Jira 8 internally upgrades to Atlassian Platform 5.0. This brings a change of autowire-mode from the deprecated 'auto-detect' to 'constructor'. As a result, older versions of Kantega Single Sign-on will not work at all on Jira 8, because core components like the AtlasKerbFilter relied on setter-injection and aren't initialized properly under Jira 8.
Crucially: This core authentication component sits on top of all of Jira when Kantega SSO is installed, and when not properly initialized, it becomes impossible to use the application.
The necessary Jira 8 compatibility fixes were released in Kantega Single Sign-on 3.4.7.
If Jira server is upgraded to version 8.x before upgrading Kantega Single Sign-on to at least version 3.4.7, you will run into the issue, preventing Jira from working at all.
How is the problem seen?
You will see something similar to this in the log:
java.lang.NullPointerException at org.kantega.atlaskerb.KerbConfManager.settings(KerbConfManager.java:493) [?:?] at org.kantega.atlaskerb.KerbConfManager.isPreemptiveAuthEnabled(KerbConfManager.java:197) [?:?] at org.kantega.atlaskerb.AtlasKerberosFilter.isMappedRequest(AtlasKerberosFilter.java:342) [?:?] at org.kantega.atlaskerb.AtlasKerberosFilter.doFilter(AtlasKerberosFilter.java:93) [?:?] at
And you will be unable to log into Jira.
How to solve
Ideally upgrade Kantega Single Sign-on to 3.4.7 or newer before upgrading to Jira 8.
If you did upgrade to Jira 8 with no easy way of rolling back, you will have to remove the Kantega Single Sign-on jar file manually in order to start up successfully again.
Removal is done by:
- navigating to: <jira_home>/plugins/installed-plugins
- and removing plugins containing 'kerberosauth' in name with command rm *kerberosauth*
After the removal, please restart Jira 8 and install Kantega Single Sign-on latest version. You will not lose your configuration by reinstalling.
See also details from Atlassian on how to uninstall apps manually/in the absence of UPM:
Future versions of other Atlassian products
Atlassian Platform 5.0 will trickle to other Atlassian products in the near future, so this will be relevant for more than just Jira.
To be clear, the compatible version range of Kantega SSO can be trusted (KSSO versions before 3.4.7 are not flagged as Jira 8 compatible). The problem is that when upgrading the Atlassian server product, it's possible to ignore/postpone add-on updates and so end up with an add-on version that's not compatible with the upgraded server. This is usually not a problem, but in rare cases like this, it can take the entire application down.