Details
- Bug
- Resolution: Unresolved
- Low
- None
- 5.2.3
- None
- 1
- Severity 3 - Minor
- 1
Description
Issue Descriptions
Login fails intermittently when using the Crowd Authenticator.
The issue might be intermittent if the X-Forwarded-For headers contain all random IP addresses between the Crowd app (AWS EC2) and the ELB.
As per the Crowd documentation, configuring a trusted proxy server means that Crowd will iterate through the client IP address and the IP addresses in the X-Forwarded-For header from right to left and pick the first IP address that is not a trusted proxy. The address is then used as the client's IP address.
If the IP address has the form x.x.x.x:port, Crowd authentication fails with the error below:
2024-01-24 23:21:38,064 http-nio-8095-exec-4 ERROR [console.action.principal.AddPrincipal] java.net.UnknownHostException: X.X.X.X:<port>: invalid IPv6 address literal
java.lang.RuntimeException: java.net.UnknownHostException: X.X.X.X:<port>: invalid IPv6 address literal
    at com.atlassian.crowd.manager.validation.XForwardedForUtil.getTrustedAddress(XForwardedForUtil.java:42)
Workaround
- If the customer is using AWS, reconfigure the AWS load balancer to exclude the port number from the X-Forwarded-For header.
- This can be done by setting the parameter routing.http.xff_client_port.enabled to false, as described in the documentation below:
routing.http.xff_client_port.enabled - Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer. The possible values are true and false. The default is false.
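The right-to-left selection described above, as an added Python example (not Crowd's code) in which an entry of the form x.x.x.x:port is accepted by dropping the port before the trust check. The function names, addresses and trusted range are constructed for illustration, and the example goes slightly beyond the issue by also handling bracketed IPv6 entries with a port.

```python
import ipaddress

def parse_xff_entry(entry):
    """Return the IP address in one X-Forwarded-For entry, dropping any port."""
    s = entry.strip()
    if s.startswith("["):                 # "[2001:db8::5]:443" or "[2001:db8::5]"
        host, sep, rest = s[1:].partition("]")
        if not sep or (rest and not (rest[0] == ":" and rest[1:].isdigit())):
            raise ValueError(f"malformed X-Forwarded-For entry: {entry!r}")
        return ipaddress.IPv6Address(host)
    if s.count(":") == 1:                 # exactly one colon: IPv4 plus port
        host, _, port = s.partition(":")
        if not port.isdigit():
            raise ValueError(f"malformed X-Forwarded-For entry: {entry!r}")
        return ipaddress.IPv4Address(host)
    return ipaddress.ip_address(s)        # bare IPv4 or bare IPv6

def client_address(peer, xff_header, trusted_proxies):
    """Walk the socket peer and the XFF entries right to left and return the
    first address that is not a trusted proxy. An entry that cannot be parsed
    raises ValueError, so the caller can reject the request instead of guessing."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    hops = [e for e in xff_header.split(",") if e.strip()] + [peer]
    addr = None
    for entry in reversed(hops):
        addr = parse_xff_entry(entry)
        if not any(addr in net for net in trusted):
            return addr                   # first hop that is not a trusted proxy
    return addr                           # every hop was trusted: leftmost entry

# Constructed sample: load balancer at 10.0.1.15, trusted range 10.0.0.0/16.
TRUSTED = ["10.0.0.0/16"]

if __name__ == "__main__":
    samples = [
        "203.0.113.7:51234",              # port preserved by the load balancer
        "10.0.0.99, 198.51.100.23:40022", # leftmost value supplied by the client
        "[2001:db8::5]:443",
    ]
    for header in samples:
        print(header, "->", client_address("10.0.1.15", header, TRUSTED))
```

Values to the left of the first untrusted hop are never consulted, so a client-supplied entry cannot make the request look as if it came from a trusted address.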
Issue Links
- is cloned by KRAK-5644