Uploaded image for project: 'Crowd Data Center'
  1. Crowd Data Center
  2. CWD-2777

Crowd SSO can fail when x-forwarded-for contains port number

XMLWordPrintable

    • Icon: Suggestion Suggestion
    • Resolution: Won't Fix
    • None
    • SSO
    • None
    • 1

    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      When using a proxy it is possible that the x-forwarded-for will contain the port and more importantly change the port number per connection. This breaks SSO as the newly created port number is different from a sperate connection, thus changing the token.

      You will have entries in log similar to the following which specify the port and not just the IP to be used.

      com.atlassian.crowd.model.authentication.ValidationFactor@6a8768[name=remote_address,value=10.80.47.22]com.atlassian.crowd.model.authentication.ValidationFactor@1dfe824[*name=X-Forwarded-For,value=10.19.73.9:53672*]

            [CWD-2777] Crowd SSO can fail when x-forwarded-for contains port number

            Katherine Yabut made changes -
            Workflow Original: JAC Suggestion Workflow [ 3388448 ] New: JAC Suggestion Workflow 3 [ 3630460 ]
            Status Original: RESOLVED [ 5 ] New: Closed [ 6 ]
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: Simplified Crowd Development Workflow v2 [ 1389897 ] New: JAC Suggestion Workflow [ 3388448 ]
            Issue Type Original: Improvement [ 4 ] New: Suggestion [ 10000 ]
            Owen made changes -
            Workflow Original: Crowd Development Workflow v2 [ 372702 ] New: Simplified Crowd Development Workflow v2 [ 1389897 ]
            joe made changes -
            Resolution New: Won't Fix [ 2 ]
            Status Original: Open [ 1 ] New: Resolved [ 5 ]
            Justin Koke made changes -
            Issue Type Original: Bug [ 1 ] New: Improvement [ 4 ]

            joe added a comment -

            Looks like this header may be due to IIS's Application Request Routing, following the suggestion in JIRA, Fisheye and IIS7 using Application Request Routing.

            The Microsoft documentation suggests an option:

            Element Name Description
            Include TCP port from client IP Select this option to include the TCP port from the client IP address.

            Turning this off may produce the more common portless format.

            Otherwise, questions like this one suggest that ARR may also wrap hostnames in square brackets, so we'd need to cover that format too.

            joe added a comment - Looks like this header may be due to IIS's Application Request Routing, following the suggestion in JIRA, Fisheye and IIS7 using Application Request Routing . The Microsoft documentation suggests an option: Element Name Description Include TCP port from client IP Select this option to include the TCP port from the client IP address. Turning this off may produce the more common portless format. Otherwise, questions like this one suggest that ARR may also wrap hostnames in square brackets, so we'd need to cover that format too.

            joe added a comment -

            Here's one, in a description of a patch for iisnode: issue 94. So, not unheard of.

            joe added a comment - Here's one, in a description of a patch for iisnode : issue 94 . So, not unheard of.

            joe added a comment -

            The de-facto standard X-Forwarded-For header doesn't usually include a port number (http://en.wikipedia.org/wiki/X-Forwarded-For), and I haven't found an implementation that does. For compatibility, we would probably simply ignore the port component.

            Work to standardise that header as 'Forwarded' uses a new syntax which currently includes a port (http://tools.ietf.org/html/draft-petersson-forwarded-for-02), along with a number of other changes.

            joe added a comment - The de-facto standard X-Forwarded-For header doesn't usually include a port number ( http://en.wikipedia.org/wiki/X-Forwarded-For ), and I haven't found an implementation that does. For compatibility, we would probably simply ignore the port component. Work to standardise that header as 'Forwarded' uses a new syntax which currently includes a port ( http://tools.ietf.org/html/draft-petersson-forwarded-for-02 ), along with a number of other changes.
            AndrewA created issue -

              Unassigned Unassigned
              acampbell AndrewA
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Created:
                Updated:
                Resolved: