CWD-2777 (Crowd Data Center)

Crowd SSO can fail when x-forwarded-for contains port number

    • Type: Suggestion
    • Resolution: Won't Fix
    • Component: SSO
    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      When using a proxy it is possible that the x-forwarded-for will contain the port and, more importantly, change the port number per connection. This breaks SSO, as the newly created port number is different from a separate connection, thus changing the token.

      You will have entries in the log similar to the following, which specify the port and not just the IP to be used.

      com.atlassian.crowd.model.authentication.ValidationFactor@6a8768[name=remote_address,value=10.80.47.22]com.atlassian.crowd.model.authentication.ValidationFactor@1dfe824[*name=X-Forwarded-For,value=10.19.73.9:53672*]
      


            joe added a comment -

            Looks like this header may be due to IIS's Application Request Routing, following the suggestion in JIRA, Fisheye and IIS7 using Application Request Routing.

            The Microsoft documentation suggests an option:

            Element Name: Include TCP port from client IP
            Description: Select this option to include the TCP port from the client IP address.

            Turning this off may produce the more common portless format.

            Otherwise, questions like this one suggest that ARR may also wrap hostnames in square brackets, so we'd need to cover that format too.


            joe added a comment -

            Here's one, in a description of a patch for iisnode: issue 94. So, not unheard of.


            joe added a comment -

            The de-facto standard X-Forwarded-For header doesn't usually include a port number (http://en.wikipedia.org/wiki/X-Forwarded-For), and I haven't found an implementation that does. For compatibility, we would probably simply ignore the port component.

            Work to standardise that header as 'Forwarded' uses a new syntax which currently includes a port (http://tools.ietf.org/html/draft-petersson-forwarded-for-02), along with a number of other changes.

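The following is an added example, not Crowd's code or a patch attached to this issue, showing the normalisation the comments above describe: strip the per-connection port (and any square brackets that ARR may add around the address) from X-Forwarded-For before the value is used as a validation factor, so that two connections from the same client produce the same token. It also parses the `for=` parameter of the newer `Forwarded` header mentioned in the last comment, whose syntax carries a port and brackets as well. The `sso_token` function is a stand-in for Crowd's real token derivation (a plain SHA-256 over the factors, chosen here only to show the effect); the sample values other than the `10.19.73.9:53672` entry from the issue's log line are constructed.

```python
"""Normalise X-Forwarded-For / Forwarded values before using them as SSO
validation factors.  Added example; not Atlassian Crowd code."""
import hashlib
import re
from typing import List, Optional, Tuple


def strip_port(entry: str) -> str:
    """Return the address part of a single forwarded-for element.

    Handles the forms the issue mentions:
      10.19.73.9:53672    -> 10.19.73.9        (ARR 'include TCP port' option)
      [2001:db8::1]:53672 -> 2001:db8::1       (bracketed host, with port)
      [2001:db8::1]       -> 2001:db8::1       (bracketed host, no port)
      2001:db8::1         -> 2001:db8::1       (bare IPv6 literal, no port)
      10.19.73.9          -> 10.19.73.9        (common portless format)
    """
    entry = entry.strip()
    if entry.startswith("["):
        close = entry.find("]")
        return entry[1:close] if close != -1 else entry  # leave malformed input alone
    if entry.count(":") == 1:  # exactly one colon: IPv4/hostname followed by a port
        host, port = entry.rsplit(":", 1)
        return host if port.isdigit() else entry
    return entry  # no colon, or several colons (bare IPv6): nothing to strip


def normalize_xff(header_value: str) -> List[str]:
    """Split a comma-separated X-Forwarded-For value and strip ports from each hop."""
    return [strip_port(e) for e in header_value.split(",") if e.strip()]


# RFC 7239 'Forwarded' header: for=<node>, where node is quoted when it
# contains ':' or '[' (e.g. for="[2001:db8::1]:4711"); pairs are ';'-separated,
# hops are ','-separated.
_FOR_RE = re.compile(r'(?i)\bfor=("?)([^";,]+)\1')


def forwarded_for_addresses(header_value: str) -> List[str]:
    """Extract the client addresses (ports removed) from a Forwarded header value."""
    return [strip_port(m.group(2)) for m in _FOR_RE.finditer(header_value)]


def validation_factors(remote_address: str, xff: Optional[str],
                       strip_ports: bool) -> List[Tuple[str, str]]:
    """Build the (name, value) factors the token is derived from, mirroring the
    remote_address / X-Forwarded-For pair visible in the issue's log line."""
    factors = [("remote_address", remote_address)]
    if xff:
        value = ",".join(normalize_xff(xff)) if strip_ports else xff
        factors.append(("X-Forwarded-For", value))
    return factors


def sso_token(factors: List[Tuple[str, str]], secret: bytes = b"example-secret") -> str:
    """Illustrative token derivation (hypothetical, not Crowd's algorithm): any
    change in a factor value changes the token."""
    h = hashlib.sha256(secret)
    for name, value in factors:
        h.update(f"{name}={value};".encode())
    return h.hexdigest()


# Constructed scenario: the same client (10.19.73.9) behind the proxy at
# 10.80.47.22 opens two connections; the proxy appends a fresh ephemeral port
# to each.  FIRST is the value from the issue's log line, SECOND is constructed.
PROXY = "10.80.47.22"
FIRST = "10.19.73.9:53672"
SECOND = "10.19.73.9:53673"


def tokens_match(strip_ports: bool) -> bool:
    """True when both connections yield the same token."""
    t1 = sso_token(validation_factors(PROXY, FIRST, strip_ports))
    t2 = sso_token(validation_factors(PROXY, SECOND, strip_ports))
    return t1 == t2


if __name__ == "__main__":
    print("raw header, tokens match:       ", tokens_match(False))   # False: SSO breaks
    print("port stripped, tokens match:    ", tokens_match(True))    # True
    print("normalised XFF:                 ", normalize_xff("[2001:db8::1]:53672, 10.0.0.1"))
    print("Forwarded header addresses:     ",
          forwarded_for_addresses('for=192.0.2.60;proto=http;by=203.0.113.43, for="[2001:db8::1]:4711"'))
```

Two practical notes on the design: the port is dropped rather than parsed into a separate factor because, as the comments observe, the port is per connection and carries no identity, so keeping it in any form would still make the token connection-specific. And because X-Forwarded-For is client-supplied, this normalisation should only be applied to values that a trusted proxy is known to set; a value arriving directly from the client remains untrusted regardless of its format.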

              Assignee: Unassigned
              Reporter: acampbell (AndrewA)
              Votes: 0
              Watchers: 0