Details
Bug
Resolution: Fixed
Medium
None
1.6.2
None
Description
There's a bug in the Crowd Apache connector to do with the relative timeouts on the validity of app tokens. If the cache expiry time in the Apache connector is longer than the expiry time of the app token in Crowd, then the connector will use an expired app token (which it thinks is still valid) to authenticate principals. The problem is that when this principal authentication fails (which it will, because the app token is no longer valid), the Apache connector doesn't dump the app token cache, because it thinks that the authentication failed because the principal credentials were wrong.
This bug is easy to work around: always set the Apache connector expiry to something less than the Crowd server expiry.
(see CWDSUP-2050)
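The failure mode and the workaround described above, as an added toy model (not the connector's or Crowd's own code). FakeCrowd, Connector, run, the result strings, the sample credentials and all times in seconds are constructed for illustration; the "drop the token and retry once" variant is an assumed remedy, not the fix shipped by the project.

```python
class FakeCrowd:
    """Constructed stand-in for the Crowd server; app tokens expire after token_ttl seconds."""
    def __init__(self, token_ttl):
        self.token_ttl = token_ttl
        self.issued = {}      # app token -> time it was issued
        self.counter = 0

    def authenticate_app(self, now):
        self.counter += 1
        token = f"app-token-{self.counter}"
        self.issued[token] = now
        return token

    def authenticate_principal(self, token, user, password, now):
        issued = self.issued.get(token)
        if issued is None or now - issued >= self.token_ttl:
            return "INVALID_APP_TOKEN"   # assumed: server can signal this case
        # Constructed sample credentials.
        return "OK" if (user, password) == ("alice", "s3cret") else "BAD_CREDENTIALS"


class Connector:
    """Hypothetical connector that caches the app token for cache_ttl seconds."""
    def __init__(self, crowd, cache_ttl, drop_token_on_failure):
        self.crowd, self.cache_ttl = crowd, cache_ttl
        self.drop_token_on_failure = drop_token_on_failure
        self.token, self.cached_at = None, None

    def _app_token(self, now):
        if self.token is None or now - self.cached_at >= self.cache_ttl:
            self.token, self.cached_at = self.crowd.authenticate_app(now), now
        return self.token

    def login(self, user, password, now):
        result = self.crowd.authenticate_principal(self._app_token(now), user, password, now)
        # Buggy mode treats every failure as bad principal credentials and keeps the token.
        if result == "INVALID_APP_TOKEN" and self.drop_token_on_failure:
            self.token = None            # dump the stale cache entry, retry once
            result = self.crowd.authenticate_principal(self._app_token(now), user, password, now)
        return result == "OK"


def run(cache_ttl, server_ttl, drop_token_on_failure, times=(0, 400, 700)):
    """Log the same valid user in at each time; return the list of outcomes."""
    conn = Connector(FakeCrowd(server_ttl), cache_ttl, drop_token_on_failure)
    return [conn.login("alice", "s3cret", t) for t in times]
```

With a 900 s connector cache against a 300 s server expiry, valid logins are rejected once the server-side token lapses and stay rejected until the connector's own cache entry ages out; setting the connector expiry below the server expiry avoids this.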