Bamboo login or any page with !method.action in the URL displays custom Access Denied error
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
When trying to access the Bamboo login page or any other page within Bamboo that has !method.action (exclamation mark, method, dot, action) in the URL, a custom Access Denied page is displayed.
Environment
KEMP Load Balancer with WAF enabled
Any WAF software running ModSecurity
Diagnosis
Generic:
Tail the Bamboo access logs at
$BAMBOO_INSTALL/logs/access_log.YYYY-MM-DD
Visit $BAMBOO_BASE_URL/userlogin!doDefault.action in the browser.
A plain page showing only "Access Denied" (or another custom variant) is displayed, rather than Bamboo's standard 403 or permission denied page.
If the request does not show in the access logs, it was blocked by something else in-between.
Kemp specific:
Check the WAF logs for any blocked requests:
Example:
2021-06-14T12:36:12+08:00 HA-2 wafd: [client 172.0.0.1] ModSecurity: Access denied with connection close (phase 2). String match "!" at REQUEST_FILENAME. [file "/tmp/waf/18/modsecurity_slr_46_known_vulns.conf"] [line "497"] [id "2100076"] [msg "SLR: Apache Struts Dynamic Method Invocation Attempt"] [data "/userlogin!doDefault.action"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [tag "CVE-2013-4316"] [tag http://struts.apache.org/release/2.3.x/docs/s2-019.html] [hostname "192.168.1.1 (Bamboo)"] [uri "/userlogin!doDefault.action"] [unique_id "31f76e92-d20f-4efd-81a-642273ee61d7"}
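To make the WAF log check above repeatable, the following added example (not part of this article or of Kemp's tooling) parses ModSecurity "Access denied" lines in the format shown and separates blocks caused by the Struts Dynamic Method Invocation signature on Bamboo !method.action URLs from other denials. The sample log lines are constructed; the first mirrors the example above, the second is an unrelated block.

```python
"""Triage ModSecurity "Access denied" lines in a WAF log (format as in the Kemp example above)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List
# Bracketed fields appear as [key "value"] or [key value]; "tag" may repeat.
FIELD_RE = re.compile(r'\[(\w+) "?([^"\]]*)"?\]')
# Bamboo (Struts-style) action URLs: /page!method.action, optionally followed by a query.
BAMBOO_DMI_URI_RE = re.compile(r'/\w+![A-Za-z]\w*\.action(?:[?#]|$)')
DMI_MSG = "Dynamic Method Invocation"   # rule message used by the Struts DMI signature

# Constructed sample: line 1 mirrors the article's example, line 2 is an unrelated block.
SAMPLE_LOG = """\
2021-06-14T12:36:12+08:00 HA-2 wafd: [client 172.0.0.1] ModSecurity: Access denied with connection close (phase 2). String match "!" at REQUEST_FILENAME. [file "/tmp/waf/18/modsecurity_slr_46_known_vulns.conf"] [line "497"] [id "2100076"] [msg "SLR: Apache Struts Dynamic Method Invocation Attempt"] [data "/userlogin!doDefault.action"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [tag "CVE-2013-4316"] [hostname "192.168.1.1 (Bamboo)"] [uri "/userlogin!doDefault.action"] [unique_id "example-0001"]
2021-06-14T12:40:03+08:00 HA-2 wafd: [client 172.0.0.2] ModSecurity: Access denied with code 403 (phase 2). [file "/tmp/waf/18/other.conf"] [id "9999999"] [msg "Unrelated signature"] [severity "CRITICAL"] [hostname "192.168.1.1 (Bamboo)"] [uri "/rest/api/latest/plan"] [unique_id "example-0002"]
"""

@dataclass
class WafEvent:
    fields: Dict[str, str] = field(default_factory=dict)
    tags: List[str] = field(default_factory=list)

def parse_waf_line(line: str) -> WafEvent:
    """Extract the bracketed key/value fields; tags are collected into a list."""
    ev = WafEvent()
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            ev.tags.append(value)
        else:
            ev.fields[key] = value
    return ev

def is_bamboo_dmi_block(ev: WafEvent) -> bool:
    """True when the Struts DMI signature fired on a Bamboo !method.action URL."""
    return DMI_MSG in ev.fields.get("msg", "") and bool(
        BAMBOO_DMI_URI_RE.search(ev.fields.get("uri", "")))

def triage(log_text: str) -> Dict[str, List[WafEvent]]:
    """Split denied requests into Bamboo DMI false positives and everything else."""
    result: Dict[str, List[WafEvent]] = {"bamboo_dmi": [], "other": []}
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue
        ev = parse_waf_line(line)
        result["bamboo_dmi" if is_bamboo_dmi_block(ev) else "other"].append(ev)
    return result

if __name__ == "__main__":
    for bucket, events in triage(SAMPLE_LOG).items():
        print(bucket, [(e.fields["id"], e.fields["uri"]) for e in events])
```

Run it against the real WAF log instead of SAMPLE_LOG; the rule IDs and URIs in the bamboo_dmi bucket are the ones to cover with the exclusion described under Solution.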
Cause
A request that never reaches the Bamboo access logs is being blocked by something between the client and Bamboo. Any WAF running ModSecurity may be using a generic ruleset that blocks Apache Struts Dynamic Method Invocation (the !method.action URL pattern), which Bamboo uses legitimately.
Solution
Bamboo needs to be granted an exemption / exclusion in the WAF configuration so that the rule that fires on Bamboo's !method.action URLs (ID 2100076, "SLR: Apache Struts Dynamic Method Invocation Attempt", in the example above) no longer blocks requests to Bamboo.