CWD-2777

Crowd SSO can fail when x-forwarded-for contains port number

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: SSO
    • Labels: None
    • Last commented by user?: true
    • Support reference count: 1

      Description

      When using a proxy it is possible that the x-forwarded-for will contain the port and more importantly change the port number per connection. This breaks SSO as the newly created port number is different from a separate connection, thus changing the token.

      You will have entries in the log similar to the following, which specify the port and not just the IP to be used.

      com.atlassian.crowd.model.authentication.ValidationFactor@6a8768[name=remote_address,value=10.80.47.22]com.atlassian.crowd.model.authentication.ValidationFactor@1dfe824[*name=X-Forwarded-For,value=10.19.73.9:53672*]
      

        Activity

        Joseph Walton [Atlassian] added a comment -

        The de-facto standard X-Forwarded-For header doesn't usually include a port number (http://en.wikipedia.org/wiki/X-Forwarded-For), and I haven't found an implementation that does. For compatibility, we would probably simply ignore the port component.

        Work to standardise that header as 'Forwarded' uses a new syntax which currently includes a port (http://tools.ietf.org/html/draft-petersson-forwarded-for-02), along with a number of other changes.

        Joseph Walton [Atlassian] added a comment -

        Here's one, in a description of a patch for iisnode: issue 94. So, not unheard of.

        Joseph Walton [Atlassian] added a comment -

        Looks like this header may be due to IIS's Application Request Routing, following the suggestion in JIRA, Fisheye and IIS7 using Application Request Routing.

        The Microsoft documentation suggests an option:

        Element Name                       Description
        Include TCP port from client IP    Select this option to include the TCP port from the client IP address.

        Turning this off may produce the more common portless format.

        Otherwise, questions like this one suggest that ARR may also wrap hostnames in square brackets, so we'd need to cover that format too.

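An added example, not Crowd's own code, of the normalisation the comments above describe: strip the port component from each X-Forwarded-For entry (including ARR's bracketed host form) before it is used as a validation factor, so that two connections from the same client with different ephemeral ports yield the same value. The function names and the dict-based stand-in for Crowd's ValidationFactor are assumptions.

```python
import ipaddress
import re

# Added example (not Crowd's code). Assumes X-Forwarded-For was set by a
# trusted reverse proxy such as IIS ARR with "Include TCP port from client IP"
# enabled, which appends a per-connection port to the client address.

_BRACKETED = re.compile(r"^\[(?P<host>[^\]]+)\](?::(?P<port>\d{1,5}))?$")
_IPV4_PORT = re.compile(r"^(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$")


def strip_port(entry: str) -> str:
    """Return the address part of one X-Forwarded-For entry.

    Handles '10.19.73.9:53672', '[2001:db8::1]:443' (bracketed form) and
    plain addresses. A bare IPv6 address without brackets is left untouched,
    because its trailing ':hhhh' group cannot be told apart from a port.
    """
    entry = entry.strip()
    m = _BRACKETED.match(entry) or _IPV4_PORT.match(entry)
    host = m.group("host") if m else entry
    try:
        # Canonical textual form, e.g. 2001:0db8::0001 -> 2001:db8::1
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host  # not an IP literal (hostname, 'unknown'); keep as given


def client_address(header_value: str) -> str:
    """First (left-most) hop of a comma-separated X-Forwarded-For list."""
    first = header_value.split(",", 1)[0]
    return strip_port(first)


def validation_factors(remote_addr: str, xff: str) -> dict:
    """Constructed analogue of the two validation factors seen in the log line."""
    return {"remote_address": strip_port(remote_addr),
            "X-Forwarded-For": client_address(xff)}


if __name__ == "__main__":
    # Two requests from the same client behind ARR, different ephemeral ports.
    a = validation_factors("10.80.47.22", "10.19.73.9:53672")
    b = validation_factors("10.80.47.22", "10.19.73.9:53690")
    print(a == b)  # True: the token input is now stable across connections
```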

          People

          • Votes: 0
          • Watchers: 0

          Dates

          • Created:
          • Updated:
          • Resolved:
          • Last commented: 2 years, 7 weeks, 1 day ago