642c596170e
com.atlassian.crowd.exception.runtime.OperationFailedException
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.convertOperationFailedException(CrowdServiceImpl.java:945)
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:87)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:302)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at com.atlassian.spring.interceptors.SpringProfilingInterceptor.invoke(SpringProfilingInterceptor.java:16)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
...
...
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1533)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1489)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: com.atlassian.crowd.exception.ApplicationPermissionException: Forbidden (403) Encountered a "403 - Forbidden" error while loading this page. client.forbidden.exception Go to JIRA home
at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.throwError(RestExecutor.java:614)
at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.andReceive(RestExecutor.java:417)
at com.atlassian.crowd.integration.rest.service.RestCrowdClient.authenticateUser(RestCrowdClient.java:162)
at com.atlassian.crowd.directory.RemoteCrowdDirectory.authenticate(RemoteCrowdDirectory.java:194)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticateAndUpdateInternalUser(DbCachingRemoteDirectory.java:272)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticate(DbCachingRemoteDirectory.java:183)
at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:311)
at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.authenticateUser(ApplicationServiceGeneric.java:198)
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:75)
... 188 more



Hi @Ikhoon Chon

Looking at your stacktrace, it looks like the recovery_admin account is also trying to use the Jira server to authenticate.  In this situation, those steps won't work because your confluence instance can't reach this Jira server.

Instead I would recommend trying to follow the steps in this KB Restore Passwords To Recover Admin User Rights.  Since Jira is setup to be your user server, the steps are the same here as if you had Crowd configured to be the user server for Confluence.   The steps in this other KB will have you reset the password for an admin account that exists in the internal directory and then change the user directory order to make sure that this internal directory is on top.  Following these steps instead will allow you to at least login to Confluence as an admin. From there you can then change the user directory settings as needed.

Thanks, Andrew.

That's the correct guide, now I can finally log in Confluence with admin.

Still I can see Forbidden(403) error msg, but I will try to solve it referring to your first answer for this thread.

I will let you know when it works.

Suggest an answer

Log in or Sign up to answer
How to earn badges on the Atlassian Community

How to earn badges on the Atlassian Community

Badges are a great way to show off community activity, whether you’re a newbie or a Champion.

Learn more
Community showcase
Asked May 24, 2018 in Confluence

What are the resources that you use to learn more about Atlassian Products?

I am gathering information about resources available for Atlassian product knowledge transferring for a presentation in our local Atlassian User Group. I want to group them in four categories From ...

613 views 18 16
View question

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you