Connecting Confluence to Jira for user directory - Error 403 Forbidden

web-impressions December 28, 2018

Error message:
Verbindungstest fehlgeschlagen. Antwort vom Server:
com.atlassian.crowd.exception.ApplicationPermissionException: Forbidden (403) Encountered a "403 - Forbidden" error while loading this page. client.forbidden.exception Go to Jira home

What I did in Jira:
1) I disabled Security / Whitelist to ensure Confluence is not blocked by Jira
2) "Jira user server": I configured an "Application name" and "Password" (copy & paste to avoid typos) and the following list of allowed IPs:

192.168.8.102
confluence.fritz.box
::1
192.168.8.101
confluence
192.168.8.230
hypervisor
hypervisor.fritz.box
127.0.0.1

What I did in Confluence:
3) I configured it to use the URL "http://jira.fritz.box" and the same "Application name" and "Password" as above.
4) When clicking on "Test-Einstellungen" I get the above error

It was configured and working in earlier versions of Jira and Confluence but failed somehow after migrating to IP and after updating to the new version of both. I did not notice that error in between, so I do not know after which change it broke.

So maybe there is some bad (broken cache, now incompatible config, etc.) stuff in my home dir or in my database...

How to debug it further?

There is no network issue and no firewall between Jira and Confluence. Nslookup, ping and curl are working between both containers. Application Links between Jira and Confluence are reported by Jira and Confluence as connected. No timeouts in the logs. The above error seems to be an authentication issue / Jira security feature.


Background:
Jira runs in a docker container. Its postgresql database server runs in another docker container. Both containers are in the same docker network (--net). Both containers run on the same docker host (physical machine). The Jira container is published as port 80 to a dedicated IP on that host (192.168.8.101:80:8080; host has multiple IPs assigned). My router (DNS) is resolving http://jira.fritz.box as 192.168.8.101.

Confluence runs in a docker container. Its postgresql database server runs in another docker container. Both containers are in the same docker network (--net; different to the docker network of Jira). Both containers run on the same docker host (physical machine). The Confluence container is published as port 80 to a dedicated IP on that host (192.168.8.102:80:8080; host has multiple IPs assigned). My router (DNS) is resolving http://jira.fritz.box as 192.168.8.102


Answer accepted
web-impressions December 28, 2018

As both docker containers are on the same host, the communication is not going over the wire. There is dockerNet-to-dockerNet routing doing its job. This means: from the perspective of the Jira container, the request does not come from the Confluence IP (Confluence is bound to 192.168.8.102:80); instead it reaches Jira via the gateway (172.19.0.1 in my case) of Jira's docker network. If I add that gateway IP to step (2) then it works. This is not a docker problem, nor is it specific to docker. If you are not aware of NAT (network address translation) between Jira and Confluence, this can make you struggle with the above message - via Google you find a lot of people struggling...

I really wonder why Atlassian is using two different configuration implementations:
1) a wizard on first Confluence start and
2) a config in the admin area

but not making the wizard available in the admin area.
The wizard is pretty cool, as it does not force you to create something in Jira on your own - it does that for you. I would love to see Atlassian adding the wizard to the admin area:
a) "I am a Jira admin" => wizard
b) "I am not a Jira admin" => classic config tool (but pimped with gateway IP detection from the wizard)

Docker users can find the gateway IP of jira container by running:

docker inspect jira7130 | jq '.[].NetworkSettings.Networks[].Gateway'

And if you do not have jq installed, run only the left part of the pipe and search for the gateway IP in the output. Replace jira7130 with the name of your Jira container.

HeadPoint January 3, 2020

In case somebody faces the same issue and uses swarm mode: in swarm mode containers are being accessed via ingress network which is 10.255.0.0/24 and this address must be configured as an app ip.

Mhasan January 20, 2020

@web-impressions hello

I have the same problem and I did as you said, but still receive the same error: Connection test failed. Response from the server: com.atlassian.crowd.exception.ApplicationPermissionException: Forbidden (403) Encountered a "403 - Forbidden" error while loading this page. client.forbidden.exception Go to Jira home

When we first started Confluence and set the user directory to the Jira directory it worked. But then we had a problem and deleted the application link and directory; now I can't add the same directory from the admin panel.

Any thoughts on how to fix that?

Thanks

Mohammadhasan

Pavel Junek
Community Leader
August 31, 2020

Hi @Mhasan,

I had the same problem as you, but once I added the IP address that @HeadPoint mentioned to "Jira user server settings", it started working (IP for Swarm is 10.255.0.0/24).

@HeadPoint Many thanks for the help! 

Cheers,

Pavel

Pavel Junek
Community Leader
January 28, 2021

Or you can use in Jira user server setting (allowed IP Addresses):

 

By default Docker Swarm uses a default address pool 10.0.0.0/8 for global scope (overlay) networks.
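
The check described in the accepted answer and the Swarm comments, as an added example (not code from the original posts or from Atlassian): it reads `docker inspect` output for the Jira container and reports which gateway addresses are absent from the allowed-IP list of step (2). The network name, the container address and the matching logic are assumptions; hostname entries are not resolved so the example runs offline.

```python
import ipaddress
import json

# Constructed sample shaped like `docker inspect <jira-container>` output.
# Network name and container address are made up; the gateway is the one
# quoted in the accepted answer.
SAMPLE_INSPECT = json.dumps([{
    "NetworkSettings": {"Networks": {
        "jira_net": {"Gateway": "172.19.0.1", "IPAddress": "172.19.0.3"}
    }}
}])

# Allowed-address list from the question (step 2), as entered in Jira.
ALLOWED = ["192.168.8.102", "confluence.fritz.box", "::1", "192.168.8.101",
           "confluence", "192.168.8.230", "hypervisor",
           "hypervisor.fritz.box", "127.0.0.1"]

def gateways(inspect_json):
    """Gateway address of every network the inspected container is attached to."""
    found = []
    for container in json.loads(inspect_json):
        for net in container["NetworkSettings"]["Networks"].values():
            if net.get("Gateway"):
                found.append(net["Gateway"])
    return found

def parse_entries(entries):
    """Split allow-list entries into IP networks (single IP or CIDR) and hostnames."""
    nets, names = [], []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.append(entry)  # not an address literal: treat as a hostname
    return nets, names

def is_allowed(source, entries):
    """True if the source address matches a literal IP or CIDR entry (assumed semantics)."""
    addr = ipaddress.ip_address(source)
    nets, _ = parse_entries(entries)
    return any(addr.version == n.version and addr in n for n in nets)

def missing_sources(inspect_json, entries):
    """Gateways that the Jira container sees as request source but the list lacks."""
    return [g for g in gateways(inspect_json) if not is_allowed(g, entries)]

if __name__ == "__main__":
    print("not in allowed list:", missing_sources(SAMPLE_INSPECT, ALLOWED))
```

Adding the single reported gateway address keeps the list narrower than a whole address pool, which admits every host in that range as a source.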
